Last reviewed
Any other areas under discussion
Austria 05.06.2018 Austrian Data Protection Act:

Besides the already outlined specialties, the ADPA especially provides for the following exceptional provisions as regards certain data processing activities:

Temporary exception from the right to rectification and the right to erasure: If the rectification or erasure of personal data cannot be carried out immediately due to economic or technical reasons, the processing shall be restricted according to Art 18 GDPR until rectification or erasure is possible.

Special provisions concerning image processing: The new rules of Sec 12 and 13 ADPA apply to all data processing activities regarding images (especially photographs and CCTV)). Thus, taking pictures is usually permitted in case (i) the data subject renders its consent or (ii) the processing is required for legitimate interests of the controller or a third party (especially the protection of private property as well as the surveillance of public areas). Further, the ADPA provides for special data security measures and labelling obligations for image processing activities.

Sector-specific laws:

In addition to the ADPA, various Austrian laws contain special data protection provisions, which particularize the general data protection laws set for specific areas.

Austrian Telecommunications Act:

Further, the provisions of the Austrian Telecommunications Act ("TKG") are highly relevant for the processing of personal data for (electronic) marketing purposes: In general, consent is required before sending electronic messages to customers for marketing purposes (Sec 107 TKG). Further, consent is required before contacting customers via phone for marketing purposes (Sec 107 TKG).

Additionally, collecting personal data via cookies that are not strictly necessary for the functionality of the online service requires the consent of the data subject (usually gathered through a cookie banner) based on sufficient information about this data use (Sec 96 (3) TKG).
Belgium 08.10.2018 The Belgian Privacy Commission (predecessor of the newly established Data Protection Authority) published DPO recommendations on 24 May 2017, recommendations on records of processing activities on 14 June 2017 and recommendations on privacy impact assessments on 28 February 2018.
Czech Republic 16.05.2018 n/a
Denmark 06.09.2018 § 5(3) provides that public authorities may process personal data for other purposes than the purpose for which the data originally were collected even where the purposes is incompatible; however in the case of health data or genetic data, the purposes must be compatible. When public authorities make use of this rule, they are exempted from the obligation in GDPR art. 13(3) and 14(4) to inform the data subject of this further processing unless the processing is for control purposes, c.f. § 23.
Finland 13.11.2018 Under the Data Protection Act, the Data Protection Ombudsman remains as the national data protection authority and supervises the entire field of data protection in Finland.

The administrative fines pursuant to GDPR Article 83 will be imposed by a three-member board consisting of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen.
The administrative fine may also be imposed for the breach of Article 10. 

The administrative fines cannot be imposed on Finnish public authorities, other public bodies, or the Evangelic Lutheran Church or Orthchurch Church of Finland.
France 24.05.2018 The French Digital Republic act already established the right to data portability to anticipate the implementation of the GDPR. However, the right, as provided by the GDPR, seems to be more limited than the right provided by the French Digital act. Indeed, the French Digital act provides for a right to data portability (right for a data subject to be provided with the totality of his/her personal data in a portable format) in “any circumstances”. The GDPR provides a right to data portability for cases where the processing of data is based on the data subject’s consent or on a contract.
However, the French right to data portability does not include the right for a data subject to ask the controller to transmit his/her personal data to another controller of his/her choice when technically possible.
Germany 23.05.2018 Various German Federal laws contain special data protection provisions, which particularize the general data protection laws set for specific areas. Sector-specific data protection will continue to be important in the future.
Telemedia Act (“Telemediengesetz”, “TMG”)
The TMG contains special data protection regulations for providers of Information Society Services (“Telemedia”) in Germany. According to the public information provided by the Federal Ministry of the Interior (BMI), the Ministry is currently not planning to propose a change of the TMG. This means that it will be subject to legal interpretation (in an individual case) which data protection provisions will be superseded by the GDPR and which will remain applicable. Companies operating on the Internet are strongly recommended to keep an eye on further developments.

Telecommunications Act (“Telekommunikationsgesetz”, “TKG”)

The Federal Ministry of the Interior (BMI) has announced that it will provide a proposal for a law that will adapt the Telecommunications Act to the GDPR, but this proposal is not yet public.
The TKG will likely be changed substantially in its provisions that lay down sector-specific data protection rules for the telecommunications sector (sections 91-107 TKG). These provisions will have to be changed whenever they lay down rules that conflict with GDPR provisions and that cannot be based on the ePrivacy Directive in conjunction with the exception clause of Article 95 GDPR. This means that there will likely be substantial changes of this part of the TKG. Details are not yet published.
Hungary 17.05.2018 n/a
Ireland  7.06.2018 Under the Act, the Data Protection Commission is replaced with a new legal entity known as the Data Protection Commission.
The Act provides for a new action, to be known as a ‘data protection action’, whereby an individual may bring a claim for infringement of their rights under the GDPR or the Act and seek an injunction or declaration, or compensation for damage suffered.
There is a proposed new criminal offence relating to direct marketing, profiling or micro-targeting children, which is in the Act but has not been brought into force as it is under consideration by the Irish government.
Italy 17.05.2018 The Garante Guide notes that:
• Controllers and Processors should use symbols and icons suggested by DPA's Decisions on CCTV systems and banks, together with a complete and exhaustive privacy notice;
• DPA will provide guidance on meaning of "reasonable fees" and security measures for processing sensitive data;
• measures appointing staff to process and track bank users' activity should be maintained; and
• records of processing activities for organisations with fewer than 250 persons employed should be maintained.
Netherlands 17.09.2018 UAVG stipulates that:
• Article 22 GDPR does not apply where automated processing/profiling is necessary for compliance with a legal obligation or if processing is necessary for the performance of a task carried out in the public interest. This exception only applies if there is a specific legal basis for profiling.
• There exists a legal obligation to take into account the needs of micro, small and medium-sized enterprises (art. 2a UAVG).
• The prohibition to subject data subjects to automated decision-making does not apply where the law makes this compulsory. This may indirectly enable 'big data' applications (art. 40 UAVG).
Poland 16.05.2018 PDPA provides an administrative and a civil procedure for data subjects to pursue their rights.
Spain 07.09.2018 I. Credit Information Systems
Article 20 of the Spanish Data Protection Draft Bill regulates credit information systems. The processing of personal data by credit information systems in relation to a breach of financial, monetary or credit obligations will be lawful as long as the following (including but not limited) requirements are met:
a) The data has been provided by the creditor;
b) The data is related to a true, due and payable doubt;
c) The creditor has informed the data subject in their agreement or when claiming the payment about the possibilities of the debtor to be included in these lists; and
d) The data is kept in the system during a 5 years period and only as long as the breach is not remedied.
II. Data Processing Agreements
The Spanish Royal Decree-Law provides that data processing agreements executed before the 25th May 2018, will continue to be effective during its term; in case of data processing agreements of indeterminate length, they will be effective until 25 May 2022.
III. Blocking of Personal Data
The draft allows data controllers to block personal data when the data subject has previously exercised the rectification or erasure right. Thus, the data controller may keep such personal data duly blocked during the statute of limitations of any liabilities that may arise as a consequence of the processing.
Sweden 06.09.2018 In contrast to article 2.2 (a)-(b) of the GDPR, the Data Protection Act provides that the GDPR and the Data Protection Act shall be applicable to the processing of personal data in the course of an activity (i) which falls outside the scope of Union law or (ii) which falls within the scope of Chapter 2 of Title V of the TEU.
UK 23.05.2018 Derogation for automated decision taking to be implemented (examples given are financial services related).
Controllers must include additional information in their record of processing activity, including indication of lawful basis and details of profiling where applicable (Art.61).

The ICO is retaining annual fees and registrations, and is substantially upping these (controllers with turnover over £36 million or 250+ employees face annual fees of £2900) - this power is contained in the Digital Economy Act 2017.