The Treaty of Lisbon entered into force in 2009.
The Treaty of Lisbon is significant because it created a formal European Union with a legal personality. The European Union (EU) can enter into international treaties in its own right, separate and apart from its member states.
The Treaty of Lisbon states that decisions by the EU are binding on all EU member states. Furthermore, it states that EU laws take precedence over the laws of individual member states. Accordingly, EU law is the primary law in European Union territory. This is significant from a data protection perspective because the GDPR is an EU regulation. Therefore, the GDPR is the primary law in the EU. The obligations imposed by the GDPR are applicable to all organizations established within the EU and protections offered by the GDPR cover all data subjects within the EU.
The Treaty of Lisbon is composed of three units: a) The Maastricht Treaty (also known as the Treaty on European Union), b) The EC Treaty (also known as the Treaty establishing the European Community), c) Amendments.
The EC Treaty was later renamed to the Treaty on the Functioning of the European Union (TFEU). Article 16(1) of the TFEU codifies the right to protection of personal data. This makes it primary law in the EU. Article 16(2) of the TFEU extends the application of data protection to EU bodies and organizations.
Another significance of the Treaty of Lisbon is that it made the EU Charter of Fundamental Rights a binding legal document for all EU member states. Therefore, data protection rights and obligations under the EU Charter are binding on all EU organizations and member states.
