After the GDPR entered into force in May 2018, EU Member States adopted local implementing legislation in 2019 to complement the GDPR itself. This process is concluded in most EU countries, leaving only one Member State without further national specification at the end of 2019.
The 28 EU Member States did not follow the same calendar for the national laws implementing the GDPR. Furthermore, and perhaps more problematic for the stated intention to create a Digital Single Market with consistent laws throughout the EU, Member States have introduced various interpretations of the derogations, exemptions, exceptions and restrictions in the GDPR, including of the all-important Article 89 on research or statistical purposes (see below).
In the worst cases, some national specifications have even been reported to contradict the GDPR despite the limits to flexibility foreseen in Recital 10 to prevent this! Although the GDPR was adopted to reinforce and harmonise data protection law across the EU, national laws cannot be ignored.
This FAQ list will therefore help you to clarify the situation as part of your continued GDPR compliance efforts.
Does the GDPR need national specifications to be applicable?
No, the GDPR is the primary law on personal data of EU residents and entered into force on 25 May 2018 for all Member States. A regulation adopted by the EU applies directly and uniformly across all the EU Member States, unlike a directive, which requires further transposition into national law.
Why then are there national specifications?
The GDPR forces the Member States to take a number of legal steps at national level, especially for the creation or adaptation of the national data protection authority’s powers, the alignment of sectorial legislation and topics such as the reconciliation of data protection with freedom of expression and information. In this context, the GDPR Code of Conduct prepared by ESOMAR and EFAMRO will be important for the global market, opinion and social research and data analytics sector to avoid fragmentation via the national laws.
Which areas are concerned?
A third of the GDPR's 99 articles contain one or several references to local specifications, but there is still a debate on the exact number of possible margins of manoeuvre (from 20 to 70). The key areas concerned include:
- Child’s age of consent (art. 8): parental consent must be obtained for information society services (services provided digitally) offered directly to a child under the age of 16. Member States may define by law a lower age, down to 13 years. 18 countries have chosen a lower age between 13 and 15 years.
- Special categories of personal data (art. 9): the derogations for processing special categories of data (race, ethnicity, political opinions…) are determined by local laws, but Member States may also introduce further conditions, including limitations for genetic data, biometric data (facial recognition included) or data concerning health.
- Automated individual decision-making (art. 22): “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them”. Member States may adopt laws that introduce further conditions with “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests”.
- Restrictions (art. 23): Member States may restrict the rights provided by the GDPR for several reasons including national and public security, defence, criminal offences, judicial independence and proceedings, civil law claims, general public interest… Such restrictions must respect the essence of the fundamental rights and freedoms and must be a necessary and proportionate measure in a democratic society. Most Member States have defined restrictions, especially for the right of access (art. 15), the right to information (art. 13/14), the right to rectification (art. 16) and the right to erasure (art. 17).
- Notification of data breach (art. 33/34): the controller notifies the breach to the supervisory authority within 72 hours and communicates it to the data subject without undue delay in case of high risk to the rights and freedoms of natural persons (i.e. individuals, not legal bodies). Most Member States chose not to deviate from the GDPR, although a few have added exceptions or changed the notification requirements.
- Data Protection Officer (art. 37): the DPO is mandatory in three cases (public authority or body, regular and systematic monitoring of data subjects on a large scale, large-scale processing of special categories of data) but Member States may specify other circumstances in which a DPO must be appointed. For example, Germany specifies that a DPO is mandatory for companies which constantly employ at least 20 employees dealing with the automated processing of personal data (before June 28, 2019 the threshold was at 10 employees only).
- Powers of supervisory authorities (art. 58): Member States may add new powers to the three categories (investigation, correction, advisory). Most Member States did not do so but some have added details in the list of powers or in their exercise.
- Representation of data subjects (art. 80.2): Member States may allow NGOs and consumer groups to start an action on behalf of data subjects without the data subjects’ mandate. Most Member States have chosen to limit the action to organisations benefitting from a data subjects’ mandate.
- Research or statistical purposes (art. 89): Member States must put safeguards in place for the derogations of the processing of personal data for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes. A small majority of Member States chose not to provide for additional safeguards, while others have added conditions and processing details for safeguards (anonymisation, pseudonymisation). This point requires attention as the local specifications or restrictions concerning article 89 may highly impact the market research industry.
Which local laws should I be aware of?
A company dealing with personal data in several countries must pay attention to each of the national specifications. The rights are defined by the country of residence of data subjects, not by the company location! For example, the national age of consent must be checked before interviewing children and young people (unless the minimum age to participate in a survey is 16 years or over).
Who can I ask if I want to double-check?
If you are a member of ESOMAR, you can always contact our queries desk to seek clarification as to whether the countries you are conducting research in may have these additional specifications or unique interpretations you need to bear in mind.
Are there additional sources for detailed information per country?
- ESOMAR resources:
  - ESOMAR has a GDPR page covering all of our GDPR resources and content: https://www.esomar.org/gdpr
  - The new ESOMAR country pages provide some of the legal information (age of consent, data protection laws and authority, sensitive data…): https://www.esomar.org/community/our-community/country-page
- Academic privacy research groups:
  - French manual (to be released in 2020): https://www.larcier.com/fr/manuel-de-droit-europeen-de-la-protection-des-donnees-a-caractere-personnel-2020-9782802764328.html
- Official EU documentation:
- Report from a leading privacy advocacy group: https://www.accessnow.org/cms/assets/uploads/2019/06/One-Year-Under-GDPR.pdf
2 comments
Thanks Hélène!
Concise and brilliant overview. Thanks Philippe!