New in CRi

Data Privacy Legislation in the European Union Member States - A Pratical Overview (Pohle, CRi 2018, 97)

The article provides an overview of how the EU Member States have modified their domestic data privacy law in the following core areas: (1) domestic legislation (2) definitions; (3) relevant authority; (4) registration requirements; (5) data protection officers (DPO); (6) collection and processing; (7) data subject rights; (8) data transfer to third counties; (8) security of personal data; (10) data breach notification; (11) enforcement; (12) data processing in employment context; (13) provisions relating to specific processing situations (chapter 9 GDPR); (14) electronic marketing; (15) online privacy; (16) other notable domestic regulations. EU Member States without finally adjusted domestic data privacy law are listed indicating the current status of the domestic legislative process.

I. Introduction

II. Austria

III. Croatia

IV. Denmark

V. France

VI. Germany

VII. Hungary

VIII. Ireland

IX. Lativa

X. Lithuania

XI. Malta

XII. Poland

XIII. United Kingdom

XIV. Other EU Member States

XV. Conclusion


I. Introduction

The General Data Protection Regulation (“GDPR”) applies since 25. May 2018 as the European Union (“EU”) Data Protection Directive is repealed with effect as of the same date. It is the core and overall aim of the GDPR to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the EU. On this basis, the GDPR strives to establish a harmonized level of protection of the rights and freedoms of natural persons regarding the processing of personal data on an equivalent level in all EU Member States.

Despite its overall goal, the GDPR nevertheless grants Member States the option not only to maintain or introduce national provisions to further specify the application of GDPR in specific areas but also to specify the rules of GDPR. These opening clauses for modifying domestic laws concern, for example, (a) specific processing situations as specified in Chapter nine of the GDPR, including the processing of personal data in the context of employment as an extremely important field of processing in day-to-day practice, (b) the determination of the minimum age a child must reach for being able to grant valid consent in the processing of personal data, (c) the processing of personal data relating to criminal convictions and offences as well as (d) the requirement to appointment of a data protection officer or (e) the establishment of a supervisory authority and (f) to which extent administrative fines might be imposed on public authorities and bodies and (g) rules and regulations on penalties.

Moreover the GDPR does not affect the application of specific other EU legislation such as the E-Commerce Directive as the ePrivacy Directive.

Against the background of the GDPR as such coming into force and becoming directly applicable in all EU Member States, the national legislators in the EU Member States were urged, but also had the opportunity to implement domestic data privacy legislation amending or replacing the domestic data privacy laws implementing the EU Data Protection Directive. This article gives an overview on core topics of the domestic data privacy laws and the scope and basic details of their implementation in the EU Member States to date (excluding The Netherlands, Slovakia and Sweden) as it further provides a summary on the status of the legislation in the remaining EU Member States.

II. Austria

Author: Stefan Panic, Senior Associate, DLA Piper Weiss-Tessbach, Vienna.

1. Domestic Legislation

The Austrian Data Protection Act 15 (“the Act”), as amended by the Privacy Deregulation Act 2018, came into force on 25 May 2018. The Act applies to processing of personal data in Austria and in EU the purposes of an Austrian main establishment or a branch office of a data controller. If data is processed in Austria by a data controller from another EU Member State, and the processing does not occur for the purposes of the controller’s branch office in Austria, the laws of the state where the controller is based apply.

2. Definitions

The Act does not include any additional definitions to those of the GDPR. However, its Section 1 does not use the GDPR definition of “data subject”, but the term “everyone”, which includes corporations. Consequently, the basic right to data privacy and some basic data subject rights also apply to corporations.

3. Authority

The relevant authority is the Austrian Data Protection Authority (the “Austrian DPA”).

4. Registration Requirements

There are no specific registration requirements applying in Austria.

5. Data Protection Officers (“DPO”)

The data protection officer and his staff are obliged to maintain confidentiality regarding the identity of persons approaching him, and circumstances that could reveal their identity.

The DPO and his staff have the right to remain silent regarding the data obtained as data protection officer under certain requirements defined by law. This right extends to the related files and other documents of the DPO.

Further regulations concern DPOs of public organisations.

6. Collection and Processing

Every employee or agent who has access to personal data must be contractually obliged to transfer personal data only after instruction by the employer, and must be subject to confidentiality undertakings or professional or statutory confidentiality obligations. Measures must be taken to ensure that these undertakings and obligations continue to apply after the termination of the employment or service contract.

CCTV (defined broadly as processing of images made in public or private spaces), including related sound recordings, are subject to further regulation and requirements that limit the lawfulness of processing.

Additional regulations on processing of data include those relating to processing of addresses for informing or sending questionnaires to data subjects, and regarding data processing in the event of catastrophes.

7. Data Subject Rights

The Act does not introduce any further data subject rights.

8. Transfer to Third Countries

The transfer of data to third countries is not covered by the Act

9. Security of Personal Data

As regards video surveillance, CCTV controllers must secure access to the CCTV/captured images in a way that makes any unauthorised access and subsequent alteration of captured images impossible.

10. Breach Notification

There are no specific provisions regarding a breach notification in the Act

11. Enforcement

The Austrian DPA is obliged to impose administrative fines in an adequate way. The Austrian DPA should also apply the measures pursuant to Article 58 GDPR in the case of first-time breaches, in particular issuing warnings instead of imposing fines.

Fines under GDPR shall be imposed under Austrian administrative criminal law, i.e. typically against natural persons. The Act provides a possibility to impose fines against legal entities instead of the responsible natural person in specific cases, subject to the discretion of the Austrian DPA. If a fine is imposed against the legal entity, the responsible natural person may not be fined for the same breach. Public bodies cannot be fined for violations of GDPR/the Act.

12. Processing in the Context of Employment

The Act contains no provisions in this respect, regulation for which exists in the Employment Law, requiring obligatory conclusion of works council agreements in certain cases of processing of employee data.

13. Specific Regulations According to Articles 85-87 and 89 GDPR

For processing of personal data by media for journalistic purposes, Chapters II-VII and IX GDPR do not apply. For scientific, artistic and literary purposes, the same chapters also do not apply, with the exception of Articles 5, 28, 29 and 32.

A specific regulation has been adopted regarding processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

14. Electronic Marketing

The GDPR implementation legislation has not provided any amendments or derogations regarding electronic marketing, which is regulated separately by the Austrian Telecommunications Act (“TKG”), implementing the ePrivacy Directive 16 .

15. Online Privacy

Online privacy is specifically regulated by the TKG, to which the GDPR implementation legislation has introduced only minor amendments. The TKG contains specific provisions regarding processing of traffic data and location data. The TKG requires informed active consent for the storage of personal data, including for use of cookies, with the exception of necessary cookies.

16. Other Notable Domestic Regulations

In addition to the Act, the GDPR implementation legislation includes numerous minor amendments in other statutory laws, mostly concerning the new terminology. Other laws with notable additional regulation include the Austrian Insurance Contract Act, Health Telematics Act, Medical Products Act and Pharmaceuticals Act.

III. Croatia

Author: Boris Dvoršćak, attorney-at-law, Zagreb.

1. Domestic Legislation

The Croatian Act on the Implementation of the General Data Protection Regulation 17 (“the Act”) came into force on 25 May 2018. (...)
 

Hier geht's direkt zum Aufsatz:

- im Beratermodul CR:  Login für CR-Print-Abonnenten & registrierte Kunden

- im juris PartnerModul IT-Recht:  Login für registrierte Kunden

Weiterlesen können Sie auch im CR Schnupperabo.