New in CRi

Data Privacy Legislation in the EU Member States – Part Two of the Practical Overview (Pohle, CRi 2018, 133)

Part One of this overview presented the 13 EU Member States which had adjusted their domestic data privacy law to the GDPR by July 2018 (Pohle, CRi 2018, 97-116).
Part Two completes this overview for 2018 and presents the national data privacy laws of the EU Member States which have introduced specific domestic laws supplementing GDPR during the third quarter of 2018.

The article provides an overview of how these “late-comer” EU Member States have adjusted their domestic data privacy laws in the following core areas of the new EU privacy law regime: (1) domestic legislation; (2) definitions; (3) relevant authority; (4) registration requirements; (5) data protection officers (DPO); (6) collection and processing; (7) data subject rights; (8) data transfer to third countries; (9) security of personal data; (10) data breach notification; (11) enforcement; (12) data processing in employment context; (13) provisions relating to specific processing situations (chapter 9 GDPR); (14) electronic marketing; (15) online privacy; (16) other notable domestic regulations. Unfortunately, there is still a long list of EU Member States that have not yet implemented new domestic data privacy laws.

Table of Contents:

I. Introduction

II. Belgium

III. Cyprus

IV. Italy

V. Luxembourg

VI. The Netherlands

VII. Romania

VIII. Slovakia

IX. Spain

X. Sweden

XI. Other EU Member States

XII. Conclusion

I. Introduction

The General Data Protection Regulation ("GDPR") has applied since 25 May 2018, and the European Union ("EU") Data Protection Directive was repealed with effect as of the same date. Part One, published in CRi 2018, pp. 97-116, gave an overview of all EU Member States which, by mid-July 2018, had taken the option granted by GDPR not only to maintain or introduce national provisions to further specify the application of GDPR in specific areas but also to specify the rules of GDPR.

These opening clauses for modifying domestic laws concern, for example, (a) specific processing situations as specified in Chapter nine of the GDPR, including the processing of personal data in the context of employment as an extremely important field of processing in day-to-day practice, (b) the determination of the minimum age a child must reach to be able to grant valid consent to the processing of personal data, (c) the processing of personal data relating to criminal convictions and offences, (d) the requirement to appoint a data protection officer, (e) the establishment of a supervisory authority, (f) the extent to which administrative fines might be imposed on public authorities and bodies and (g) rules and regulations on penalties. In addition, the GDPR does not affect the application of specific other EU legislation such as the E-Commerce Directive and the ePrivacy Directive.

This Part Two completes the overview begun in Part One. For the “late-comer” EU Member States which adjusted their domestic data privacy laws within the third quarter of 2018, it provides an overview of the core topics of the domestic data privacy laws and the scope and basic details of their implementation. Given the special political situation in Spain, a summary is provided of the preliminary GDPR-related legislation implemented so far, but this Spanish legislation is more of an interim legislation, merely focusing on GDPR-related issues requiring immediate Spanish domestic legislative action rather than a final adjustment of Spanish domestic data privacy laws. Part Two concludes the practical overview of national data privacy legislation in the EU Member States with an updated summary of the status of the legislation in the remaining EU Member States which are unlikely to have their domestic data privacy legislation adjusted to GDPR in 2018.

II. Belgium

Author: Prof. Dr. Patrick Van Eecke, LL.M., Partner, DLA Piper, Brussels.

1. Domestic Legislation

The Belgian Data Protection Act (“the Act”) of 30 July 2018 implements the open provisions, derogations and additional requirements; it transposes the 2016/680 Directive and regulates the authorities outside the scope of the EU (including intelligence and security services).

Another law restructuring the Belgian Data Protection Authority ("the DPA Act") was already adopted on 3 December 2017.

2. Definitions

The Act clarifies what should be understood by a ‘government’. In the context of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes ("Research and other purposes") it adds definitions for a ‘trusted third party’, ‘disclosure of personal data’ and ‘distribution of personal data’. It also clarifies the concepts ‘processing in the substantial public interest’ and ‘the processing for journalistic purposes’, and introduces new concepts such as a ‘joint database’.

3. Authority

Three more authorities (COC, Committee I and Committee P) with varying information security or police competences are created next to the Belgian Data Protection Authority (the "Belgian DPA") which has 6 committees including an inspection committee with investigative powers and a dispute committee with decision powers to settle, formulate warnings and impose periodic penalty payments or administrative fines.

4. Registration Requirements

There are no specific registration requirements applying in Belgium.

5. Data Protection Officers ("DPO")

In addition to Art. 37 GDPR, a DPO also needs to be appointed when there is a high risk following Article 35 GDPR when (i) a private law body processes on behalf of the government or the government transfers personal data to a private law body in the context of police services or (ii) the processing falls under the exception necessary for Research and other purposes. Some government bodies regulated in the Act are also required to appoint a DPO.

6. Collection and Processing

When providing information society services, children above thirteen can consent. When processing genetic, biometric and health data, a controller lists who has access, keeps this list at the disposal of the Belgian DPA and ensures confidentiality. Criminal data can be processed by parties enumerated in the Act. An access list and confidentiality duties are required.

7. Data Subject Rights

Private law bodies are exempted from informing the data subject when personal data is received from or disclosed to certain authorities regulated under the Act. Data subject rights are often limited to rectification and verification for authorities regulated under the Act. The Judicial Code or Code on Criminal proceedings is applicable to rights executed in judicial proceedings.

8. Transfer to Third Countries

No general additional requirements relating to transfers are introduced by the Act. Notification requirements regarding transfers were previously embedded in Protocol Accords and Royal Decree. It is currently unclear if those are being reconsidered. Transfers of personal data by authorities regulated under the Act are subject to more stringent requirements.

9. Security of Personal Data

No additional security measures are imposed except for different anonymisation or pseudonymisation requirements when processing for Research and other purposes.

The authorities regulated under the Act are subjected to security measures, resembling the GDPR.

10. Breach Notification

Data breach obligations for the authorities regulated under the Act resemble the GDPR.

11. Enforcement

The Belgian DPA can enforce the Act. Either a body, an organisation or non-profit organisation can represent the data subject upon its request when it fulfils four conditions, including its prior activity in the protection of personal data.

The Court of First Instance can injunct a processing activity, except for when personal data is processed in a criminal investigation. No single court is territorially competent. The DPA can impose administrative fines under the GDPR, but the government and their appointees are exempted.

A supervisory authority can exercise corrective measures for infringement of the provisions listed, but certain specified regulated authorities are exempted.

Depending on the infringement and the infringer, criminal sanctions between EUR 800 - EUR 160.000 can be imposed on the controller, processor, competent government body or appointee, and the judgment may be published.

12. Processing in the Context of Employment

The Act does not provide for specific regulations on the processing of personal data in the context of employment.

Specific Regulations According to Articles 85-87 and 89 GDPR

The Act defines the freedom of expression and information exception and exempts the controller from data subject’s rights, certain controller obligations (notification of breaches, transfer requirements) and investigative powers of the DPA. Two regimes are introduced for the processing for research and other purposes, namely (i) general safeguards adding register, information, contractual and security requirements or (ii) compliance with a code of conduct.

13. Electronic Marketing

The Act does not include specific legislation on electronic marketing.

14. Online Privacy

Online privacy matters are not dealt with by the Act.

15. Other Notable Domestic Regulations

From Belgium there is nothing to report on further notable domestic regulations on data privacy.

III. Cyprus

Authors: Christy Spyrou, Partner, and Grigoris Sarlidis, Senior Associate, Pamboridis LLC, Nicosia.

1. Domestic Legislation 

The GDPR is implemented through the Cypriot Protection of Natural Persons as to the Processing of their Personal Data and the Free Movement of such Data Act 125(I) of 2018 (the Act). The Act repeals and replaces the Processing of Personal Data (Protection of Individual) Acts of 2001 to 2012. (...)

Verlag Dr. Otto Schmidt, 12.10.2018 10:26