This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
The European legislature opted for a regulation in order to ensure a consistent level of protection for data subjects throughout the European Union and prevent differences that could hamper the free movement of personal data within the internal market. However, the GDPR does not provide for complete harmonization and leaves considerable leeway to Member State national and supervisory authorities to set country-specific rules. It goes without saying that this could result in fragmented implementation, as was the case with the Data Protection Directive (Directive 95/46/EC). The Netherlands has already published a draft GDPR Implementing Act for which public consultation is now closed (see our previous newsletter for more information). In Belgium and Luxembourg no texts have been released thus far.
This issue highlights the most important areas in which the national and supervisory authorities must or may take specific measures. Skip to the end for a summary.
Areas in which national or supervisory authorities MUST take action
Establishment of a list of processing operations for which a data protection impact assessment is required (Article 35(4) GDPR)
The competent supervisory authorities must establish and publish a list of processing operations for which a data protection impact assessment (DPIA) is required. The Belgian Privacy Commission has prepared a DPIA recommendation (available in Dutch and French) that includes such a list. This recommendation is not yet final. Furthermore, it should be noted that the supervisory authorities may establish a list of processing operations for which a DPIA is not required.
Processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression (Article 85 GDPR)
Member States shall take the necessary measures to reconcile the protection of personal data with freedom of expression and information. This means in particular that, if necessary, they shall provide for the necessary exemptions or derogations from the GDPR. Current data protection legislation in the Benelux already provides for such exemptions and derogations. The Dutch GDPR Implementing Act expressly states that many provisions and sections of the GDPR do not apply to processing activities for solely journalistic, academic, artistic or literary purposes.
Areas in which the national or supervisory authorities MAY take action
Age limit for consent by children (Article 8 GDPR)
As indicated in our issue on consent, parental consent is required when information society services are offered to children below the age of 16. Member States may lower this threshold to 13; Belgium is likely to do so. In the Netherlands, the current data protection legislation, which sets the age limit at 16, will not be amended.
Specific requirements for the application of certain processing grounds (Article 6 GDPR )
Member States may maintain or introduce more specific requirements for the processing of personal data which is necessary (i) to comply with a statutory obligation or (ii) to perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
Processing of sensitive data (Articles 9 and 10 GDPR)
The GDPR generally prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. At the same time, the Regulation provides for a number of exceptions. Thus, Member States have substantial discretion to adopt legislation permitting or conditioning the processing of sensitive data, in particular genetic data, biometric data and data concerning health. The Netherlands has used this discretionary authority to include specific provisions to this end in the draft GDPR Implementing Act.
Automated decision-making (Article 22 GDPR)
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects the data subject is waived if the decision is authorised by Member State law laying down suitable measures to safeguard the rights, freedoms and legitimate interests of data subjects. Thus, in the Netherlands, the draft GDPR Implementing Act states that the right not to be subject to automated decision-making is waived if such decision-making is necessary to comply with a legal obligation or to perform a task in the public interest.
Restrictions on the rights of data subjects (Article 23 GDPR)
Member State law may restrict the rights of data subjects and the controller's obligations in this regard, provided such restrictions are in accordance with fundamental rights and freedoms and are necessary and proportionate measures in a democratic society to safeguard:
(a) national security;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
A provision to this effect has been included in the draft GDPR Implementing Act.
Adoption or approval of compliance instruments (Article 57 GDPR)
Supervisory authorities may:
- adopt standard contractual clauses for (sub)processor agreements;
- approve codes of conduct;
- approve criteria for certification mechanisms;
- adopt criteria for and conduct the accreditation of bodies monitoring codes of conduct/certification bodies; and
- approve binding corporate rules.
Prior consultation (Article 36.5 GDPR)
If a DPIA shows that processing would give rise to high risk unless mitigating measures are taken, the controller must consult with the supervisory authority. Notwithstanding this obligation, Member States may oblige controllers to consult with, and obtain a prior authorization from, the supervisory authority in relation to the processing of personal data for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.
Processing of national identification numbers (Article 87 GDPR)
Member States may determine further conditions for the processing of national identification numbers or similar identifiers. Belgium, unlike Luxembourg, has specific rules on the processing of national numbers (rijksregisternummer/numéro de registre national) which state that the processing of such numbers is only allowed if permitted by law or the relevant subcommittee of the Privacy Commission. The draft GDPR Implementing Act provides (in keeping with the Dutch Personal Data Protection Act) that a national identification number may only be processed in order to comply with the law or for purposes provided by law.
Processing in the context of employment (Article 88 GDPR)
Member States may provide specific rules on the processing of employee data. Such rules already exist at Member State level and will probably be maintained or even strengthened. The Luxembourg Personal Data Protection Act for instance sets restrictions on the processing of personal data for surveillance purposes at work. Thus, multinationals that wish to roll-out certain procedures or practices will still encounter differences from one country to another.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89 GDPR)
Where personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, Member State law may provide for derogations from the right of access, the right to rectification, the right to restrict processing and the right to object.
Where personal data are processed for archiving purposes in the public interest, Member States may in addition provide for derogations from the right to data portability and the obligation to notify recipients of the rectification or erasure of personal data or a restriction on processing.
Provisions to this effect have been included in the Dutch draft GDPR Implementing Act. It should be noted that the Belgian Royal Decree of 13 February 2001, implementing the Data Protection Act of 8 December 1992, provides specific rules on the processing of personal data for historical, statistical or scientific purposes.
Recitals 10, 45, 51, 52, 72, 73, 153 and 156
Articles 6, 8, 9, 10, 22, 23, 35(4), 36(5), 57, 84, 85, 87, 88 and 89