The GDPR allows each country to set up their own set of regulations regarding the processing of personal data.
Below are three noteworthy countries and how each of them has applied the law.
The Data Protection Act 2018 (DPA 2018) is Ireland's GDPR implementation, making use of the opening clauses that allow each country to set up its own rules on the processing of personal data.
Although it did not make full use of the opening clauses, Ireland’s data protection law does contain a few additions on several topics. For example, the personal data protected under the DPA covers not only the personal data of living individuals but also the relevant data of deceased individuals insofar as it relates to a living individual, whereas under the GDPR personal data refers only to living individuals.
Other differences include the following:
- Section 36 outlines suitable and specific measures to be taken for the safeguarding of individuals’ rights.
- The Data Protection Commission (DPC) is the regulatory authority under the DPA; it also administers several other legislative frameworks and publishes guidance notes, such as those on the data processing principles and on the legal bases for processing.
- Following the pattern of Article 35 of the GDPR, the DPA adopted a DPIA Blacklist, outlining the types of data processing operations that require a data protection impact assessment.
- The appointment of a DPO has to be notified to the DPC via an online form; the same applies to data breach notifications.
- While it defines a child as a person under the age of 18, the same as the GDPR, the DPA sets the digital age of consent at 16 years, meaning that from this age a child may consent to the processing of their own personal data. There is also a specific right of erasure set out in Section 33 of the DPA, which states that personal data collected “in relation to the offer to that data subject of information society services” has to be erased without undue delay.
- There are codes of conduct regulated by Section 32 when it comes to the personal data of children, and it is an offense for organizations to process personal data of children for the purposes of direct marketing, profiling or micro-targeting.
- Data subject access rights are restricted under Section 60 of the DPA in certain circumstances, to the extent that:
  - “the restrictions are necessary and proportionate—
    - to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State,
    - for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties,
    - for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration,
    - in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure,
    - for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim, or
    - for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim,
  - the personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information, or
  - the personal data concerned are kept—
    - by the Commission for the performance of its functions,
    - by the Information Commissioner for the performance of his or her functions, or
    - by the Comptroller and Auditor General for the performance of his or her functions.”
- Other restrictions include situations where the data is processed for scientific or historical research or statistical purposes, where legal advice is being sought or given, or for academic, artistic, or literary expression purposes.
As regards penalties, the DPA mandates that public bodies or authorities are liable to pay a maximum fine of €1 million for non-compliance with GDPR, while companies may get a fine of up to €20 million, or 4% of their annual global turnover for the previous year, whichever is higher.
Organic Law 3/2018 is Spain’s data privacy law. It is modeled after the GDPR, which it largely resembles, with the exception of the parts listed below:
- Personal information: heirs and other persons associated with a deceased person may access, rectify and erase the deceased’s personal data, unless the deceased has prohibited this by will.
- Special categories of data: According to Article 9, “the mere consent of the affected party will not suffice to lift the ban on data processing whose main purpose is to identify their ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin” unless there is an exception “covered by a rule with the force of law, which may establish additional requirements regarding to your security and confidentiality.”
- Consent for more than one purpose of data processing: if you want to process personal data for several purposes, each and every purpose must be stated in the consent form that the data subject signs.
- Cookies must be explained transparently: how they operate, their storage period, and the ways to object and to revoke consent.
- This information must be easily accessible and can be made available through a CMS (Consent Management System).
- Consent must be verifiable, and the means to revoke consent or object must be easily accessible at all times.
- For minors under the age of 14, consent must be obtained from a parent or legal guardian and, depending on the potential risks of the cookie, your organization must make reasonable efforts to verify the identity of the person giving consent.
- The AEPD considers it a best practice to renew consent every 24 months.
- Automated decision-making: the use of automated decision-making is permitted subject to certain limitations.
- Exceptions to the ‘Right to be Informed’: under Article 11, information can be provided in layers, with the minimum initial content depending on whether the data was obtained directly from the data subject or indirectly. Once the basic information has been provided, the rest must follow immediately or be made easily accessible to the data subject.
- Exceptions to the ‘Right to Delete’: in addition to the exceptions listed in the GDPR, Spanish law specifies that if a deletion request stems from the right not to be subject to automated decision-making, the data may still be kept where it is used to prevent future processing for direct marketing purposes.
- General exception to data subject access rights: Data subject access rights may be denied if the data is collected and processed subject to national laws on statistical secrecy.
- Additional data privacy rights for employees: There are several extra rights granted to employees under this law:
- Employees have a right to privacy when using digital devices provided by the employer: the devices may still be monitored, but usage policies must be drawn up in consultation with employee representatives and must safeguard employees’ privacy.
- Article 88 gives employees a right to disconnect outside working hours, respecting their leave as well as their personal and family privacy. The arrangements are set out in an internal policy agreed between the employer and the employees’ representatives.
- Video surveillance and sound recording in the workplace may be used if employees are informed of it; installing such devices in recreation areas is forbidden, and audio recording is permitted if it is an appropriate means of safeguarding people or property.
- Geolocation tracking in the workplace is only permitted if it is done subject to Spanish employment law and if employees are informed of the use of such devices.
- Last but not least, collective bargaining agreements may provide additional guarantees of the rights and freedoms of employees whose personal data is processed in the workplace.
- Data Protection Officer:
- Article 34 lists several categories of organizations that are obliged to appoint a DPO, including, among others, vocational schools, public and private universities and credit institutions. The appointment or removal of a DPO must be notified to the regulatory authority, the AEPD, within 10 days.
- If you have appointed a DPO, you must inform them of any modification you make to your records of processing, and public entities listed in Article 77 of the law must make their records of processing publicly available by electronic means.
- Video recordings: while the law does not make use of the first part of Article 32 of the GDPR, Article 22 of Spain’s data protection law sets several requirements for CCTV recording. CCTV may be used in public spaces where it is needed for the security of individuals and property; the maximum storage period is 1 month, and where a violation of the law is recorded, the footage must be handed over to the competent authorities within 72 hours.
As regards penalties, Articles 71 through 74 classify violations as very serious, serious or minor, with statutes of limitation of three years, two years and one year respectively. Very serious violations refer to processing data in breach of Article 5 of the GDPR, which sets out the principles of lawfulness, fairness and transparency. Examples of serious infringements include processing the personal data of minors without the consent of the minor or of their guardian, or failure to cooperate with the authorities, among others.
Last but not least, minor violations include things such as failing to publish the contact details of your DPO or to communicate them to the AEPD.
These violations are then penalized with amounts based on a series of criteria in addition to those of the GDPR, such as whether the violation produced a benefit, whether it was ongoing, or whether it occurred before a takeover, in which case it cannot be attributed to the absorbing entity. Article 76 introduces these and other criteria and mandates that if the fined organization is a legal entity, the regulatory authority is the AEPD, and the administrative fine exceeds €1,000,000, its identity will be published in the Official State Gazette.
France’s data protection law, the French Act No. 2018-493 of 20 June 2018, is the GDPR implementation in the country, regulated by the data protection authority CNIL. In addition to the text of the law, there are various guidelines available on the official website of the French regulatory authority, as well as various GDPR compliance tools.
There are only a few differences between the GDPR and France’s law, outlined below:
- Article 3, which defines the territorial scope, states that the law applies to any data controller or processor established on French territory, regardless of whether the processing takes place in France. If the data subject resides in France, the law applies whether or not the controller is established in France.
- Article 45 establishes the legal age of consent at 15 years of age for children.
- Article 48 states that data subjects can give instructions about the storage and deletion of their personal data after their death.
- Article 62: a DPIA (Data Protection Impact Assessment) is required prior to the processing of personal data under the conditions set out in Article 35 of the GDPR. Additionally, the CNIL has published a DPIA Whitelist and a DPIA Blacklist, listing the processing activities for which a DPIA is not required and those for which it is required.
- Article 57: although appointing a Data Protection Officer is only mandatory under the same conditions as in the GDPR, French law encourages all organizations to appoint a DPO. What is more, the DPO has to be declared to the CNIL online by filling out a form.
Data subject access rights:
- Article 48 states that, on top of being informed about how their data is collected and processed, individuals must also be informed of their right to determine what happens to their data after their death. Where data is collected and processed for public security purposes, the data subjects’ right to access and to obtain information on how their personal data is processed is limited and can be refused.
- Article 52 states that access and rectification requests have to be addressed directly to the CNIL where the processing is carried out by public administrations performing a public service that either monitor or recover taxes.
- Article 82: cookie consent is required from users and must be explicit and obtained before the user navigates the website. The CNIL has published Cookies Guidelines to help organizations comply with Article 82 of the law.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.