Stage of legislative progress 
E.g. pre-consultation, in consultation

The Personal Data Protection Act (PDPA) is in force. The draft of the Act on Changes to the Sectoral Acts (ASA) is still being consulted at the government level.

Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

The current Data Protection Law will be repealed and replaced by the PDPA. The Inspector General for Personal Data Protection (GIODO) will be replaced by the President of the Personal Data Protection Office (PUODO). The ASA will introduce amendments to the existing sectoral acts.

Timescale for implementation 
E.g. pre-consultation, in consultation

The PDPA became law on 25 May 2018. It is uncertain when the ASA will become law; it is highly possible that this will happen at the end of 2018 or the beginning of 2019.

Areas where Member States must have local laws:

Personal data and freedom of expression 

The PDPA provides that some provisions of the GDPR will not apply where personal data is processed for journalistic purposes or for the purposes of academic, artistic or literary expression.


The PDPA provides two criminal sanctions: (i) for unpermitted and unauthorized processing, and (ii) for jeopardizing or impeding the PUODO's inspection.

Areas where Member States may have local laws:

Professional secrecy 

The PUODO's right of access to information and personal data will be limited by professional secrecy.

Scientific, historical or statistical purposes 



Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of managing board members).

However, the processing of a candidate/employee's special categories of personal data by the (potential) employer on the basis of his/her explicit consent is not permitted unless such data is provided on the candidate's/employee's initiative. It is also prohibited in all circumstances for the (potential) employer to process a candidate/employee's personal data relating to criminal convictions and offences if such processing is based on his/her consent. The only basis for such processing is a legal obligation.

Employers may (i) use CCTV for the purpose of ensuring employees' security, protection of the employer's property, production control, and information security; and (ii) monitor employees' emails for the purpose of ensuring a work organization which allows for making full use of employees' working hours and appropriate usage of the working tools made available to them.

Personal data of deceased persons 


Children online


Special rules for special categories of data

Changes applicable to the private sector include, e.g. changes to (i) the Act on Insurance and Reinsurance Activity enabling insurance companies to process personal data, including health data, in an automated manner, including through profiling, in order to assess insurance risk and perform insurance contracts, and (ii) the Public Procurement Law which provides that the transparency principle is not applicable to special categories of personal data collected in the procurement procedure.

Genetic, biometric or health data

Employers are allowed to process employees' biometric data if necessary to ensure access control to particularly important information or access control to the premises requiring special protection.

Designation of a Data Protection Officer

No special requirements. Only rules related to notification of the DPO to the PUODO.

National identification numbers/any other identifier of general application



Any other areas under discussion

The PDPA provides an administrative and a civil procedure for data subjects to pursue their rights.