[Disclaimer: This note is for general information only. It is NOT to be substituted for legal advice or taken as legal advice. The publishers of the blog shall not be liable for any act or omission based on this note]
Note: This article discusses the domestic laws of EU countries that supplement and implement the GDPR, and the guidance released by national data protection authorities to align each country's legal regime with the GDPR.
INTRODUCTION
Misuse of personal data by large, and in some cases well-known, organisations has made data protection and privacy law imperative, and that need is felt across the globe. In the EU, concerns over loss of privacy and misuse of data led to the General Data Protection Regulation ("GDPR"), which applies from May 25, 2018 and is arguably one of the strictest laws governing online privacy. The GDPR is considered a milestone and an essential step in strengthening individuals' rights in the digital age. It is designed to protect the personal data of individuals and to restrict how organisations use the personal data of their customers. The Regulation reflects a paradigm shift in how personal data, and its collection by controllers, is understood.
The GDPR gives data subjects[1] a number of rights over their data, such as rectification and erasure, which they can exercise if they fear misuse. It has direct effect across all EU member states and covers all entities "established" in the EU and certain entities established outside it. Under the former, an entity operating in the EU through one of its establishments and processing personal data in the context of that establishment's activities falls within the GDPR, irrespective of whether the processing itself takes place in the EU. Under the latter (Article 3(2)), a non-EU entity is covered where it offers goods or services to data subjects in the EU or monitors their behaviour there. Almost all of the 28 EU member states have by now passed national legislation adapting their domestic law to the GDPR.
PRINCIPLES
The GDPR lays down strict data protection principles with which the controller and the processor[2] must comply when handling personal data. The controller[3] must make sure that the personal data is:
- used fairly, lawfully and transparently;
- used for specified, explicit purposes;
- used in a way that is adequate, relevant and limited to only what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary; and
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
DATA PROTECTION LEGISLATION IN EU MEMBER STATES
Country | Implementing legislation | Supervisory authority
--- | --- | ---
Austria | Federal Act concerning the Protection of Personal Data (Datenschutzgesetz, DSG) | Austrian Data Protection Authority (Datenschutzbehörde)
Belgium | Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data | Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données)
Croatia | Law on Implementation of the General Data Protection Regulation | Croatian Personal Data Protection Agency (AZOP)
Czech Republic | Act No. 110/2019 Coll. on the Processing of Personal Data | Office for Personal Data Protection (UOOU)
Denmark | Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018) | Danish Data Protection Agency (Datatilsynet)
Finland | Data Protection Act (Tietosuojalaki 1050/2018, enacted from government bill HE 9/2018 vp) | Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
France | Law n°2018-493 of June 20, 2018, amending Law n°78-17 of January 6, 1978 | CNIL (Commission nationale de l'informatique et des libertés)
Germany | Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) | Federal Commissioner for Data Protection and Freedom of Information (BfDI), together with the supervisory authorities of the Länder
Ireland | Data Protection Act 2018 | Data Protection Commission (DPC)
Italy | Legislative Decree No. 101/2018 | Italian Data Protection Authority (Garante per la protezione dei dati personali)
Luxembourg | Act of 1 August 2018 on the Organisation of the National Data Protection Commission and the General Data Protection Framework | National Data Protection Commission (CNPD)
Netherlands | GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming, UAVG) | Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Poland | Act of 10 May 2018 on the Protection of Personal Data | President of the Personal Data Protection Office (UODO)
Portugal | Law no. 58/2019 of 8 August | National Data Protection Commission (CNPD)
Romania | Law no. 190/2018 on measures implementing the GDPR | National Supervisory Authority for Personal Data Processing (ANSPDCP)
Slovakia | Act No. 18/2018 Coll. on the Protection of Personal Data | Office for Personal Data Protection of the Slovak Republic
Spain | Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) | Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD)
Sweden | Data Protection Act (2018:218) | Swedish Data Protection Authority (Datainspektionen)
Switzerland (not an EU member state; its Act is not GDPR implementing legislation) | Federal Act on Data Protection (FADP) and Data Protection Ordinance | Federal Data Protection and Information Commissioner (FDPIC)
United Kingdom | Data Protection Act 2018 | Information Commissioner's Office (ICO)
UNITED KINGDOM ("UK")
The Data Protection Act 2018 supplements the GDPR in UK law and came into effect on May 25, 2018, the day the GDPR began to apply. The Act makes data protection law fit for a digital age in which an ever-increasing amount of data is processed, empowers people to take control of their data, and supports businesses and organisations in the United Kingdom through the change. The Information Commissioner's Office ("ICO") is the body responsible for enforcing the Act and for publishing guidance on rights, roles and responsibilities under it. Some of the important guidance documents released by the ICO are discussed below:
- Guidance on contracts: This guidance covers contracts and liabilities between controllers and processors, sets out the terms that a controller-processor contract must contain, and helps processors understand their new responsibilities and liabilities under the GDPR.
- Guidance on controllers and processors: This guidance provides a ready-reckoner checklist that helps controllers, processors and joint controllers identify their roles, and outlines the responsibilities of a controller when using a processor. In addition to its contractual obligations to the controller, a processor has direct responsibilities under the GDPR and can be held liable for failing to meet them.
- Encryption: The ICO has updated its GDPR guidance on the compliant use of encryption to protect personal data. The guidance explains the role of encryption as an appropriate technical measure for protecting the personal data an organisation holds, whether as a controller or a processor, and lists four points to consider when implementing it:
- choosing the right algorithm;
- the right key size;
- the right software; and
- keeping the key secure.
- Passwords: The ICO has updated its guidance on the use of passwords to protect data. It covers how passwords should be chosen and the level of security required around them, and recommends that stored passwords be protected with a suitable hashing algorithm or another mechanism offering similar protection (a salted, deliberately slow password hash rather than a plain or fast general-purpose hash).
- Exemptions: The GDPR and the Data Protection Act 2018 ("DPA") set out exemptions from some rights and obligations. Whether an exemption applies must be assessed case by case; exemptions cannot be relied upon routinely. The exemptions in the DPA relieve an organisation of some of its obligations under the Act, such as:
- the right to be informed;
- the right of access;
- dealing with other individual rights;
- reporting personal data breaches; and
- complying with the principles.
- International transfers: The guidance clarifies
- where a transfer of personal data is considered a ‘restricted transfer’; and
- which mechanisms can be deployed in this case to transfer personal data.
- Personal Data Breaches : The Guidance outlines breach notification requirements under the GDPR, including what information needs to be included in a notification, and when organizations are required to notify supervisory authorities and those affected.
BELGIUM
On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data (the "Act") entered into force and repealed the Law of 8 December 1992 on privacy protection, which had regulated the processing of personal data in Belgium. The Act applies to the processing of personal data in the context of the activities of an establishment of a controller or processor on Belgian territory, whether or not the processing itself takes place there. The Act significantly broadens the scope for processing data relating to criminal offences and convictions, and it allows associations and foundations to process sensitive data where that is necessary to achieve their statutory objectives.
The Data Protection Authority (Gegevensbeschermingsautoriteit) is the supervisory authority that monitors the protection of privacy and the use of personal data in the country.
CROATIA
The Law on Implementation of the General Data Protection Regulation (the "Act") implements the GDPR on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Act does not apply to processing carried out by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including safeguarding against and preventing threats to public security, nor to processing in the areas of national security and defence.
Under the Act, the processing of employees' biometric data is permitted for recording working hours and controlling access to premises where the employees have given their consent. The Act also restricts the processing of employees' personal data through video surveillance: it may only be carried out if the conditions laid down by the occupational safety regulations are met and the employees have been adequately informed of the measure in advance.
The Croatian Personal Data Protection Agency (AZOP) is responsible for the administrative and professional tasks related to personal data protection.
DENMARK
The Danish Data Protection Act (Databeskyttelsesloven) has been passed by the Danish parliament. The Act supplements and implements the GDPR on the protection of individuals with respect to the processing of personal data and on the free movement of such data. The Act and the GDPR apply to all processing of personal data carried out wholly or partly by automated means, and to non-automated processing of personal data that is, or is intended to be, contained in a filing system. Under the Act, the processing of personal data in the employment context is permitted if the data subject has consented or the processing is necessary for certain specified purposes.
The Danish Data Protection Agency (Datatilsynet) supervises the processing of data to which the Act applies. The Agency primarily deals with specific cases, on the basis of enquiries from public authorities or private individuals or cases taken up on its own initiative.
FRANCE
Law n°2018-493 of June 20, 2018 on the protection of personal data was promulgated on June 20, 2018 and published in the Official Journal on June 21, 2018.
The purpose of the Law was to adapt Law n°78-17 of January 6, 1978 on information technology, data files and liberties (the "French Data Protection Act") to the GDPR, which applies from May 25, 2018, and to transpose into domestic law Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (the Law Enforcement Directive).
The CNIL is the authority responsible for informing individuals of the rights accorded to them by the French Data Protection Act. Some of the guidance issued by the CNIL under the Act is discussed below:
- CNIL guidance on the collection and transmission of data to data brokers: Many companies collecting data directly from individuals, whether through online or paper forms, pass this information on to "commercial partners" or, more generally, to other organisations so that those organisations can send marketing by SMS or email. For such transmission to be valid and to let people keep control over their personal data, it must comply with a series of conditions, including those imposed by the GDPR (RGPD in French).
- Standards for DPO certification : In order to identify the skills and know-how of the Data Protection Officer (DPO), the CNIL adopts two standards for DPO certification.
- a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO;
- an accreditation framework that sets out the criteria applicable to organizations wishing to be authorized by the CNIL to certify the DPO’s competencies based on the certification framework developed by the CNIL.
- Deliberation n°2018-326 of 11 October 2018: The CNIL adopted guidelines on the data protection impact assessments (DPIAs) provided for in the GDPR.
- The Guidelines describe the three examples of processing operations requiring a DPIA given in Article 35(3) of the GDPR. They also list the nine criteria identified by the Article 29 Working Party as useful in determining whether a processing operation requires a DPIA when it does not correspond to one of those three examples;
- The Guidelines provide that a DPIA (AIPD in French) must be carried out before a processing operation presenting a high risk to the rights and freedoms of the natural persons concerned is implemented, and must be reviewed regularly, in any case at least every three years, to ensure that the level of risk remains acceptable;
- The Guidelines specify that controllers may rely on the CNIL's sector reference frameworks: as long as the processing complies with such a framework, the controller may consider that there is no high residual risk. Where the processing departs from the framework, the controller must at least reassess the level of residual risk, which may trigger the obligation to consult the CNIL before processing (Article 36 of the GDPR).
FINLAND
On 13 November 2018 the Finnish Parliament approved the Data Protection Act (Tietosuojalaki 1050/2018), enacted from government bill HE 9/2018 vp (the "Act"); it entered into force on 1 January 2019. The Act supplements the GDPR and repealed the old Finnish Personal Data Act (Henkilötietolaki 523/1999).
The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) remains the national data protection authority under the GDPR and supervises data protection in Finland. In e-privacy matters, however, the Finnish Communications Regulatory Authority continues to act as the supervisory authority. The new legislation also introduces an expert board within the Data Protection Ombudsman's office, which is empowered to issue advisory statements on the application of data protection legislation at the Ombudsman's request.
GERMANY
The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) in its new form applies from May 25, 2018. It applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data that forms, or is intended to form, part of a filing system, unless the processing is carried out by a natural person in the course of a purely personal or household activity.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) supervises federal public bodies and certain sectors (telecommunications and postal services); private-sector controllers are supervised by the data protection authority of the Land in which they are established. Some of the guidance published by the German authorities is discussed below:
- Guidance on the privacy requirements for app developers and app providers: This orientation aid is aimed at developers and providers of mobile applications (apps). It sets out the data protection and technical requirements and makes them understandable through concrete examples.
- Cryptographic methods: Because absolute data security cannot be achieved in practice, the principles of "adequacy" and "necessity" are enshrined in data protection law: security measures must be appropriate to the protection needs of the personal data concerned. This guidance on the use of cryptographic methods was developed by the Working Group on Technical and Organisational Data Protection Issues of the Conference of the Independent Data Protection Authorities of the Federation and the Länder (Datenschutzkonferenz, DSK).
IRELAND
The Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the GDPR. The Act implements the derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.
The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the GDPR and also has functions and powers under other regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Law Enforcement Directive (Directive (EU) 2016/680). The Commission recently published guidance on the responsibilities of organisations under the GDPR.
- Responsibilities of organisations under the General Data Protection Regulation: The DPC provides information about organisational obligations under data protection legislation and the GDPR, including transparency towards service users and how to respond to an individual exercising their data protection rights. More detailed information is provided on:
- your obligations under data protection;
- how to respond to an individual exercising their rights;
- how to make a notification to the Data Protection Commission in cases where your organisation or business has breached personal data.
ITALY
Italy adopted Legislative Decree No. 101/2018, published in the Official Gazette on September 4, 2018 and in force from September 19, 2018, which adapts national legislation to the GDPR on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The Decree sets the age threshold for consent in relation to information society services at 14 years; for children under that age, the processing of their data still requires parental consent. The Decree provides for specific safeguards for the lawful processing of genetic data, biometric data and data concerning health, and tasks the Italian supervisory authority with adopting those measures at least every two years. Existing practice on the rights of deceased data subjects remains largely unchanged: those rights can be exercised by anyone with an interest of their own, by a person acting on behalf of the data subject, or for family reasons worthy of protection.
The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority established by the Italian privacy legislation. It is the supervisory authority responsible for monitoring the application of the GDPR and the national legislation.
CODE OF CONDUCT:
Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes : This Code of conduct sets out the adequate safeguards and arrangements to process personal data by protecting data subjects´ rights that must be in place in pursuing business information purposes; this is aimed to ensure, on the one hand, certainty and transparency in business relations along with adequate knowledge and circulation of business and economic information and, on the other hand, quality, relevance, accuracy and topicality of the processed personal data.
NETHERLANDS
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming, "UAVG") applies in the Netherlands from 25 May 2018.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "AP") is the independent administrative body appointed by law as the supervisory authority for the processing of personal data. Some of the AP's publications are discussed below:
- AP's recommendations for the register of processing activities: On 28 November 2018 the AP issued five concrete recommendations that organisations should follow when maintaining their register of processing activities (Article 30 GDPR):
- Organizations must state the duration and the purpose of processing personal data. Under European privacy legislation, it is not allowed to store personal data longer than necessary for the purpose with which they were collected. Organizations must also be able to explicitly mention the purpose why they collect this data.
- Contact details of the controller must be included in the register.
- Organization should provide a well-organized file of all processing activities carried out in relation to personal data, thereby enabling the users to easily navigate through it.
- Location or the place where personal data is stored must be stated clearly in the register. This information is relevant when people submit a request for access or deletion.
- Organisations must specify the purpose of each processing activity. A mere enumeration of processing activities by department, combined with a summary of the various purposes of processing, is not sufficient.
- Policy rules on the prioritisation of complaint investigations: The AP published policy rules on how it prioritises the investigation of complaints. Under the GDPR, every data subject has the right to lodge a complaint with the AP if they consider that the processing of their personal data infringes the GDPR, and the AP must in principle investigate and respond to each complaint. The AP is, however, free to decide how intensively it investigates a given complaint.
POLAND
The Act of 10 May 2018 on the Protection of Personal Data entered into force on 25 May 2018 to support the application of the GDPR in Poland.
The President of the Personal Data Protection Office (UODO), created by that Act, is the competent authority for the protection of personal data on the territory of Poland. Some of the guidelines adopted or published by the Office are discussed below:
- Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR: These EU-level guidelines, adopted by the European Data Protection Board, have been published by the Polish Office. They explore the rationale for certification as an accountability tool, explain the key concepts of the certification provisions in Articles 42 and 43, and describe the scope of what can be certified and the purpose of doing so.
- Protection of personal data at the workplace : The Guide indicates how to process personal data both during recruitment and during the whole period of employment. It is not limited to employment based on an employment relationship. It also treats other, more and more popular forms of employment, such as civil law contracts.
- Tips for data controllers – how to apply the GDPR: The Personal Data Protection Office prepared 10 tips for data controllers to help them to apply the GDPR rules on a daily basis such as:
- Establish the proper basis for collecting and using personal data;
- Comply with the information obligation in accordance with the new rules;
- Communicate in a transparent way;
- Always respect the rights of people;
- Remember that consent can be withdrawn at any time;
- Data breaches should be reported to the President of the Personal Data Protection Office and when necessary, to the persons whose data have been violated;
- Do not create unnecessary documentation;
- You have the right to profile, but remember about limitations;
- Invest in a professional DPO;
- Watch out for scammers.
SLOVAKIA
Act No. 18/2018 Coll. on the Protection of Personal Data regulates the protection of the rights of natural persons against unlawful interference with their personal data. The Act governs the rights, duties and liabilities connected with the processing of personal data and establishes the Office for Personal Data Protection of the Slovak Republic, its powers and its organisation.
The Office for Personal Data Protection is the supervisory authority responsible for the application of the Act. Some of the guidelines it has issued are discussed below:
- Methodological Guideline no. 2/2018: The Office for Personal Data Protection of the Slovak Republic issued a guideline on the lawfulness of processing. The principle of lawfulness also expresses the requirement for fair processing: processing must be in accordance with EU law, the law of the member state and good morals, so that it does not infringe the fundamental rights and freedoms of the persons concerned.
- Methodological Guideline no. 3/2018: The Office issued a guideline on the obligations of e-shop operators from the point of view of personal data protection. The obligations are as follows:
- to process a customer's personal data lawfully, the operator must have an appropriate legal basis;
- customers have the right to be informed about the terms of processing, how requests to exercise data subject rights are handled, and so on;
- the operator may process the data obtained only for a specific, explicitly stated and legitimate purpose, and may not process them in a manner incompatible with that purpose;
- the operator should process only the personal data necessary to achieve the specific purpose of processing;
- the operator must keep the personal data accurate and up to date;
- the operator must keep personal data only for as long as is necessary to achieve the purpose of processing;
- the operator must ensure adequate security of the processed personal data; and
- the operator must be able to demonstrate compliance with the preceding principles of processing.
SPAIN
Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) guarantees the digital rights of citizens and employees, going beyond the GDPR. The law includes some specifications about data subjects' rights and recognises a set of "digital rights" (rights in the context of the Internet) for every individual, starting with the right to net neutrality (the right to Internet access without discrimination on technical or economic grounds) and ending with the right to a digital testament.
The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) is the public-law authority overseeing compliance with the legal provisions on the protection of personal data, fully independent of the public administration. The guides released or adopted by the Agency are discussed below (the Spanish texts refer to the GDPR as the RGPD):
- Practical guide to risk analysis for the processing of personal data: The guide is aimed at controllers and processors and explains how to analyse the risks that processing of personal data poses to data subjects, the same assessment that underpins the decision whether a security breach must be notified to the competent authority through the appropriate channel. It aims to cover the wide range of Spanish businesses, small, medium and large, those with large-scale processing and those with limited processing, and to be equally useful to the controllers and processors in public administrations involved in managing security breaches.
- Guide for the controller of personal data processing: The guide systematically presents the main issues organisations should consider when applying the RGPD. It is designed to help controllers and processors adapt to the new obligations during the transition period and includes a ready-reckoner checklist that organisations can use to determine whether they have taken the steps necessary to apply the RGPD correctly.
- Guide for the management and notification of security breaches: The guide is intended for anyone who wants or needs to become familiar with the management and notification of security breaches. It is designed for the various controllers processing personal data who could be affected by a security breach, to help them understand the GDPR's requirement to notify the competent authority and, where relevant, the data subjects, so that the authority is notified through the correct channel with useful and accurate information for statistical and monitoring purposes, and the new GDPR requirements are met.
SWEDEN
The Data Protection Act (2018:218) entered into force on May 25, 2018. It contains provisions on, among other things, the processing of personal identity numbers and of data relating to criminal offences. The Act applies to processing of personal data carried out in the context of the activities of establishments of controllers or processors in Sweden. It also applies to processing by controllers not established in Sweden but in a place where Swedish law applies under public international law.
The Swedish government has designated the Swedish Data Protection Authority (Datainspektionen) as the supervisory authority under the GDPR.
SWITZERLAND
Switzerland is not an EU member state, and its Federal Act on Data Protection (the "Act") and Data Protection Ordinance (the "Ordinance") are not GDPR implementing legislation; they regulate data processing in Switzerland in their own right. The Act applies in any of the following circumstances:
- the data subject is habitually resident in Switzerland, provided the processor could anticipate that damage might occur in Switzerland;
- the controller or processor (as the potentially infringing party) is resident in Switzerland;
- the damage resulting from a data breach occurs in Switzerland, provided the processor could anticipate that it might occur there.
The Federal Data Protection and Information Commissioner (FDPIC) is the authority responsible for supervising data protection. The Commissioner has published a guide introducing the data protection risks of modern IT systems and the technical and organisational measures that can be taken to protect personal data.
- Guide to technical and organisational measures: This guide is an introduction to the data protection risks that can arise with modern IT systems. It is meant to help readers implement measures that ensure optimal and appropriate protection of personal data. It is primarily intended for IT systems managers and those directly involved in handling personal data, whether technicians or not, and is structured around four topics: data access, data lifecycle, data transmission and the right to information.
AUSTRIA
The Federal Act concerning the Protection of Personal Data (Datenschutzgesetz, DSG) substantially amended the Data Protection Act 2000 in order to adapt Austrian law to the GDPR. The Act regulates the processing of personal data, the appointment of data protection officers, data secrecy, processing for the investigation or prosecution of criminal offences, and data subjects' rights to rectification and erasure.
On the basis of Article 8 of the GDPR, the Act provides that children may consent to data processing in the course of information society services from the age of 14, instead of 16 as stipulated by the GDPR. Article 10 of the GDPR generally allows data relating to criminal convictions and offences to be processed only "under the control of official authority" unless otherwise authorised by member state law; the Austrian legislator closed this potential gap by providing that such data may also be processed on the basis of legitimate interests pursued by the controller.[4]
CZECH REPUBLIC |
The Czech Republic enacted Act No. 110/2019 Coll. on the Processing of Personal Data, incorporating the provisions of the GDPR. The law came into effect on April 24, 2019. It replaces the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of the GDPR, as well as the processing of data by competent authorities for preventing, investigating and detecting criminal activity and ensuring safety and public order.
The Office for Personal Data Protection has published various guidance materials for the implementation of the Law. Some of them are mentioned below:
- Data Breach Notification Guidance[5]: The Office for Personal Data Protection (‘UOOU’) published guidance on data breach notifications. Key features of the guidance are provided below:
- outlines that any breach of personal data security that may result in a risk to the rights and freedoms of individuals must be reported;
- provides examples of such incidents, including an attack on a computer in which personal data is processed which results in the leakage of personal data, as well as the loss of paper documents containing personal data that was a part of manually kept records;
- provides that where an infringement is unlikely to result in a high risk to the rights and freedoms of data subjects, such as when it becomes impossible to trace a paper document that was or should have been part of a manually kept record, no notification needs to be made;
- lists what should be included in the notification, as well as the exceptions to the obligation to report data breaches to affected individuals.
- DPIA Methodology[6]: The Office for Personal Data Protection (‘UOOU’) published a methodology for conducting Data Protection Impact Assessments (‘DPIAs’). Key points discussed in the methodology are:
- contains questions and answers, information on who needs to carry out a DPIA and when this is required, and outlines the four stages of a DPIA;
- provides that the data controller needs to ascertain whether a DPIA needs to be carried out with respect to the personal data obtained, the legal basis for processing, data retention periods, and data transfers;
- highlights that the data controller should, when carrying out a DPIA, provide a systematic description of the intended processing activities, follow a risk assessment procedure through identifying assets, vulnerabilities, and threats related to the processing of personal data, and determine the level of risk following a DPIA;
- includes examples of vulnerabilities such as insufficient maintenance of supporting information and communication technologies, and insufficient physical protection of personal data.
LUXEMBOURG |
On 16 August 2018, the Luxembourg Government adopted and published the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR, the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The Law repeals the law of 2 August 2002 on the protection of persons regarding the processing of personal data.
ROMANIA |
The Parliament of Romania adopted Law No. 190/2018 implementing the General Data Protection Regulation. The Law regulates special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (‘DPO’) and certification bodies, as well as provisions on the applicable sanctions for public and private entities.
Conclusion: Critique of GDPR
As is evident from the EU countries’ domestic laws, the GDPR is privacy legislation that serves as a guideline for upcoming data privacy laws. The GDPR strengthens individual privacy rights and increases the obligations of companies towards personal data. It also has real enforcement power, which is to say that, like most of its counterparts, it is not toothless: it not only imposes obligations on organisations but also provides for heavy penalties when any of those obligations is breached.
The largest sanction under privacy laws was imposed by the CNIL, whose restricted committee imposed a heavy financial penalty of around €50 million[7] on Google LLC for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. The CNIL’s decision came as a warning that tough enforcement actions are not just theory, and organisations must therefore take privacy laws seriously.
Some of the major fines imposed in 2020 include:
- In April 2020, the Dutch Data Protection Authority imposed its largest fine to date, €725,000 (US$ 821,600 million), on an unnamed company for illegally using employees’ fingerprint scans for its attendance records over a period of 10 months. Under the GDPR, biometric data is classified as sensitive information and is subject to stringent protections.[8]
- On December 07, 2020, the French Data Protection Authority issued two fines totalling €100 million against Google LLC, Google Ireland Limited and Amazon for cookie violations. In an audit, it was revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.[9]
- On December 07, 2020, the Norwegian Data Protection Authority (‘Datatilsynet’) sent a notice of infringement to the Norwegian Sports Confederation (‘NIF’) and imposed a fine of NOK 2.5 million (approx. €236,000) following the disclosure of the personal data of 3.2 million Norwegians after an error that occurred while testing a cloud solution.[10]
Also, since the digital environment across the world has made private data accessible with a single click, privacy laws have become the talk of the town, and a breach of them can mean heavy penalties for data controllers and processors. The borderless nature of the Internet raises several jurisdictional issues in data protection; therefore, gradually, even non-EU countries are bringing in supplementing laws in line with the GDPR to protect the personal data of consumers. India and China have introduced data privacy bills, and China has also included data privacy principles in its Civil Code.
The emerging need for all organisations to review their privacy policies and bring them into compliance with the national legislation of their respective countries and the GDPR reflects the growing acceptance of the GDPR, transcending the EU.
† Consultant at Ernst and Young | Data Privacy and Occupational Health and Safety Compliance Professional
[1] The GDPR defines data subjects as “identified or identifiable natural person[s].” In other words, data subjects are just people: human beings from whom or about whom you collect information in connection with your business and its operations.
[2] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
[3] According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.
[4] https://www.dorda.at/en/publications/new-austrian-data-protection-act-implementing-gdpr-passed-austrian-parliament Last accessed on December 11, 2020.
[5] https://www.uoou.cz/vismo/zobraz_dok.asp?id_org=200144&id_ktg=5020&n=poruseni-zabezpeceni
[6] https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=46497
[7] Deliberation of the restricted committee No. SAN-2019-001 of January 21, 2019, pronouncing a financial penalty against the company GOOGLE LLC.
[8] https://cisomag.eccouncil.org/four-biggest-gdpr-fines-of-2020/ Last accessed on December 11, 2020.
[9] https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland Last accessed on December 14, 2020.
[10] https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/