Any other areas under discussion

Last reviewed
Any other areas under discussion
Austria 05.06.2018 Austrian Data Protection Act:

Besides the already outlined specialties, the ADPA especially provides for the following exceptional provisions as regards certain data processing activities:

Temporary exception from the right to rectification and the right to erasure: If the rectification or erasure of personal data cannot be carried out immediately due to economic or technical reasons, the processing shall be restricted according to Art 18 GDPR until rectification or erasure is possible.

Special provisions concerning image processing: The new rules of Sec 12 and 13 ADPA apply to all data processing activities regarding images (especially photographs and CCTV)). Thus, taking pictures is usually permitted in case (i) the data subject renders its consent or (ii) the processing is required for legitimate interests of the controller or a third party (especially the protection of private property as well as the surveillance of public areas). Further, the ADPA provides for special data security measures and labelling obligations for image processing activities.

Sector-specific laws:

In addition to the ADPA, various Austrian laws contain special data protection provisions, which particularize the general data protection laws set for specific areas.

Austrian Telecommunications Act:

Further, the provisions of the Austrian Telecommunications Act ("TKG") are highly relevant for the processing of personal data for (electronic) marketing purposes: In general, consent is required before sending electronic messages to customers for marketing purposes (Sec 107 TKG). Further, consent is required before contacting customers via phone for marketing purposes (Sec 107 TKG).

Additionally, collecting personal data via cookies that are not strictly necessary for the functionality of the online service requires the consent of the data subject (usually gathered through a cookie banner) based on sufficient information about this data use (Sec 96 (3) TKG).
Belgium 08.10.2018 n/a
Czech Republic 16.05.2018 n/a
Denmark 06.09.2018 § 5(3) provides that public authorities may process personal data for other purposes than the purpose for which the data originally were collected even where the purpose is incompatible; however in the case of health data or genetic data, the purposes must be compatible. When public authorities make use of this rule, they are exempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.
Finland 13.11.2018 Under the Data Protection Act, the Data Protection Ombudsman remains as the national data protection authority and supervises the entire field of data protection in Finland.

The administrative fines pursuant to GDPR Article 83 will be imposed by a three-member board consisting of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen.
The administrative fine may also be imposed for the breach of Article 10. 

The administrative fines cannot be imposed on Finnish public authorities, other public bodies, or the Evangelic Lutheran Church or Orthchurch Church of Finland.
France 24.05.2018 n/a
Germany 23.05.2018 Various German Federal laws contain special data protection provisions, which particularize the general data protection laws set for specific areas. Sector-specific data protection will continue to be important in the future.
Telemedia Act (“Telemediengesetz”, “TMG”)
The TMG contains special data protection regulations for providers of Information Society Services (“Telemedia”) in Germany. According to the public information provided by the Federal Ministry of the Interior (BMI), the Ministry is currently not planning to propose a change of the TMG. This means that it will be subject to legal interpretation (in an individual case) which data protection provisions will be superseded by the GDPR and which will remain applicable. Companies operating on the Internet are strongly recommended to keep an eye on further developments.

Telecommunications Act (“Telekommunikationsgesetz”, “TKG”)

The Federal Ministry of the Interior (BMI) has announced that it will provide a proposal for a law that will adapt the Telecommunications Act to the GDPR, but this proposal is not yet public.
The TKG will likely be changed substantially in its provisions that lay down sector-specific data protection rules for the telecommunications sector (sections 91-107 TKG). These provisions will have to be changed whenever they lay down rules that conflict with GDPR provisions and that cannot be based on the ePrivacy Directive in conjunction with the exception clause of Article 95 GDPR. This means that there will likely be substantial changes of this part of the TKG. Details are not yet published.
Hungary 01/04/2019 n/a
Ireland  7.06.2018 Under the Act, the Data Protection Commission is replaced with a new legal entity known as the Data Protection Commission.
The Act provides for a new action, to be known as a ‘data protection action’, whereby an individual may bring a claim for infringement of their rights under the GDPR or the Act and seek an injunction or declaration, or compensation for damage suffered.
There is a proposed new criminal offence relating to direct marketing, profiling or micro-targeting children, which is in the Act but has not been brought into force as it is under consideration by the Irish government.
Italy 25.10.2018

The Authority has highlighted that:

  • Controllers and processors should use the icons and symbols suggested by the Authority on CCTV systems and banks, together with a complete and exhaustive privacy notice;
  • Decree foresees that for the first 8 months from the date of entry into force of the Decree itself (i.e. until 19 May 2019) the Authority takes into account, for the purposes of the application of administrative sanctions and to the extent that it is compatible with the provisions of GDPR, the phase of first application of the penalty provisions. This provision could be interpreted as an opportunity for the controllers to demonstrate, in case of inspection, that their approach to the GDPR has taken into account the focal points of the new legislation, assessing the need to apply any sanctions in a gradual manner and leaving the possibility to the controllers to remedy any shortcomings found during the inspection;
  • the provisions of the Authority adopted before  May 25 2018 are valid unless stated otherwise and to the extent that they are compatible with the GDPR and the IDPA;
  • To terminate a penalty procedure for some specified violations of the IDPA, the Decree states that Controllers and Processor can directly pay two-fifths of the minimum relevant sanction within sixty days of the date from 19th September 2018.
Netherlands 17.09.2018

UAVG stipulates that:

  • Article 22 GDPR does not apply where automated processing/profiling is necessary for compliance with a legal obligation or if processing is necessary for the performance of a task carried out in the public interest. This exception only applies if there is a specific legal basis for profiling.
  • There exists a legal obligation to take into account the needs of micro, small and medium-sized enterprises (art. 2a UAVG).
  • The prohibition to subject data subjects to automated decision-making does not apply where the law makes this compulsory. This may indirectly enable 'big data' applications (art. 40 UAVG)
Poland 16.05.2018 PDPA provides an administrative and a civil procedure for data subjects to pursue their rights.
Slovakia 13.09.2018  n/a
Spain 05.03.2019 Other relevant issues regulated in the SDPA:

I. Credit Information Systems
Article 20 of the SDPA regulates the credit information systems. The processing of personal data by credit information systems in relation to a breach of financial, monetary or credit obligations will be lawful as long as the following requirements are met:
a) The data have been provided by the creditor;
b) The data relate to a true, due and payable debt;
c) The creditor has informed the data subject in their agreement, or when claiming the payment, about the possibility the debtor will be included in these lists; and
d) The data is kept in the system during a 5 year period and only as long as the breach is not remedied.
These records can only be consulted by persons with a contractual relationship with the affected individual, or persons from whom the individual had requested financial assistance.

II. Data Processing Agreements
The Spanish Data Protection Act provides that data processing agreements executed before the 25th May 2018, will remain in force until their expiry; in case of data processing agreements of indeterminate length, they will be effective until May 25 2022.

III. Blocking of Personal Data
The Spanish Data Protection Act obliges controllers to block personal data when the data subjects exercise their right of rectification or erasure. The blocking of data entails the implementation of measures in order to restrict the processing only to the transfer to competent authorities where necessary.

The SDPA includes a set of digital rights for individuals:
- The right to rectification on the Internet (Article 85): social media (and similar) service providers must implement protocols to enable users to exercise their right to rectify information published by other users on the Internet;
- The right to update information publishedin digital media (Article 86): when an individual has exercised the right to rectifyinformation such media must show a warning stating that some information does not correctly reflect an individual's status.
Sweden 06.09.2018 In contrast to article 2.2 (a)-(b) of the GDPR, the Data Protection Act provides that the GDPR and the Data Protection Act shall be applicable to the processing of personal data in the course of an activity (i) which falls outside the scope of Union law or (ii) which falls within the scope of Chapter 2 of Title V of the TEU.
UK 23.05.2018 Derogation for automated decision taking to be implemented (examples given are financial services related).
Controllers must include additional information in their record of processing activity, including indication of lawful basis and details of profiling where applicable (Art.61).

The ICO is retaining annual fees and registrations, and is substantially upping these (controllers with turnover over £36 million or 250+ employees face annual fees of £2900) - this power is contained in the Digital Economy Act 2017.