The wide-ranging overhaul of the EU's data proection rules gives individuals more control over the use of their personal information and imposes tight strictures on companies that hold and process that data.

In a presentation of the proposals in Munich, EU Justice Commissioner Viviane Reding says that companies across Europe will be obligated to appoint a data protection officer to preside over the protection of personal data stored and processed by individual businesses.

Internet users must be told which data is collected, for what purposes and how long it will be stored and how it might be used by third parties. Businesses will have to gain the explicit consent from their customers for processing personal data and provide those customers with a "right to be forgotten".

"I want to explicitly clarify that people shall have the right - and not only the 'possibility' - to withdraw their consent to the processing of the personal data they have given out themselves," says Reding. "If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system."

Individuals must also be swiftly informed when their personal data is lost, stolen or hacked.

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," says Reding. "As a general rule, without undue delay means for me 'within 24 hours'."

Penalties of up to €1m, or up to two per cent of an firm's global annual turnover, will be levied on businesses that mishandle their users' data.

The new rules are to be introduced as a comprehensive legislative package that will be uniformly applicable across all EU member states. As such they will need to be approved by the EU's member states and ratified by the European Parliament, a process which could take up to two years.