fbpx

GDPR laws

While GDPR is directly applicable in EU member states, there are

Member states must legislate

  • For a supervisory authority with appropriate powers, resources and independence
  • Procedural rules for the authority
  • Rules on penalties
  • Balance between freedom of expression and information on data protection
  • Balance with rules on public access to documents

Member states may legislate on

  • Representative complaints to supervisory authorities
  • Fines by public authorities (who are they?)
  • Criminal penalties
  • Rules
  • Processing in the context of employment
  • Archiving in the public interest, scientific or historical research purposes or statistical purposes
  • Role of the DPA when dealing with persons subject to secrecy rules
  • Special rules for churches and religious associations
  • Rules on lawfulness of processing for legal obligations and public interest
  • Age of children for parental consent requirements
  • Rules on health, genetic and biometric data
  • Rules on conviction data
  • Exemptions
  • Requirements for DPIA tool for public interest processing
  • Extra requirements to appoint a DPO

EU member state GDPR implementation law

 

[themify_box style=”yellow map shadow fa-exclamation-triangle”]See also: GDPR derogations in EU member states[/themify_box]

While General Data Protection Regulation (GDPR) is directly applicable in EU member states, GDPR provides to EU member states some degree of flexibility over how certain provisions will apply. Even more, sere are set of rules EU member states have to adopt.

Member states must legislate

  • For a supervisory authority with appropriate powers, resources and independence
  • Procedural rules for the authority
  • Rules on penalties
  • Balance between freedom of expression and information on data protection
  • Balance with rules on public access to documents

Member states may legislate on

  • Representative complaints to supervisory authorities
  • Fines by public authorities (who are they?)
  • Criminal penalties
  • Rules
  • Processing in the context of employment
  • Archiving in the public interest, scientific or historical research purposes or statistical purposes
  • Role of the DPA when dealing with persons subject to secrecy rules
  • Special rules for churches and religious associations
  • Rules on lawfulness of processing for legal obligations and public interest
  • Age of children for parental consent requirements
  • Rules on health, genetic and biometric data
  • Rules on conviction data
  • Exemptions
  • Requirements for DPIA tool for public interest processing
  • Extra requirements to appoint a DPO

EU member state GDPR implementation law

Austria

The Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act (DSG)), BGBI. I No. 165/1999, as amended to implement the GDPR) (German)

Belgium

  • The Law on the creation of the Data Protection Authority was enacted on 3 December 2017 (French)
  • The Law on the Protection of Natural Persons with Regard to the Processing of Personal Data 2018 (French and Dutch)

Bulgaria (Not in force)

The National Assembly has adopted a bill on the Amendment and Supplementation of the Protection of Personal Data Act 2002 (Bulgarian)

Croatia

Law on the Implementation of the General Data Protection Regulation 2018 (Croatian)

Cyprus

Law No 125 (I)/2018 on the Protection of Natural Persons Against the Processing of Personal Data and on the Free Circulation of Such Data (Greek)

Czech Republic (Not in force)

Draft Law on the Processing of Personal Data (Czech)

Denmark

Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (‘the Data Protection Act’) (Danish)

Estonia

Personal Data Protection Act (Estonian)

Finland

Data Protection Act (1050/2018) (Finnish)

France

  • Law No. 2018-493 of 20 June 2018 on the Protection of Personal Data (French)
  • Ordinance No. 2018-1125 of 12 December 2018 Amending Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties and Various Provisions Concerning the Protection of Personal Data (French) Will enter into force no later than 1 June 2019.

Germany

Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (German)

Greece (Not in force)

Draft Bill on the Protection of Personal Data (Greek)

Hungary

Act XXXVIII of 2018  amending Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungarian)

Iceland

Law 90/2018 on privacy and processing of personal data (Icelandic)

Ireland

Data Protection Act 2018 (English)

Italy

The Legislative Decree 10 August 2018, no. 101, Provisions for the Adaptation of the National Legislation to the Provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) (Italian)

Latvia

Personal Data Processing Law (Latvian, English)

Liechtenstein

  • The Data Protection Act (DSG) of 4 October 2018 (German)
  • The Data Protection Ordinance (DSV) of 11 December 2018 (German)

Lithuania

Law No XIII-1426 of 30 June 2018 on Legal Protection of Personal Data and amending Law No I-1374 (Lithuanian)

Luxembourg

Law of 1 August 2018 Establishing the National Commission for Data Protection and Implementing the General Data Protection Regulation (Regulation (EU) 2016/679), Amending the Labor Code and the Amended Law of 25 March 2015 Laying Down the Salary System and the Conditions and Procedures for the Advancement of State Officials (French)

Malta

Data Protection Act (Act XX 2018) (English)

Netherlands

Act Implementing the GDPR (Dutch)

Norway

Act of 15 June 2018 on the processing of personal data (the Data Protection Act) (Norwegian)

Poland

Act of 10 May 2018 on the Protection of Personal Data (Polish)

Portugal (Not in force)

Law Proposal no. 120/XIII (Portuguese)

Romania

  • The Law No. 190 of 18 July 2018 on the Implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) (Romanian).
  • The Law No. 129 of 15 June 2018 Amending and Integrating Law No. 102/2005 on the Establishment, Organisation and Functioning of the National Supervisory Authority for the Processing of Personal Data, as well as the Repeal of Law No. 677/2001 on the Protection of Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data was published (Romanian)

Slovakia

Act of 29 November 2017 on the Protection of Personal Data and on Amendments to Certain Acts (Slovak)

Slovenia (Not in force)

Draft Law on the Protection of Personal Data (ZVOP-2) (Slovenian)

Spain

Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (Spanish)

Sweden

Law 2018:218 with Additional Provisions to the GDPR (Swedish)

UK

Data Protection Act 2018 (Emglish)