The European legislature opted for a regulation in order to ensure a consistent level of protection for data subjects throughout the European Union and prevent differences that could hamper the free movement of personal data within the internal market. However, the GDPR does not provide for complete harmonization and leaves considerable leeway to Member States' national and supervisory authorities to set country-specific rules. It goes without saying that this could result in fragmented implementation, as was the case with the Data Protection Directive (Directive 95/46/EC). The Netherlands has already published a draft GDPR Implementing Act for which public consultation is now closed (see our previous newsletter for more information). In Belgium and Luxembourg no texts have been released thus far.
This issue highlights the most important areas in which the national and supervisory authorities must or may take specific measures. Skip to the end for a summary.
The competent supervisory authorities must establish and publish a list of processing operations for which a data protection impact assessment (DPIA) is required. The Belgian Privacy Commission has prepared a DPIA recommendation (available in Dutch and French) that includes such a list. This recommendation is not yet final. Furthermore, it should be noted that the supervisory authorities may establish a list of processing operations for which a DPIA is not required.
Member States shall take the necessary measures to reconcile the protection of personal data with freedom of expression and information. This means in particular that, if necessary, they shall provide for the necessary exemptions or derogations from the GDPR. Current data protection legislation in the Benelux already provides for such exemptions and derogations. The Dutch GDPR Implementing Act expressly states that many provisions and sections of the GDPR do not apply to processing activities for solely journalistic, academic, artistic or literary purposes.
As indicated in our issue on consent, parental consent is required when information society services are offered to children below the age of 16. Member States may lower this threshold to 13; Belgium is likely to do so. In the Netherlands, the current data protection legislation, which sets the age limit at 16, will not be amended.
Member States may maintain or introduce more specific requirements for the processing of personal data which is necessary (i) to comply with a statutory obligation or (ii) to perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
The GDPR generally prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. At the same time, the Regulation provides for a number of exceptions. Thus, Member States have substantial discretion to adopt legislation permitting or conditioning the processing of sensitive data, in particular genetic data, biometric data and data concerning health. The Netherlands has used this discretionary authority to include specific provisions to this end in the draft GDPR Implementing Act.
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects the data subject is waived if the decision is authorised by Member State law laying down suitable measures to safeguard the rights, freedoms and legitimate interests of data subjects. Thus, in the Netherlands, the draft GDPR Implementing Act states that the right not to be subject to automated decision-making is waived if such decision-making is necessary to comply with a legal obligation or to perform a task in the public interest.
Member State law may restrict the rights of data subjects and the controller’s obligations in this regard, provided such restrictions are in accordance with fundamental rights and freedoms and are necessary and proportionate measures in a democratic society to safeguard:
(a) national security;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
A provision to this effect has been included in the draft GDPR Implementing Act.
Supervisory authorities may:
If a DPIA shows that processing would give rise to high risk unless mitigating measures are taken, the controller must consult with the supervisory authority. Notwithstanding this obligation, Member States may oblige controllers to consult with, and obtain prior authorization from, the supervisory authority in relation to the processing of personal data for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.
Member States may determine further conditions for the processing of national identification numbers or similar identifiers. Belgium, unlike Luxembourg, has specific rules on the processing of national numbers (rijksregisternummer/numéro de registre national) which state that the processing of such numbers is only allowed if permitted by law or the relevant subcommittee of the Privacy Commission. The draft GDPR Implementing Act provides (in keeping with the Dutch Personal Data Protection Act) that a national identification number may only be processed in order to comply with the law or for purposes provided by law.
Member States may provide specific rules on the processing of employee data. Such rules already exist at Member State level and will probably be maintained or even strengthened. The Luxembourg Personal Data Protection Act, for instance, sets restrictions on the processing of personal data for surveillance purposes at work. Thus, multinationals that wish to roll out certain procedures or practices will still encounter differences from one country to another.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89 GDPR)
Where personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, Member State law may provide for derogations from the right of access, the right to rectification, the right to restrict processing and the right to object.
Where personal data are processed for archiving purposes in the public interest, Member States may in addition provide for derogations from the right to data portability and the obligation to notify recipients of the rectification or erasure of personal data or a restriction on processing.
Provisions to this effect have been included in the Dutch draft GDPR Implementing Act. It should be noted that the Belgian Royal Decree of 13 February 2001, implementing the Data Protection Act of 8 December 1992, provides specific rules on the processing of personal data for historical, statistical or scientific purposes.
| MUST TAKE ACTION | MAY TAKE ACTION |
|---|---|
| Establishment of a list of processing operations for which a data protection impact assessment is required | Lowering the age limit for parental consent |
| Implementation of measures to reconcile the protection of personal data and freedom of expression | Introduction of specific requirements for the processing of personal data necessary (i) to comply with a statutory obligation or (ii) to perform a task carried out in the public interest or in the exercise of official authority vested in the controller |
| | Introduction of specific requirements for the processing of sensitive personal data |
| | Adoption of legislation allowing for automated decision-making |
| | Introduction of restrictions on the rights of data subjects in order to safeguard national security, defence, public security and similar interests |
| | Adoption of compliance instruments such as (sub)processor standard contractual clauses |
| | Approval of compliance instruments such as codes of conduct, binding corporate rules and criteria for certification mechanisms |
| | Introduction of an obligation to consult with the supervisory authority in relation to the processing of personal data for the performance of a task carried out in the public interest (including social protection and public health) |
| | Introduction of specific conditions for the processing of national identification numbers or similar identifiers |
| | Introduction of specific rules for the processing of employee data |
| | Introduction of restrictions on the rights of data subjects with regard to processing activities for archiving, scientific or historical research, or statistical purposes |