Read the book Privacy and Data Protection based on the GDPR - Leo Besemer - Page 33

1.2.3 GDPR implementation laws


The GDPR is applicable law in all of the EEA. Quite a few articles in the regulation, however, give the Member States room to add to the regulation, or even to “color it” to their liking. Article 23 allows Member States to pass laws restricting the obligations and rights regarding information to, and rights of, data subjects, together with the communication of data breaches, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defense, public security, and the prevention, detection and prosecution of criminal offences, to name just a few items of a long list.

Besides that, there are a number of articles where the regulation gives a default, and Member States can vary or add to that. An example is the age at which a data subject is regarded to be a child, which can vary from 13 to 16 years. This is particularly important regarding the age at which consent of a child in connection to social media can be lawful (see Sub-section 8.2.2).

Another example is the types of personal data which require extra care in processing, although they are not deemed “sensitive data”. Most countries that use some kind of national identification number or social security number to identify citizens have deemed this number as requiring extra care, or have reserved it for use only by government and other organizations named in Member State law.

The reasons why the aim of harmonization was given up in these cases are not explicitly stated. It is partly because the European Commission and Parliament can only pass law in fields indicated in the treaties, and for instance not in the field of national security and policies. Another reason may be that in some instances different cultural backgrounds make it difficult to reach an agreement, and this option for Member States to specify their own rules means it is easier to make the national provisions coherent with existing national law and indeed more comprehensible to the persons to whom they apply. This takes time, as is illustrated by the fact that at the time the GDPR came into force on 25 May 2018, only five countries (Austria, Denmark, Germany, Netherlands and United Kingdom) had their implementation law in place. By the end of 2018 this number had grown to ten.

Since the majority of EEA Member States have passed implementation law using at least part of the flexibility provided in the GDPR for national variation, you must always check for these variations in the jurisdiction where you operate, or where the data subjects are.
