The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions.

Local implementation efforts

Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called ‘opening clauses’. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.

EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.

Local implementation highlights

Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:

  • In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
  • France has some preliminary notification obligations, especially with regard to the processing of biometric or genetic data.
  • Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
  • Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
  • Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
  • The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.

You can find an overview of all implementation laws and their specialties here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en.