||Approach to implementation
e.g amendments to existing law, total repeal of old laws
|Austria||05.06.2018||Overall, the Austrian legislator used just a few opening clauses of the GDPR in a very moderate way highlighting a minimalistic approach to safeguard full harmonization. However, the ADPA nevertheless provides for some specific local provisions.
Further, special data protection provisions will follow in other Austrian laws since the ADPA is limited to the general provisions. Thus, we will learn in the future whether the Austrian legislator keeps up with its restraint or if stricter local rules will come through the backdoor of specific laws.
Belgian Privacy Act repeals the Privacy Act of 8 December 1992. It also implements Directive 2016/680 on data protection in the police and criminal justice sectors, which takes up the majority of the Act's 286 articles.
|Czech Republic||13.09.2018||Current DPA No. 101/2000 Coll. to be repealed by the new DPA. Multiple existing laws (e.g. Civil Procedure Code, Criminal Procedure Code) to be amended by an Amending Act. The new DPA shall also transpose the Law Enforcement Directive.
|Denmark||06.09.2018||Replaced the former Act on Processing of Personal Data.|
|Finland||13.11.2018||The Data Protection Act abrogates the previous Personal Data Act.
The impact that the GDPR has on several hundred sectoral laws, including specific rules on data protection, are still under review or being prepared.
|France||11.02.2019||French Data Protection Act modifies Law N°78-17 of January 61978 on information technology, data files and civil liberties ("FDPA"). Decree n°2005-1309 was also amended by a new decree (01/08/2018 – the "Decree").
Territorial scope slightly differs from the GDPR. The FDPA applies to the processing of personal data:
• when the controller is located on French territory
• when the controller, without being established on French territory or another Member State, uses means of processing located on French territory
• when the data subject is a French resident, even when the controller is not established in France.
|Germany||23.05.2018||Almost all opening clauses are used. GDPR-regulated areas are combined with out-of-scope-areas such as law enforcement and national security.|
|Hungary||01/04/2019||The law modifying the InfoAct adds a list of provisions which apply to data processing activities already covered by the GDPR, and implements the Law Enforcement Directive (2016/680/EU directive).
The InfoAct is now compatible with the GDPR and sets forth when to apply the GDPR, the InfoAct or both.
Other issues remain unresolved. The sectoral data protection provisions still reflect an outdated approach (e.g. limiting the legal basis for processing personal data to either consent or a statutory provision).
There are several contradictory provisions in the finance, insurance and telecommunication sectors, and in relation to direct marketing.
According to a position paper published by the Hungarian National Authority for Data Protection and Freedom of Information ("NAIH"), the authority will only apply the GDPR where its provisions are comprehensive. However, deregulation of rules directly contradicting the provisions of the GDPR is still required to create a landscape that is easier to navigate for businesses.
Generally, where the GDPR permits local deviation, the InfoAct makes few changes. As an example, in relation to information society services offered directly to children, the age of consent remains 16 in Hungary.
|Ireland||07.06.2018||The Data Protection Act 2018 (the “Act”) covers both the GDPR and the Law Enforcement Directive.
The Data Protection Acts 1988 and 2003 (the “1988 and 2003 Acts”) are largely superseded. Under section 8 of the Act, the 1988 and 2003 Acts will continue to apply to (a) the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, and (b) the processing of personal data under certain forensic evidence and vehicle registration legislation.
The Act provides for certain exemptions from the data subject rights and related obligations provided for under the GDPR. Further exemptions may be specified by secondary legislation.
Where the Act provides that processing of personal data in certain contexts must be subject to “suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects”, section 36(1) of the Act provides a non-exhaustive list of such measures. Secondary legislation may be enacted for the purpose of (a) identifying additional suitable and specific measures which may be taken, or (b) specifying that measures referred to in section 36(1) of the Act are mandatory.
The Decree did not repeal the current Data Protection Act (hereinafter, "IDPA") but solely amended any provisions of the IDPA conflicting with the GDPR. It now contains only residual provisions in addition to those of the GDPR which are directly applicable.
A small number of the provisions contained in the Decree are not included in the IDPA. Thus the new final legal framework is quite complex:
|Netherlands||17.09.2018||GDPR Execution Act ("UAVG") is to repeal the current Dutch Data Protection Act ("Wbp"). On 9-12-2016 the Dutch Ministry of Security & Justice (in charge of privacy and data protection matters) issued the GDPR Execution Act (Uitvoeringswet Algemene Verordening Gegegevensbescherming). Purpose of this Execution Act is to effectuate the GDPR and repeal the current Dutch Data Protection Act (Wet bescherming persoonsgegevens).|
|Poland||07.09.2018||The old Data Protection Law has been repealed and replaced by PDPA. The Inspector General for Personal Data Protection (GIODO) has been replaced by the President of the Personal Data Protection (PUODO). The ASA will introduce amendments to the existing sectoral acts.|
|Slovakia||13.09.2018||The New DPA has fully repealed the previous Act no. 122/2013 Coll. on Personal Data Protection.|
|Spain||05.03.2019||Repeals Organic Law 15/1999 and all those legal precepts that conflict with the GDPR established in the Royal Decree 1720/2007, approving the Development Regulation of the Organic Law 15/1999.|
|Sweden||06.09.2018||Personal Data Act (1998:204) repealed and replaced by the Data Protection Act (2018:218).|
Repeals Data Protection Act 1998
Further Statutory Instruments are anticipated
In addition to implementing GDPR related provisions, the Act contains additional provisions to: