||Any other areas under discussion
|Austria||05.06.2018||Austrian Data Protection Act:
Besides the already outlined specialties, the ADPA especially provides for the following exceptional provisions as regards certain data processing activities:
Temporary exception from the right to rectification and the right to erasure: If the rectification or erasure of personal data cannot be carried out immediately due to economic or technical reasons, the processing shall be restricted according to Art 18 GDPR until rectification or erasure is possible.
Special provisions concerning image processing: The new rules of Sec 12 and 13 ADPA apply to all data processing activities regarding images (especially photographs and CCTV)). Thus, taking pictures is usually permitted in case (i) the data subject renders its consent or (ii) the processing is required for legitimate interests of the controller or a third party (especially the protection of private property as well as the surveillance of public areas). Further, the ADPA provides for special data security measures and labelling obligations for image processing activities.
In addition to the ADPA, various Austrian laws contain special data protection provisions, which particularize the general data protection laws set for specific areas.
Austrian Telecommunications Act:
Further, the provisions of the Austrian Telecommunications Act ("TKG") are highly relevant for the processing of personal data for (electronic) marketing purposes: In general, consent is required before sending electronic messages to customers for marketing purposes (Sec 107 TKG). Further, consent is required before contacting customers via phone for marketing purposes (Sec 107 TKG).
Additionally, collecting personal data via cookies that are not strictly necessary for the functionality of the online service requires the consent of the data subject (usually gathered through a cookie banner) based on sufficient information about this data use (Sec 96 (3) TKG).
|Denmark||06.09.2018||§ 5(3) provides that public authorities may process personal data for other purposes than the purpose for which the data originally were collected even where the purpose is incompatible; however in the case of health data or genetic data, the purposes must be compatible. When public authorities make use of this rule, they are exempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.
|Finland||13.11.2018||Under the Data Protection Act, the Data Protection Ombudsman remains as the national data protection authority and supervises the entire field of data protection in Finland.
The administrative fines pursuant to GDPR Article 83 will be imposed by a three-member board consisting of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen.
The administrative fine may also be imposed for the breach of Article 10.
The administrative fines cannot be imposed on Finnish public authorities, other public bodies, or the Evangelic Lutheran Church or Orthchurch Church of Finland.
|Germany||23.05.2018||Various German Federal laws contain special data protection provisions, which particularize the general data protection laws set for specific areas. Sector-specific data protection will continue to be important in the future.
Telemedia Act (“Telemediengesetz”, “TMG”)
The TMG contains special data protection regulations for providers of Information Society Services (“Telemedia”) in Germany. According to the public information provided by the Federal Ministry of the Interior (BMI), the Ministry is currently not planning to propose a change of the TMG. This means that it will be subject to legal interpretation (in an individual case) which data protection provisions will be superseded by the GDPR and which will remain applicable. Companies operating on the Internet are strongly recommended to keep an eye on further developments.
Telecommunications Act (“Telekommunikationsgesetz”, “TKG”)
The Federal Ministry of the Interior (BMI) has announced that it will provide a proposal for a law that will adapt the Telecommunications Act to the GDPR, but this proposal is not yet public.
The TKG will likely be changed substantially in its provisions that lay down sector-specific data protection rules for the telecommunications sector (sections 91-107 TKG). These provisions will have to be changed whenever they lay down rules that conflict with GDPR provisions and that cannot be based on the ePrivacy Directive in conjunction with the exception clause of Article 95 GDPR. This means that there will likely be substantial changes of this part of the TKG. Details are not yet published.
|Ireland||7.06.2018||Under the Act, the Data Protection Commission is replaced with a new legal entity known as the Data Protection Commission.
The Act provides for a new action, to be known as a ‘data protection action’, whereby an individual may bring a claim for infringement of their rights under the GDPR or the Act and seek an injunction or declaration, or compensation for damage suffered.
There is a proposed new criminal offence relating to direct marketing, profiling or micro-targeting children, which is in the Act but has not been brought into force as it is under consideration by the Irish government.
The Authority has highlighted that:
UAVG stipulates that:
|Poland||16.05.2018||PDPA provides an administrative and a civil procedure for data subjects to pursue their rights.|
|Spain||05.03.2019||Other relevant issues regulated in the SDPA:
I. Credit Information Systems
Article 20 of the SDPA regulates the credit information systems. The processing of personal data by credit information systems in relation to a breach of financial, monetary or credit obligations will be lawful as long as the following requirements are met:
a) The data have been provided by the creditor;
b) The data relate to a true, due and payable debt;
c) The creditor has informed the data subject in their agreement, or when claiming the payment, about the possibility the debtor will be included in these lists; and
d) The data is kept in the system during a 5 year period and only as long as the breach is not remedied.
These records can only be consulted by persons with a contractual relationship with the affected individual, or persons from whom the individual had requested financial assistance.
II. Data Processing Agreements
The Spanish Data Protection Act provides that data processing agreements executed before the 25th May 2018, will remain in force until their expiry; in case of data processing agreements of indeterminate length, they will be effective until May 25 2022.
III. Blocking of Personal Data
The Spanish Data Protection Act obliges controllers to block personal data when the data subjects exercise their right of rectification or erasure. The blocking of data entails the implementation of measures in order to restrict the processing only to the transfer to competent authorities where necessary.
The SDPA includes a set of digital rights for individuals:
- The right to rectification on the Internet (Article 85): social media (and similar) service providers must implement protocols to enable users to exercise their right to rectify information published by other users on the Internet;
- The right to update information publishedin digital media (Article 86): when an individual has exercised the right to rectifyinformation such media must show a warning stating that some information does not correctly reflect an individual's status.
|Sweden||06.09.2018||In contrast to article 2.2 (a)-(b) of the GDPR, the Data Protection Act provides that the GDPR and the Data Protection Act shall be applicable to the processing of personal data in the course of an activity (i) which falls outside the scope of Union law or (ii) which falls within the scope of Chapter 2 of Title V of the TEU.|
|UK||23.05.2018||Derogation for automated decision taking to be implemented (examples given are financial services related).
Controllers must include additional information in their record of processing activity, including indication of lawful basis and details of profiling where applicable (Art.61).
The ICO is retaining annual fees and registrations, and is substantially upping these (controllers with turnover over £36 million or 250+ employees face annual fees of £2900) - this power is contained in the Digital Economy Act 2017.