Data Privacy and Cybersecurity

Chapter 17: Issues subject to national law – Unlocking the EU General Data Protection Regulation


Why does this topic matter to organisations?

Although a key aim of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR leaves it to Member States to adopt their own national rules (e.g., because Member States have constitutional rules in these areas, or because these issues fall outside the EU’s legislative competence). Consequently, although the GDPR implements a more consistent set of data protection compliance requirements across the EU, there are still areas in which organisations will face inconsistent regulatory requirements from one Member State to the next.

What types of organisations are most affected?

All organisations that operate in more than one Member State will be affected by the lack of harmonisation in these areas, and should be mindful of possible differences in national legislation from one Member State to the next.

What should organisations do to comply?

Organisations operating in more than one Member State should:

  • consider which Member States’ laws may apply to the organisation’s operations (see Chapter 4); and
  • ensure that the organisation is familiar with its obligations under the applicable national laws that fall outside the scope of the GDPR.

   

Icons to convey information quickly

The following icons are used in the table to clarify the impact of each change:

  • Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).
  • Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).
  • The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).
  • The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).
  • The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduces a new obligation on organisations).
  • The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations depends on secondary guidance that has not yet been written).

   

For each issue, the table below sets out the position under the Directive, the position under the GDPR, and the likely impact on organisations.

Out-of-scope areas of law

The EU does not have the power to legislate on all areas of law. To the extent that EU law does not apply in a particular area, that area is exempt from the provisions of EU data protection law.

The Directive (Rec.13; Art.3(2)): Any data processing activities that fell outside the scope of EU law were not subject to the Directive.

The GDPR (Rec.16; Art.2(2)(a)): Any data processing activities that fall outside the scope of EU law are not subject to the GDPR.

Impact: The GDPR essentially repeats the position as it was set out in the Directive.

Processing of personal data and freedom of expression and information

Member States remain responsible for determining the limits of free expression under their respective national laws. This may mean that personal data can be processed for the purposes of free expression in some Member States but not in others.

The Directive (Art.9): Member States had to provide exemptions or derogations from the Directive for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression, but only where necessary to reconcile the right to privacy with the rules governing freedom of expression.

The GDPR (Rec.4, 65, 153; Art.17(3), 85): Member States must, by law, reconcile the right to the protection of personal data under the GDPR with the right to freedom of expression and information, including the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression, and must notify the Commission of the laws they adopt for this purpose.

Impact: The GDPR essentially preserves the position as it stood under the Directive. In both cases, Member States remain responsible for determining the balance between the right to privacy and the right to freedom of expression.

Personal data contained in official documents

Member States are responsible for striking a balance between the right to privacy and the need to process personal data where such processing is in the public interest.

The Directive (Rec.45; Art.7(e)): The Directive permitted processing that was necessary for the performance of a task carried out in the public interest or in the exercise of official authority, but it did not expressly deal with personal data contained in official documents.

The GDPR (Art.86): Personal data in official documents held by a public authority or public body (or by a private body performing a task carried out in the public interest) may be disclosed in accordance with EU or Member State law, in order to reconcile public access to official documents with the right to the protection of personal data.

Impact: This provision is limited in scope, and is unlikely to materially affect organisations that do not regularly process personal data contained in official documents.

Processing national ID numbers

Member States are free to set their own rules regarding the processing of national ID numbers.

The Directive (Art.8(7)): Member States were free to determine the conditions under which national ID numbers (or any other identifier of general application) could be processed.

The GDPR (Art.87): Member States may further determine the specific conditions under which national ID numbers (or any other identifier of general application) may be processed, subject to appropriate safeguards for the rights and freedoms of data subjects under the GDPR.

Impact: The GDPR essentially repeats the relevant provision of the Directive, adding only an express obligation to implement appropriate safeguards for the rights and freedoms of data subjects.

Processing in the employment context

In most respects, the employment laws of Member States are outside the legislative competence of the EU. EU data protection law therefore recognises that each Member State must find its own balance between the right to privacy and the requirements of national employment law.

The Directive (Art.8(2)(b)): Processing of sensitive personal data was permitted where it was necessary for the purposes of carrying out the obligations and specific rights of the controller under national employment law, subject to adequate safeguards.

The GDPR (Rec.52, 127, 155; Art.9(2)(b), 88): Member States may, by law or by collective agreements, provide more specific rules to ensure the protection of employees' personal data in the employment context. Such rules must include suitable and specific measures to safeguard the data subject's dignity, legitimate interests and fundamental rights. Member States must notify the Commission of any such rules.

Impact: As under the Directive, the GDPR leaves room for Member States to legislate on the relationship between the GDPR and national employment law. Organisations will need to exercise additional caution in Member States that apply additional protections to the privacy rights of employees.

Processing personal data for scientific, historical or statistical purposes

EU data protection law recognises that there are certain purposes for which personal data may be processed in the public interest, outside the GDPR's standard requirements.

The Directive (Rec.29, 40; Art.6(1)(a), (e), 11(2), 13(2)): Subject to adequate safeguards, and where there was clearly no risk of breaching the privacy of the data subject, Member States could restrict the data subject's right of access where personal data were processed solely for the purposes of scientific research, or were kept in personal form only for as long as necessary to create statistics.

The GDPR (Rec.156; Art.89(1), (2)): Subject to appropriate safeguards (which may include pseudonymisation), Member States may provide for derogations from the rights of access, rectification, restriction of processing and to object where personal data are processed for scientific or historical research purposes or statistical purposes, in so far as those rights would be likely to render impossible or seriously impair the achievement of those purposes, and the derogations are necessary for their fulfilment.

Impact: The provisions of the GDPR are essentially similar to those of the Directive. However, it remains to be seen whether Member States will amend any safeguards that they have already put in place under the Directive.

Obligations of professional secrecy

Some Member States impose specific obligations of professional secrecy on organisations in certain sectors (e.g., law firms or banks).

The Directive (N/A): The Directive discussed professional secrecy in the context of health data (see Rec.33 and Art.8(3)), but did not grant Member States specific powers in respect of professional secrecy obligations.

The GDPR (Rec.50, 53, 75, 85, 164; Art.9(2)(i), (3), 14(5)(d), 54(2), 90): Member States may adopt specific rules setting out the powers of DPAs (in particular, their powers to obtain access to personal data and to premises) in relation to controllers or processors that are subject to obligations of professional secrecy, where this is necessary and proportionate to reconcile the right to the protection of personal data with those obligations. Member States that adopt such rules must notify the Commission.

Impact: In those jurisdictions that have professional secrecy laws, the relationship between those laws and the Directive has always been governed by national law. The GDPR does not change this approach.

Processing personal data in the context of churches and religious establishments

In a number of Member States, membership of a church or other religious establishment can have legal consequences for individuals (e.g., in some Member States, it affects the taxes payable by those individuals).

The Directive (Rec.35; Art.8(2)(d)): Processing of sensitive personal data was permitted when carried out in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union purpose, on condition that the processing related solely to:

  • the members of the body; or
  • persons who had regular contact with it in connection with its purposes,

and that the data were not disclosed to third parties without the consent of the data subjects.

The GDPR (Rec.55, 165; Art.91): Where, in a Member State, churches and religious associations or communities apply comprehensive data protection rules at the time the GDPR enters into force, those rules may continue to apply, provided that they are brought into line with the GDPR. Churches and religious associations that apply such rules are subject to the supervision of an independent supervisory authority, which may be a specific one, provided that it meets the conditions laid down in Chapter VI of the GDPR.

Impact: The amended wording of these provisions is unlikely to be of practical significance for the vast majority of organisations.

Commentary: The GDPR does not bring complete harmonisation

Despite the fact that a key aim of the GDPR is to harmonise EU data protection law across all Member States (see, in particular, Chapter 15), the GDPR leaves scope for divergences between Member States in a number of areas. This is, to an extent, the inevitable consequence of the existing limits on the EU's power to legislate over the internal affairs of Member States. Organisations are advised to keep abreast of guidance on these topics that is likely to be produced by the EDPB and affected DPAs.

Commentary: Relationship between EU data protection law and freedom of expression

The balance between data protection and freedom of expression is a fine one. If the balance is too far in favour of the former, it is all too easy to imagine scenarios in which public figures use data protection law to suppress negative stories about themselves. If the balance is too far in favour of the latter, it is foreseeable that journalists might run roughshod over the rights of individuals, in the interests of publishing a story. The GDPR (as the Directive did before it) leaves it to each Member State to determine the right balance in the national context. Organisations that are involved in the media should carefully consider the fact that the rules in this area will differ from one Member State to the next. Note that in December 2009, with the entry into force of the Lisbon Treaty, the CFR became legally binding. As a result, case law of the CJEU on these matters will play a significant role in determining this balance.

Commentary: Relationship between EU data protection law and national employment law

The GDPR (as the Directive did before it) addresses the fact that employment law varies from one Member State to the next, and that the rules regarding the relationship between EU data protection law and employment law need to be determined at the national level by each Member State. In practice, this means that many organisations will find that they face different requirements, with respect to the processing of personal data of employees, from one Member State to the next.

   

   

 

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP

 
