The Personal Data Protection Act (PDPA) is in force. The draft of the Act on Changes to the Sectoral Acts (ASA) is still being consulted at the government level.
The current Data Protection Law will be repealed and replaced by the PDPA. The Inspector General for Personal Data Protection (GIODO) will be replaced by the President of the Personal Data Protection Office (PUODO). The ASA will introduce amendments to the existing sectoral acts.
The PDPA became law on 25 May 2018. It is uncertain when the ASA will become law; it is highly possible that this will happen at the end of 2018 or the beginning of 2019.
Areas where Member States must have local laws:
The PDPA provides that some provisions of the GDPR will not apply where personal data is processed for journalistic purposes or for the purposes of academic, artistic or literary expression.
The PDPA provides two criminal sanctions: (i) for unpermitted and unauthorized processing, and (ii) for jeopardizing or impeding the PUODO's inspection.
Areas where Member States may have local laws:
The PUODO's right of access to information and personal data will be limited by professional secrets.
Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of managing board members).
However, the processing of a candidate's/employee's special categories of personal data by the (potential) employer on the basis of his/her explicit consent is not permitted unless such data is provided on the candidate's/employee's initiative. It is also prohibited in all circumstances for the (potential) employer to process a candidate's/employee's personal data relating to criminal convictions and offences if such processing is based on his/her consent. The only basis for such processing is a legal obligation.
Employers may (i) use CCTV for the purpose of ensuring employees' security, protection of the employer's property, production control, and information security; and (ii) monitor employees' emails for the purpose of ensuring a work organization which allows for making full use of employees' working hours and appropriate usage of the working tools made available to them.
Employers are allowed to process employees' biometric data if necessary to ensure access control to particularly important information or access control to the premises requiring special protection.
No special requirements. Only rules related to notification of the DPO to the PUODO.