After the GDPR entered into force in May 2018, EU Member States adopted local implementing legislation in 2019 to complement the GDPR itself. This process is concluded in most EU countries, leaving one Member State without further national specification at the end of 2019.
The 28 EU Member States did not follow the same calendar for the national laws implementing the GDPR. Furthermore, and perhaps more problematic for the stated intention to create a Digital Single Market with consistent laws throughout the EU, Member States have introduced various interpretations of the derogations, exemptions, exceptions and restrictions in the GDPR, including to the all-important Article 89 on research or statistical purposes (see below).
In the worst cases, some national specifications have even been reported to contradict the GDPR despite the limits to flexibility foreseen in Recital 10 to prevent this! Although the GDPR was adopted to reinforce and harmonise data protection law across the EU, national laws cannot be ignored.
This FAQ list will therefore help you to clarify the situation as part of your continued GDPR compliance efforts.
Does the GDPR need national specifications to be applicable?
No, the GDPR is the primary law on personal data of EU residents and entered into force on 25 May 2018 for all Member States. A regulation adopted by the EU applies directly and uniformly across all the EU Member States, unlike a directive, which requires further transposition into national law.
Why then are there national specifications?
The GDPR forces the Member States to take a number of legal steps at national level, especially for the creation or adaptation of the national data protection authority’s powers, the alignment of sectorial legislation and topics such as the reconciliation of data protection with freedom of expression and information. In this context, the GDPR Code of Conduct prepared by ESOMAR and EFAMRO will be important for the global market, opinion and social research and data analytics sector to avoid fragmentation via the national laws.
Which areas are concerned?
A third of the GDPR’s 99 articles contain one or several references to local specifications, but there is still a debate on the exact number of possible margins of manoeuvre (from 20 to 70). The key areas concerned include:
- Child’s age of consent (art. 8): parental consent must be obtained for information society services (services provided digitally) offered directly to a child under the age of 16. Member States may define by law a lower age, down to 13 years. 18 countries have chosen a lower age between 13 and 15 years.
- Special categories of personal data (art. 9): the derogations for processing special categories of data (race, ethnicity, political opinions…) are determined by local laws, but Member States may also introduce further conditions, including limitations for genetic data, biometric data (facial recognition included) or data concerning health.
- Automated individual decision-making (art. 22): “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them”. Member States may adopt laws that introduce further conditions with “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests”.
- Restrictions (art. 23): Member States may restrict the rights provided by the GDPR for several reasons, including national and public security, defence, criminal offences, judicial independence and proceedings, civil law claims, general public interest… Such restrictions must respect the essence of the fundamental rights and freedoms and must be a necessary and proportionate measure in a democratic society. Most Member States have defined restrictions, especially for the right of access (art. 15), the right to information (art. 13/14), the right to rectification (art. 16) and erasure (art. 17).
- Notification of data breach (art. 33/34): the controller notifies the breach to the supervisory authority within 72 hours and communicates it to the data subject without undue delay in case of high risk to the rights and freedoms of natural persons (i.e. individuals, not legal bodies). Most Member States chose not to deviate from the GDPR, although a few have added exceptions or changed the notification requirements.
- Data Protection Officer (art. 37): the DPO is mandatory in three cases (public authority or body, regular and systematic monitoring of data subjects on a large scale, large-scale processing of special categories of data), but Member States may specify other circumstances in which a DPO must be appointed. For example, Germany specifies that a DPO is mandatory for companies which constantly employ at least 20 employees dealing with the automated processing of personal data (before June 28, 2019 the threshold was at 10 employees only).
- Powers of supervisory authorities (art. 58): Member States may add new powers to the three categories (investigation, correction, advisory). Most Member States did not do so, but some have added details in the list of powers or in their exercise.
- Representation of data subjects (art. 80.2): Member States may allow NGOs and consumer groups to start an action on behalf of data subjects without the data subjects’ mandate. Most Member States have chosen to limit the action to organisations benefitting from a data subjects’ mandate.
- Research or statistical purposes (art. 89): Member States must put safeguards in place for the derogations of the processing of personal data for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes. A small majority of Member States chose not to provide for additional safeguards, while others have added conditions and processing details for safeguards (anonymisation, pseudonymisation). This point requires attention as the local specifications or restrictions concerning article 89 may highly impact the market research industry.
Which local laws should I be aware of?
A company dealing with personal data in several countries must pay attention to each of the national specifications. The rights are defined by the country of residence of the data subjects, not by the company location! For example, the national age of consent must be checked before interviewing children and young people (unless the minimum age to participate in a survey is 16 years or over).
Who can I ask if I want to double-check?
If you are a member of ESOMAR, you can always contact our queries desk to seek clarification as to whether the countries you are conducting research in may have these additional specifications or unique interpretations you need to bear in mind.