From 25 May 2018, the EU General Data Protection Regulation (GDPR) – which is directly applicable in all member states without national transposition – will apply, harmonizing the data protection regime to a major extent. However, several of the GDPR's opening clauses delegate responsibility for further regulation to national legislators. International companies will thus still have to consider local laws when preparing for GDPR compliance.
The significant administrative fines are often cited as the most striking change in the data protection regime introduced by the GDPR. Indeed, administrative fines of up to EUR 20 million or, in the case of undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) will raise privacy infringements to the level of competition law infringements in enterprise risk mappings. From a compliance perspective the GDPR particularly stresses the principles of accountability and transparency, requiring organizations to adopt comprehensive governance measures such as data protection impact assessments (DPIAs) for high-risk processing and to adhere to "data protection by design" and "data protection by default" (commonly referred to as "privacy by design" and "privacy by default"). The GDPR also introduces a data breach notification duty for all industry sectors, and data subjects are given additional rights, including the "right to be forgotten" (erasure) and the right to data portability.
Ultimately, the GDPR aims to ensure a high level of data protection and to reduce the risk of data breaches. In practice, it is likely to mean more policies and procedures for enterprises, due in part to the approximately 70 opening clauses that give member states discretion to introduce additional national legislation on top of it. The following opening clauses will be of particular importance to compliance organizations:
- Under the GDPR, it will be mandatory to appoint a data protection officer (DPO) for enterprises whose "core activities" consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data. In addition, member states may mandate the appointment of a DPO in further cases. Therefore, international groups of companies may face different DPO requirements throughout the CEE region.
- The GDPR includes a general prohibition on the processing of personal data relating to criminal convictions and offences, unless carried out under the control of official authority or authorized by European Union or member state law. Since the processing of personal data in the context of "whistleblowing hotlines" will typically involve such "criminal data," the legal framework for whistleblowing will largely depend on national laws.
- The GDPR provides legal standing for non-profit organizations exercising certain legal remedies on behalf of data subjects. The member states may also confer such rights independently of the data subject’s mandate, which theoretically may even allow for “class action” concepts in the context of privacy infringements.
- The member states may provide for penalties for infringements of the GDPR beyond the already significant administrative fines set out in the GDPR itself. Therefore, enterprises may have to deal with another layer of sanctions at the local law level.
- Finally, the member states may lay down more specific rules to ensure data protection in the employment context. Therefore, national (labor) laws will still be decisive for data processing in relation to recruitment, the performance of employment contracts, and HR management in general.
Austria, the Czech Republic, Hungary, Slovakia, and Slovenia have not yet enacted national data protection rules to accompany the GDPR. In Austria, a draft act prepared by the competent state secretary is being reviewed by the coalition partner and is expected to be published before summer. While the details are still confidential, an imminent decision of the Austrian Constitutional Court may be significant in this respect: the Constitutional Court is currently scrutinizing the competence of the Financial Market Authority to impose administrative fines of up to 10% of annual turnover on legal entities. A ruling that the relevant provision is unconstitutional may affect the Data Protection Authority's ability to impose sanctions under the GDPR. In that case, severe fines would need either to be imposed by courts or at least made subject to judicial review.
This only gives a first impression of possible national regulations supplementing the GDPR in CEE. For the time being, it can be stated that excessive use of the opening clauses by national legislators will hinder harmonization and create additional administrative burdens instead. Given the significant fines and the challenging requirements set by the GDPR, enterprises are well advised to start preparing for GDPR compliance as soon as possible. In doing so, international companies will still have to consider the peculiarities of local laws, once enacted.