Chapter 17: Issues subject to national law – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice
EU General Data Protection Regulation (GDPR): EU's new data protection law


Overview

Why does this topic matter to organisations?

Although a key aim of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR leaves it to Member States to adopt their own national rules (e.g., because Member States have constitutional rules in these areas, or because these issues fall outside the EU's legislative competence). Consequently, although the GDPR implements a more consistent set of data protection compliance requirements across the EU, there are still areas in which organisations will face inconsistent regulatory requirements from one Member State to the next.

What types of organisations are most affected?

All organisations that operate in more than one Member State will be affected by the lack of harmonisation in these areas, and should be mindful of possible differences in national legislation from one Member State to the next.

What should organisations do to prepare?

Organisations operating in more than one Member State should:

  • consider which Member States' laws may apply to the organisation's operations (see Chapter 4); and
  • ensure that the organisation is familiar with its obligations under the applicable national laws that fall outside the scope of the GDPR.

 

Icons are used below to clarify the impact of each GDPR change.

   
   

Detailed analysis

Issue | The Directive | The GDPR | Impact

Issue: Out-of-scope areas of law

The EU does not have the power to legislate on all areas of law. To the extent that EU law does not apply in a particular area, that area is exempt from the provisions of EU data protection law.

The Directive (Rec.13; Art.3(2)): Any data processing activities that fall outside the scope of EU law are not subject to the Directive.

The GDPR (Rec.16; Art.2(2)(a)) [does not materially change]: Any data processing activities that fall outside the scope of EU law are not subject to the GDPR.

Impact [neutral]: The GDPR essentially repeats the position set out in the Directive.

Issue: Processing of personal data and freedom of expression and information

Member States remain responsible for determining the limits of free expression under their respective national laws. This may mean that data can be processed for the purposes of free expression in some Member States but not others.

The Directive (Art.9): Member States must provide for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

The GDPR (Rec.4, 65, 153; Art.17(3), 85) [does not materially change]: Member States must reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information, including the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression.

Impact [neutral]: The GDPR essentially preserves the position as it stands under the Directive. In both cases, Member States remain responsible for determining the balance between the right to privacy and the right to freedom of expression.

Issue: Personal data contained in official documents

Member States are responsible for striking a balance between the right to privacy and the need to process personal data where such processing is in the public interest.

The Directive (Rec.45; Art.7(e)): The Directive permits Member States to pass laws regarding the processing of personal data for public interest purposes carried out by official authorities, but it does not expressly deal with personal data contained in official documents.

The GDPR (Art.86) [does not materially change]: Personal data contained in official documents may be processed, in order to reconcile public access to official documents with the right to the protection of personal data.

Impact [neutral]: This provision is limited in its scope, and is unlikely to materially affect organisations that do not regularly process personal data contained in official documents.

Issue: Processing national ID numbers

Member States are free to set their own rules regarding the processing of national ID numbers.

The Directive (Art.8(7)): Member States are free to determine the conditions under which national ID numbers may be processed.

The GDPR (Art.87) [does not materially change]: Member States are free to determine the conditions under which national ID numbers may be processed, subject to appropriate safeguards for the rights and freedoms of data subjects pursuant to the GDPR.

Impact [neutral]: The GDPR essentially repeats the relevant provision from the Directive, only adding an obligation to implement appropriate safeguards for the rights and freedoms of data subjects.

Issue: Processing in the employment context

In most respects, the employment laws of Member States are outside the legislative competence of the EU. Therefore, EU data protection law recognises that each Member State must find its own balance between the right to privacy and the requirements of national employment law.

The Directive (Art.8(2)(b)): Processing is permitted where it is necessary for the purposes of giving effect to the rights or obligations of the controller under national employment law, subject to adequate safeguards.

The GDPR (Rec.52, 127, 155; Art.9(2)(b), 88) [materially changes]: Member States may create new laws or conclude collective agreements to ensure the protection of personal data in the context of national employment law. These must include appropriate safeguards. Member States must inform the Commission of any laws adopted in this area.

Impact [neutral]: Like the Directive, the GDPR leaves room for Member States to create laws governing the relationship between the GDPR and national employment law. Organisations will need to exercise additional caution in Member States that apply additional protections to the privacy rights of employees.

Issue: Processing personal data for scientific, historical or statistical purposes

EU data protection law recognises the fact that there are certain purposes for which personal data may be processed in the public interest, outside of the GDPR's standard requirements.

The Directive (Rec.29, 40; Art.6(1)(a), (e), 11(2), 13(2)): Subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject, Member States may restrict the data subject's right of access to their personal data when it comes to the processing of personal data for scientific, historical or statistical purposes.

The GDPR (Rec.156; Art.89(1), (2)) [does not materially change]: Subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject, Member States may restrict the data subject's rights to access, rectification, restriction of processing and to object when it comes to the processing of their personal data for scientific, historical or statistical purposes.

Impact [unknown at this stage]: The provisions of the GDPR are essentially similar to those of the Directive. However, it remains to be seen whether Member States will amend any safeguards which they have already put in place under the Directive.

Issue: Obligations of professional secrecy

Some Member States impose specific obligations of professional secrecy onto organisations in certain sectors (e.g., law firms or banks).

The Directive (N/A): The Directive discusses professional secrecy in the context of health data (see Rec.33 and Art.8(3)) but does not grant Member States specific powers in respect of professional secrecy obligations.

The GDPR (Rec.50, 53, 75, 85, 164; Art.9(2)(i), (3), 14(5)(d), 54(2), 90) [materially changes]: Member States may create their own rules in relation to controllers or processors that are subject to obligations of professional secrecy. Member States that adopt such rules must inform the Commission.

Impact [neutral]: In those jurisdictions that have professional secrecy laws, the relationship between those laws and the Directive has always been governed by national law. The GDPR does not change this approach.

Issue: Processing personal data in the context of churches and religious establishments

In a number of Member States, membership of a church or other religious establishment can have legal consequences for individuals (e.g., in some Member States, it affects the taxes payable by those individuals).

The Directive (Rec.35; Art.8(2)(d)): Processing is permitted when carried out in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union purpose, and on the condition that the processing relates solely to:

  • the members of the body; or
  • persons who have regular contact with it in connection with its purposes and that the data are not disclosed to third parties without the consent of the data subjects.

The GDPR (Rec.55, 165; Art.91) [materially changes]: Where, in a Member State, churches and religious associations or communities impose rules regarding the processing of personal data, such rules may continue to apply, provided that they are brought into line with the provisions of the GDPR. Churches and religious associations that impose such rules are subject to the oversight of the relevant DPA.

Impact [neutral]: The amended wording of these provisions is unlikely to be of practical significance for the vast majority of organisations.

 

Further analysis

Commentary: The GDPR does not bring complete harmonisation

Despite the fact that a key aim of the GDPR is to harmonise EU data protection law across all Member States (see, in particular, Chapter 15), the GDPR leaves scope for divergences between Member States in a number of areas. This is, to an extent, the inevitable consequence of the existing limits on the EU's power to legislate over the internal affairs of Member States. Organisations are advised to keep abreast of guidance on these topics that is likely to be produced by the EDPB and affected DPAs, as the GDPR is rolled out.

Commentary: Relationship between EU data protection law and freedom of expression

The balance between data protection and freedom of expression is a fine one. If the balance is too far in favour of the former, it is all too easy to imagine scenarios in which public figures use data protection law to suppress negative stories about themselves. If the balance is too far in favour of the latter, it is foreseeable that journalists might run roughshod over the rights of individuals, in the interests of publishing a story. The Directive and the GDPR both leave it to each Member State to determine the right balance in the national context. Organisations that are involved in the media should carefully consider the fact that the rules in this area will differ from one Member State to the next. Note that in December 2009, with the entry into force of the Lisbon Treaty, the CFR became legally binding. As a result, case law of the CJEU on these matters will play a significant role in determining this balance.

Commentary: Relationship between EU data protection law and national employment law

Both the Directive and the GDPR address the fact that employment law varies from one Member State to the next, and that the rules regarding the relationship between EU data protection law and employment law need to be determined at the national level by each Member State. In practice, this means that many organisations will find that they face different requirements, with respect to the processing of personal data of employees, from one Member State to the next.

 


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP