On 9 December 2016, a first draft of the Dutch GDPR implementation act was published, providing (additional) national rules where this is necessary for the implementation of provisions on, among other things, the position of the regulator or the fulfillment of discretionary powers provided by the GDPR. The response of the Dutch regulator has not been altogether positive.
On 6 April 2017, the Dutch regulator advised the State Secretary of Security and Justice on the draft GDPR implementation act. The regulator asks for greater powers and more independence, particularly in relation to the regulator's budget, which should, according to the regulator, be a separate part of the national budget instead of being a part of the departmental budget of the Ministry of Security and Justice.
The regulator also criticised not being a separate legal entity under the implementation act, endangering its independence when it comes to taking legal action. The issue of regulator independence is important as the regulator is anticipating a more proactive approach on enforcement of the GDPR than it currently pursues under the Directive. This is underlined by the regulator's push to centralise jurisdiction to rule on GDPR-related issues to a limited number of specialised courts.
The regulator furthermore advises the State Secretary not to try to interpret the GDPR in its own legislation where there is no necessity to do so. Reference is made to additional provisions included in the implementation act which concern accountability, which according to the regulator, should not be defined by a Member State, but by the Article 29 Working Party, in which all national regulators are represented.
The regulator criticises the GDPR by saying it shows characteristics of a Directive instead of a Regulation, with many provisions left to the discretion of the Member States. However, a policy-neutral implementation of the GDPR is encouraged where there is any room for discretion. The regulator recommends that any permitted derogations under the GDPR follow the current Dutch legislation.
No new draft of the GDPR implementation act has been published since the regulator’s advice. At the time of writing, it is unclear to what extent the regulator's comments will be followed by the legislator. A new draft is expected by the end of 2017.
The Data Protection Authority is the Austrian supervisory authority for data protection, the equivalent to a national data protection commissioner in other countries.
Parallel to the GDPR, the Austrian Data Protection Amendment Act 2018, BGBl. I Nr. 120/2017, will enter into force on 25 May 2018.
Currently, the Data Protection Authority operates a public register (the Data Processing Register, or DPR), of controllers and their data applications for the information of data subjects. Due to the elimination of the obligation to file such notification after the implementation of GDPR, the DPR will be available until 31 December 2019, for archival purposes only. Until then, the Austrian Data Protection Authority will provide companies with a download function to retrieve the registered data applications.
Instead of the previous report to the Data Protection Authority, companies will have to be proactive about documenting their processing activities internally. If potentially critical processing is carried out, companies will have to perform a data privacy impact assessment. These central points are not mentioned in the Austrian Data Protection Amendment Act 2018. However, the Data Protection Authority is authorised to issue black and white lists (listings of those data processing activities that require or do not require a DPIA).
For the time being, the Austrian legislator is not proposing to oblige companies to appoint a data protection officer. This would have been possible, for example, according to certain size criteria of the company or – as in Germany – according to the number of employees processing data. Without any specific requirements, organisations will have to use the vague criterion in the GDPR to decide whether or not to appoint a DPO.
The Hungarian Ministry of Justice has published its first draft of its GDPR implementation law for public consultation purposes. The draft document contains the proposed modification of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (i.e. the Hungarian Data Protection Act) which will have to be modified to contain the required provisions on the Hungarian execution of GDPR and also to harmonise the Hungarian rules with the EU Directive No 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities.
Overall, the draft document seems to be a minimal implementation of GDPR; it contains the most essential modifications required to be in line with the provisions of the GDPR. One difference is that the Hungarian Privacy Act intends to extend the provisions of the GDPR to every kind of data processing activity, i.e. also to manual processing even if personal data is not stored or not intended to be stored in a filing system. Parallel with this significant extension, the draft also deregulates the Hungarian act on duties, and intends to provide duty free procedures in connection with the protection of privacy rights. Furthermore, the draft terminates the data filing obligation of the data controller with the Hungarian data registry of the Hungarian Data Protection Authority (HDPA) on their data controlling activities. Such record keeping obligations will apply to the data controller via their internal data registries. An additional requirement according to the draft is that the data controller has to review its data processing activities every three years if the law does not provide any time limits for retaining the data. The review must be documented and be presented to the HDPA upon its request.
The deadline for submitting any comments on the draft ended on 8 September 2017. The review of the comments and the submission of the draft to the Hungarian Parliament are expected shortly, so the final wording of the draft will, most likely, be changed. Professional interpretations of the HDPA are also expected on certain topics, since no specific guidelines have been issued yet regarding the national implementation of the GDPR, and only the general information of the European Commission is published by the HDPA.
The Slovakian implementation of the GDPR is currently in the legislative process. The Slovakian Data Protection Office published its second proposal of the new Data Protection Act, following the ministry’s interdepartmental consultation. Like the GDPR, the new Act will enter into force on 25 May 2018.
The main parts of the new Act apply to processing of personal data in the course of an activity which falls outside the scope of GDPR (e.g. processing of personal data by the police, military police, financial administration, prosecutors and courts for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties).
However, it seems that the act will include only limited implementation of GDPR relating to specific processing situations. As in the Hungarian case, it contains the most essential modifications required to be in line with the provisions of the GDPR (Art. 85 et seq.). For instance, the controller may process personal data without the data subject’s consent, if the processing is necessary for journalistic purposes and the purposes of academic, artistic or literary expression, unless the controller infringes the personal rights of a data subject or his/her right to privacy. Further, the new Act expressly states that in the event of implementation of security measures and carrying out an assessment of the impact, the controller and the processor shall proceed pursuant to the international security standards.
The proposal also prescribes a stricter regime of processing for a specific type of data – the so-called birth number (a unique identification number of each natural person born in the Slovak Republic). Under the previous legislation, this identifier was included in the category of sensitive personal data. Under the draft, a birth number can be processed only if it is necessary to achieve the purpose of such processing. If the legal basis for the processing is consent, this must be explicit.
Based on Art. 9 (4) of GDPR, the Slovakian proposal also introduces an additional condition with regard to the processing of genetic data, biometric data or data concerning health – the controller may process these types of personal data, if processing is based on a legal ground, a special law or international treaty.
The current Polish draft bill on data protection was published in September 2017.
The chief derogations are:
- a derogation based on Article 8 par. 1 GDPR, under which the minimum age requirement as to lawful processing of personal data of a child based on prior consent when providing electronic services is set to 13 years. Below this age limit parental consent is required;
- a derogation based on Article 83 par. 7 GDPR under which the amount of financial penalty which may be imposed on public entities is capped at PLN 100.000 (ca. EUR 24.000);
- in line with Recital no 155 of the GDPR, the current draft bill on the provisions implementing the act on data protection, which was published simultaneously with the aforementioned draft bill on data protection, provides that it will be generally allowed to process certain personal data of an employee which exceeds the statutory catalogue stipulated in Article 221 of the Polish Labour Code, provided that an employee expresses his/her consent in writing or in electronic form and such data will be related to the employment relationship. Such consent may also be granted with respect to processing the employee’s biometric data. Under the currently applicable regulation, the approach of the courts is that employee consent cannot be regarded as freely given due to the imbalance in the employment relationship, and thus its validity may be questioned.