Progress on Member State data protection legislation to October 2017.

Member State / GDPR implementing legislation / Recitals

Austria

Datenschutz-Anpassungsgesetz 2018; No. 120/2017. Passed June 2017.

Age of consent for children is 14. Criminal data can be processed on the basis of a controller's legitimate interest.

Belgium

Proposed legislation has been approved by ministers but no draft as yet.

Bulgaria

The Bulgarian Commission on Personal Data Protection is drafting a bill.

Croatia

Draft legislation was expected Q3 2017 but this has not yet materialised.

Republic of Cyprus

A bill is being drafted.

Czech Republic

New draft legislation plus amendments to existing legislation. Both were made available 18 August 2017 and are undergoing the legislative procedure.

Age of consent for children is 13. The processing of personal data is permitted for "compatible" purposes. Restriction of certain subject rights in matters of public interest.

Denmark

The draft bill for the Data Protection Act has had public consultation but has not yet been finalised, available July 2017.

Age of consent for children is 13. Processing of employees' personal data in an employment context is permitted:

  • for the performance of controller or subject obligations under law or a collective agreement;
  • for legitimate interests pursued by the controller under law or a collective agreement, unless overridden by the interests or fundamental rights and freedoms of the subject; or
  • where the subject has consented.

Information to be provided to the subject and the subject's right of access shall not apply to the private sector if the interests of the subject are overridden by compelling private interests, such as protection of the subject.

Estonia

A bill is being drafted.

Finland

The Finnish GDPR Working Group (TATTI) has proposed a draft Bill for GDPR implementation legislation (from page 68 of their report). Available 21 June 2017.

France

Legislation is being drafted.

Germany

The new Federal Data Protection Act (Bundesdatenschutzgesetz). Passed 27 April 2017.

Information provided to the subject in accordance with GDPR Art 13 can be withheld if it would endanger the legal defence of the controller, providing there are no overriding interests of the subject in that information. The right of data access may be limited in cases where:

  • the information is stored solely for purposes of data retention requirements;
  • providing such information would be unreasonably burdensome for the controller; and
  • any processing of the data for other purposes is excluded by technical or organisational measures (e.g. data is blocked from other accesses).

The provision of such information or rights of access can also be withheld where there are secrecy obligations on the controller, or where it would require disproportionate effort for the controller or would compromise the realisation of wider processing objectives. Article 14 information can also be withheld where the confidentiality interests of the controller are overriding. The right to be forgotten can also be withheld if complying is not possible, or would incur disproportionate effort, due to storage methods. Sensitive personal data of an employee can be processed for the assessment of working capacity and to comply with social security obligations. It can also be processed for scientific or historic research if necessary for the relevant purpose. Personal data can be processed for a purpose different from that for which it was initially collected in order for a controller to defend a civil law claim, so long as the subject's interests do not override. A group of companies may appoint a single DPO rather than a specific German one required under the GDPR.

Greece

A bill is being drafted but is allegedly behind schedule.

Hungary

Draft amendments to the existing data protection legislation were made available for public consultation from 29 August until 8 September 2017.

Processing of personal data without consent is permitted where the controller is fulfilling legal obligations or where it is necessary for the enforcement of the controller's legitimate interests and this is proportionate to restrictions on the subject's rights. Processing of sensitive personal data without consent is permitted where statute requires it for enforcement of constitutional rights, defence, security, crime or public policy purposes. Information to be given to data subjects when their data is processed is deemed given where a public announcement is made if notification is impossible or would incur unreasonable expense.

Ireland

A General Scheme of Data Protection Bill has been published which proposes the layout and content of the Bill (available May 2017) but the Bill itself is still not available.

Italy

A bill is being drafted.

Latvia

The draft Personal Data Processing Law is undergoing public consultation, available 13 September 2017.

Lithuania

The draft legislation for implementing the GDPR is now available for public consultation but has not been presented as part of the legislative procedure yet.

Luxembourg

The draft bill implementing the GDPR is under legislative consultation now (available 12 September 2017).

Data processing for purposes of journalism, university research, art or literature (Art. 56). Data processing for purposes of statistics, scientific or historical research so long as proportional (Art. 57). Processing of sensitive data allowed by medical bodies and healthcare professionals, research bodies, social security organisms, insurance companies, pension funds, the Medical and Surgical Mutual Fund and other approved organisms. Transfers between these are facilitated. The provision of information to the subject is derogated from where doing so would jeopardise the objective of the collection or would harm the confidentiality of journalistic sources. The processing of sensitive personal data without consent is permitted for health and social care purposes and for social security bodies, regulators, insurance companies and pension fund managers if subject to confidentiality.

Malta

No information about legislation.

Netherlands

The proposed GDPR implementation legislation underwent public consultation but has not yet begun the legislative process. It was available 9 December 2016.

Data processing for journalistic, academic, artistic or literary purposes is permitted. The right to not be subject to automated decision-making or profiling is waived if necessary to comply with legal obligations or to perform a task in the public interest.

Poland

The draft GDPR implementation legislation has been made available for public consultation but has not been introduced to the legislature. Available 12 September 2017.

Age of consent for children is 13 under the draft. Financial institutions may process personal data without consent if assessing credit risk, if analysing for statistics or to fulfil obligations under statute and for the prevention of crime.

Portugal

No information about legislation.

Romania

The draft amendment legislation is currently undergoing public consultation (available 5 September 2017).

Slovakia

The draft GDPR implementation legislation was available for public consultation but no official follow-up as yet (available 15 June 2017).

Personal data may be retained beyond the period of the purpose of its original collection for statistical services, scientific purposes and archiving, within such sectors as tax and accounting, telecommunications, healthcare, social security, pensions and financial services. Processing of personal data without consent is permitted for:

  • complying with statute;
  • literary or artistic expression;
  • fulfilling a contract;
  • protecting the subject's life, health or property;
  • fulfilling an important task in the public interest; and
  • protecting the rights or legitimate interests of the controller.

Processing of sensitive personal data without consent is permitted for:

  • complying with statute;
  • protecting the vital interests of the subject;
  • the provision of generally beneficial services by a civil society, foundation or non-profit organisation;
  • providing care; and
  • providing health insurance or social security services.

Slovenia

The draft GDPR implementation legislation is currently undergoing public consultation (available 3 October 2017).

Spain

The draft Personal Data Protection Law and draft amendments to the existing data protection law have been presented to Ministers. Available 28 June 2017 and 7 July 2017 respectively.

The age of consent for children is 13. Processing personal data without consent is permitted for the fulfilment of legitimate interests where consent is impractical, such as whistleblowing, CCTV and credit references.

Sweden

An extensive report has been published outlining proposals for GDPR implementation, but no draft has been published.

Processing of personal data for journalistic or academic purposes, or for artistic and literary creation, is likely to be permitted to comply with Sweden’s Fundamental Law on Freedom of Expression and Freedom of the Press Act. The age of consent is likely to be 13.

UK

Data Protection Bill 2017 – currently in the House of Lords. Available 14 September 2017.

The age of consent for children is 13. There are conditions where processing of personal data will be lawful. Schedule 1 includes:

  • performing / exercising rights / obligations under employment law, social security law or social protection law;
  • health / social care purposes;
  • public interest in public health;
  • archiving / scientific or historical research / statistics;
  • parliamentary, statutory or government purpose;
  • equality;
  • prevention or detection of unlawful acts;
  • public protection against dishonesty;
  • journalism about unlawful acts / dishonesty;
  • fraud prevention;
  • suspicion of terrorist financing or money laundering;
  • counselling;
  • necessary for insurance business;
  • occupational pensions;
  • political parties;
  • in connection with elected representatives;
  • sports anti-doping; and
  • Part 3 relates to criminal convictions.

Schedule 2 allows processing for:

  • crime detection and prevention;
  • apprehension and prosecution of offenders;
  • assessment or collection of tax;
  • public protection;
  • regulatory functions in legal services, health and children's services;
  • protection of the rights of others;
  • journalistic, academic, artistic and literary purposes; and
  • research, statistics, archiving in the public interest.

Schedule 3 allows processing for:

  • health, social work, education and child abuse.

Schedule 4 restricts the application of disclosures under the GDPR for:

  • fertilisation;
  • adoption;
  • special educational needs;
  • parental orders and reports; and
  • children's hearings.