Privacy

Regulator
Austria The Data Protection Authority - 'DPA' (Datenschutzbehörde - DSB).
Brazil ANPD (Autoridade Nacional de Proteção de Dados), with the consultive assistance of the CNPD (Conselho Nacional de Proteção de Dados Pessoais e da Privacidade).
China Various, including the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the State Administration for Market Regulation (SAMR), the China Banking and Insurance Regulatory Commission (CBIRC).
Czech Republic Office for Personal Data Protection (Úřad pro ochranu osobních údajů).
England & Wales The UK Information Commissioner’s Office (ICO).
France The Commission Nationale de l’Informatique et des Libertés (CNIL).
Germany There are 16 regulators for the private sector in Germany (one for each German Federal State), each competent for the companies located in its Federal State. The regulators meet to form joint decisions; in practice, however, deviating guidance or practices may apply.
Hong Kong Office of the Privacy Commissioner for Personal Data.
Hungary Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Ireland The Irish Data Protection Commission (DPC).
Italy Garante per la protezione dei dati personali (“Garante”).
Netherlands Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, when it comes to the use of cookies (and other means of access to end-users’ terminal equipment), the Dutch Authority for Consumers and Markets (Autoriteit Consument en Markt) as well.
Poland President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
Portugal The Portuguese data protection authority, “Comissão Nacional de Proteção de Dados” (CNPD).
Singapore Personal Data Protection Commission.
Slovakia Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic).
Spain The Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD).
United Arab Emirates The UAE government has passed the UAE Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data (the “DP Law”) which came into force on 2 January 2022 and is closely aligned with the concepts of the GDPR in Europe. The DP Law applies throughout the UAE, save for the Dubai International Financial Centre and Abu Dhabi Global Market freezones, which have their own separate data protection legislation.
The DP Law refers to certain ‘executive regulations’ which will form part of the DP Law. Although these executive regulations were expected to be published within 6 months of the DP Law becoming effective, at the time of writing they have not been published. Therefore, the DP Law is not currently being actively enforced.
Under the DP Law, cross-border processing of personal data outside the UAE is only permitted: (i) to a country with legislation offering equivalent protection of the data subject’s personal data; or (ii) to countries not offering appropriate protection of personal data if at least one of the conditions in Article 23.1 of the DP Law is met.

In conjunction with the DP Law, the UAE government passed the UAE Federal Decree-Law No. 44 of 2021 on the Creation of the UAE Data Office. The UAE Data Office will act as the data protection regulatory authority, operationalising the DP Law’s requirements.

Until the UAE Data Office is fully set up and operational, individuals will have to continue to turn to the police or the Consumer Protection Units at the DED for complaints about privacy breaches.
Notification requirements
Austria Since the GDPR became applicable, there is no general requirement to notify planned or ongoing processing of personal data to the DPA. In addition to the GDPR, the Austrian Data Protection Act (Datenschutzgesetz – DSG), which implements the GDPR in Austria, also covers this area. The controller must, however, inform the data subjects about the processing.

Nevertheless, specific situations can occur where notification to, consultation with, or authorization from the DPA is required. For instance, GDPR has introduced a notification requirement in case of a personal data breach. Such breaches must be notified to the DPA within 72 hours (in case this timeframe is not met, such delay must be documented and justified), and, depending on the severity of the breach, also notified to the data subjects whose data have been affected by the breach.
Brazil The LGPD stresses the need for an open channel for the Data Subject, and any request must be replied to within 15 (fifteen) days.

In addition, in case of Data Incident or any substantial breach, the LGPD establishes that a communication must be made within a reasonable period, as defined by the ANPD. Currently, the ANPD recommends a period of 2 (two) business days for the communication, but this deadline might be modified.
China Yes. A company shall, when collecting personal information, present its privacy policy disclosing the purpose, means and scope of collection and use of personal information, and it shall secure prior consent from the data subject. In case of a data breach, a company is subject to a general obligation to notify the data subject and competent regulators.
Czech Republic In the Czech Republic, this area is governed by the GDPR. Moreover, the Czech Adaptation Law, effective since April 2019, specifies the general rules in more detail and lays down several differences from the general regime under the GDPR. For example, controllers are relieved from certain obligations (including informing the data subjects) in the case of data processing for journalistic purposes, and the age limit for a child's consent in relation to information society services has been set at 15 years. Further, this adaptation legislation limits or precludes fines against public institutions.

There is no general requirement to notify planned or ongoing data processing to the Office for Personal Data Protection. The controller must, however, inform the data subjects about the processing.

Nevertheless, specific situations can occur where notification to, consultation with, or authorisation from the Office is required.

On the other hand, GDPR has introduced a notification requirement in case of a personal data breach (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons). Such breaches must be notified to the Office for Personal Data Protection within 72 hours (in case this timeframe is not met, such delay has to be justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
England & Wales The GDPR did away with the annual notification requirement; however, the UK government introduced a new annual data protection fee, which ranges from £40 to £2,900 depending on the size of the organisation in question. The ICO has set up a self-assessment tool to help organisations work out whether, and how much, they need to pay. The ICO actively enforces non-payment, which can lead to fines.

There are additional notification requirements in relation to data breaches under the GDPR and the NIS Regulations.
France With the entry into force of the GDPR, notification of processing activities to the CNIL is no longer required: notification formalities have been replaced by an “accountability” principle. In some specific cases however (eg for some processing activities in the health sector), it is still necessary to obtain a prior authorisation from the CNIL.

On the other hand, GDPR has introduced a notification requirement in case of breach of personal data. Such breaches must be notified to the CNIL within 72 hours and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.

Germany With the entry into force of the EU GDPR, notification of processing activities to the respective competent regulator is no longer required; notification formalities have been replaced by an accountability principle.

On the other hand, the GDPR has introduced a notification requirement in case of a breach of personal data. Such breaches must be notified to the respective competent regulator without undue delay and, where feasible, not later than 72 hours after the breach occurred and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach without undue delay.

Furthermore, in specific situations, there is an obligation to appoint a Data Protection Officer and to notify the respective competent regulator thereof.
Hong Kong No requirement to register with or notify any authorities of data processing.
Hungary With the entry into force of the GDPR regulation the Data Protection Directive 95/46/EC has been replaced. Under the new regulation the notification of processing activities to the data protection authority is no longer an obligation.

However, the GDPR has introduced a notification requirement as a replacement in the case of a breach of personal data. In case of a breach, the authority must be notified within 72 hours. Depending on the severity of the breach, the data subjects (natural persons) whose data have been affected by the breach shall be notified as well (eg where bank account numbers or passwords have been made public).
Ireland The EU General Data Protection Regulation 2016/679 (GDPR) together with the Data Protection Acts 1988–2018 comprise the legal framework governing data protection and privacy. These measures require personal data breaches to be notified to the DPC. Where an organisation has appointed a Data Protection Officer under the GDPR, this appointment should also be notified to the DPC.

The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 introduced notification requirements to the National Cyber Security Centre, which relate to operators of essential services and digital service providers, which can also apply to data breaches.
Italy Following the entry into force of the GDPR, the Italian Data Protection Code (Legislative Decree No. 196/2003) does not provide for notification formalities applicable to certain processing activities. Indeed, notification formalities were provided under the former legislation, but were repealed by Legislative Decree No. 101/2018, which adapted the Italian Data Protection Code to the GDPR.

The GDPR however introduced the obligation to notify data breaches to the competent supervisory authority within 72 hours from the discovery of the personal data breach, unless it is unlikely that the data breach will result in a risk to the rights and freedoms of the data subjects. The notification to the Garante must be made by means of the online service available on the Garante’s website, which also provides several tools to support data controllers in their obligations in the event of a data breach (e.g. a self-assessment procedure to identify the actions to be taken).

Additionally, the Italian Data Protection Code provides that the authorization of the Garante must be obtained in some specific cases (such as, secondary processing of particular categories of personal data for purposes of scientific research or statistic purposes).
Netherlands There are no general notification requirements for data processing activities. However, each controller must maintain a record of processing activities, which must be provided to the data protection authority on request.

Notification requirements are in place for data breaches and for the appointment of a Data Protection Officer. Notifications can be made electronically via forms made available by the Dutch Data Protection Authority on its website and are free of charge.
Poland In principle, all limited liability companies, simple joint stock companies and joint stock companies are data controllers.

All data controllers must ensure full compliance with GDPR requirements. This includes among others having all the required documentation in place at the disposal of the Personal Data Protection Office in case of an inspection, to demonstrate compliance (eg record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, etc) and procedures.

In specific situations, there is an obligation to appoint a Data Protection Officer.
There are no notification requirements for data processing activities. Notification requirements are in place for data breaches and for the appointment of a Data Protection Officer.

In case of a breach of duties relating to personal data protection, the personal data administrators should notify the President of the Personal Data Protection Office of such breach – the relevant notification may be made via an internet platform using the provided electronic notification form. The notification should follow within 72 hours of the breach occurring.
Portugal The GDPR establishes that fines may be imposed of up to € 10,000,000.00 or up to € 20,000,000.00 (depending on the subject matter of the administrative infraction) or up to 2% or 4% of its annual worldwide turnover corresponding to the previous financial year, whichever is higher.

The Portuguese Parliament, through Law nº. 58/2019 of 8 August, which ensures the implementation of the GDPR in the Portuguese legal system, establishes a graduation of administrative offences and, consequently, of fines.
Thus, there are very serious administrative offences, which may lead to the application of fines amounting to:
• Large companies: from € 5,000.00 to € 20,000,000.00 or 4% of the annual worldwide turnover, whichever is higher;
• SMEs: from € 2,000.00 to € 2,000,000.00 or 4% of the annual worldwide turnover, whichever is higher; and
• Natural persons: from € 1,000.00 to € 500,000.00.
Serious administrative offences may lead to the application of fines amounting to:
• Large companies: from € 2,500.00 to € 10,000,000.00 or 2% of the annual worldwide turnover, whichever is higher;
• SMEs: from € 1,000.00 to € 1,000,000.00 or 2% of the annual worldwide turnover, whichever is higher; and
• Natural persons: from € 500.00 to € 250,000.00.
Singapore The personal data protection regime in Singapore follows a light touch approach. The Personal Data Protection Act does not prescribe how organisations should inform individuals of the purposes of collection, use or disclosure of their personal data, or what must be included as part of the notification.
Slovakia Following the adoption and effectiveness of GDPR, there is no general requirement to notify planned or ongoing data processing to the Office for Personal Data Protection. The controller, however, must inform the data subjects about processing.

Still, there may arise situations where notification to, consultation with, or authorisation from the Office is required.

On the other hand, GDPR has introduced a notification requirement in case of a personal data breach. Such breaches must be notified to the Office for Personal Data Protection within 72 hours (in case this timeframe is not met, such delay has to be justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
Spain Since GDPR it is not necessary to notify the files to the AEPD. However, it is necessary to notify security breaches affecting personal data as soon as possible and, in any case, within 72 hours of knowledge.

Likewise, it would be necessary to notify any variation in the binding corporate rules previously approved by the AEPD, if applicable.
United Arab Emirates Generally speaking, this is not applicable in the UAE, but there are a few exceptions.
Other considerations
Austria Data controllers must ensure full compliance with GDPR requirements. This includes having all the required documentation in place at the disposal of the DPA in case of an inspection, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy…) and procedures (PIAs, privacy by design and by default, data subjects’ rights, IT security…).

It must also be noted that the DPA generally follows the recommendations of the former Working Party 29 (now the ‘European Data Protection Board’), which takes a strict approach on the interpretation of GDPR requirements.

Based on the case law of the Court of Justice of the European Union on Schrems II, a data transfer to the U.S. (as a third country) was qualified as unlawful because there was no adequate level of protection for the personal data transferred. The Austrian data protection authority took a relatively strict position, arguing that the measures implemented in addition to the standard contractual clauses were not effective because the U.S. intelligence services still had monitoring and access possibilities.

Finally, there remain areas where Austrian law has specific requirements or diverging regulations, in addition to GDPR requirements. This is notably the case with the principle of ‘warning instead of punishment’, in the event of first-time and usually less serious data protection breaches or violations.
Brazil Brazil has a strong Data Privacy regulation, the LGPD (Law 13.709/2018), which is very similar to the GDPR. A Data Privacy Compliance program in Brazil, adequate to the LGPD requirements, is nonetheless imperative. In addition, a foreign company must have an appointed DPO. The DPO can be an employee with substantial knowledge, an external (natural or legal) person, or an external law firm. Privacy regulations have been in the spotlight over the last months, as administrative sanctions are about to be applied. There is also the possibility for Procon, the Ministério Público and the Judiciary to apply additional sanctions. Sanctions can be a warning, indicating the deadline for the adoption of corrective measures; a fine of up to 2% (two percent) of the revenues of the legal entity's group or conglomerate in Brazil, limited to R$ 50,000,000.00 (fifty million reais) per infringement; a daily fine; publication of the infraction; or a range of prohibitions on the use of the internal database until regularisation or for up to 1 (one) year.

Data Subjects must also be indemnified over breaches involving their own data.
China With China's fast development of its cyber security and data protection regime, privacy topics are gaining more importance. Offline and online content censorship adds further complexity. Compliance efforts are strongly recommended, which may include e.g. organisational set-up (such as a CISO and DPO) with clear functional guidance, internal procedures and protocols (such as privacy policies, data classification, IT guidance and use of a company VPN), and legal tools to manage the data export topic (which is of particular sensitivity for international companies).
Czech Republic Moreover, the Czech Labour Code sets out specific provisions regarding the monitoring of employees. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, and checking of their electronic mail or of postal consignments addressed to a certain employee may be performed only if there is a serious cause arising from the nature of the employer's activity. The employer shall directly inform the employees of the scope and methods of such monitoring.

Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. Personal data may also be exported from the EU (not the EEA) to the US where the importer has certified under the EU-US Privacy Shield.

As regards privacy in the electronic communications sector, due to a specific implementation of Directive 2002/58/EC of the European Parliament and of the Council, when a website controller wishes to use cookies it can do so based on opt-out principle rather than opt-in prescribed by the Directive.
England & Wales Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules. Personal data may also be exported from the EEA to the USA where the importer has certified under the EU-US Privacy Shield.

The UK's data protection law stems from the EU's General Data Protection Regulation, and its own Data Protection Act 2018. The UK has made provision for a new UK GDPR to be created at the end of the transition period following the UK's exit from the EU. This mirrors the GDPR but removes EU-specific references including to regulator cooperation and the European Data Protection Board. The UK has also made transitional provision for data flows to continue uninterrupted to the EEA, countries currently benefitting from an EU Adequacy Decision, Gibraltar and to the US under the Privacy Shield. Data flows to the UK from the EEA may be disrupted on exit unless a suitable GDPR data transfer mechanism applies, or a separate agreement is reached on the question of data transfers between the EU and the UK. Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in the UK and/or the EU.
France Data controllers must ensure full compliance with GDPR requirements and other applicable privacy regulations (notably e-privacy). This includes having all the required documentation in place at the disposal of the CNIL in case of control, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy, etc) and procedures (PIAs, privacy by design and by default, data subjects' rights, data breaches, etc).

It must also be noted that the CNIL generally follows the recommendations of the European Data Protection Board, which takes a strict approach on the interpretation of GDPR requirements.

In addition, there remain areas where French law has specific requirements, in addition to EU requirements. This is notably the case for the processing of employee data, sensitive data (including health data), as well as data relating to criminal offences and convictions. French law also has a specific regime applicable to the hosting of health data collected in the course of prevention, diagnosis or care activities, which is subject to a prior mandatory certification process.

In 2020, the CNIL adopted new specific and strict guidelines applicable to the use of tracking technologies (e.g. cookies, SDKs, etc.) and in 2021 also adopted new specific guidelines regarding the protection of minors online. Finally, in May 2022 the CNIL published the first criteria for assessing the legality of the use of cookie walls on a website.
Germany In general, all data controllers must ensure full compliance with GDPR requirements. This includes among others having all the required documentation in place at the disposal of the respective competent regulator in case of an inspection, to demonstrate compliance (eg record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, etc) and procedures (PIAs, privacy by design and by default, data subjects rights, data breaches, etc).

Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Standard Contractual Clauses or Binding Corporate Rules.

With regard to any data transfer to the USA the CJEU has declared the EU-US Privacy Shield as invalid so a certification of the data importer under the EU-US Privacy Shield is not sufficient anymore (Schrems II). However, a new adequacy decision is currently being prepared and is expected to be available in March 2023. The basis for this is the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities recently adopted by the U.S. President.

Finally, there remain areas where German law will have specific requirements, in addition to GDPR requirements. This is notably the case eg for the processing of employee data and sensitive data (including health data).
Hong Kong Collection of personal data for direct marketing:

- There are requirements for notification of, and consent from, data subjects to enhance protection of consumers' data privacy rights against unwanted direct marketing activities, eg the data subject is entitled to exercise his/her opt-out right and data users must comply with the request.

Data export restriction (not yet in force):

- Export of personal data outside of the jurisdiction will be subject to conditions, eg the data subject's written consent, or whether the data user or the Commissioner has reasonable grounds to believe that the personal data will be transferred to a jurisdiction that provides a similar degree of protection as Hong Kong.
Hungary For data transfers within the EU, no additional measures are required, given the direct applicability of the GDPR in every EU member state. However, where a data controller engages a service provider acting as data processor, their relationship shall be governed by an agreement. This agreement or contract is subject to the minimum criteria laid down in the GDPR.

In the case of non-EU data transfers, the specific situations in which such transfers may be carried out are defined. It must be considered whether there is an EU adequacy decision; if there is no such decision, additional guarantees by means of contractual agreements will have to be provided.

In order to prevent the unlawful processing of personal data, the Authority may order, in the form of a provisional measure, that electronic data be rendered temporarily inaccessible where the publication of that data prompted the Authority to open administrative proceedings for data protection or a regulatory inspection.
Ireland Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most commercial situations it will not be a practical basis for transfer. In June 2021, the Commission published its decision on the new standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries, and the template SCCs themselves. The new SCCs addressed the CJEU’s decision in Schrems II by incorporating a number of terms designed to ensure an appropriate level of protection for personal data transferred to third countries from the EEA. The Commission confirmed that there would be an 18 month transition period, during which time companies can continue to transfer personal data to third countries using the existing SCCs. As of 27 September 2021, the previous SCCs can no longer be used for new contracts or new processing activities.

Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in Ireland and/or the EU.

The DPC actively enforces the rules around direct marketing and frequently prosecutes breaches.
Italy The main areas where the Italian Data Protection Code provides for specific requirements are the following: processing of employees' personal data, processing of genetic data, biometric data or data concerning health, the legal basis applicable to processing of personal data (including health and genetic data) for the purposes of scientific research in the medical, biomedical or epidemiological field; processing of personal data relating to criminal convictions and offences (for which a Decree of the Ministry of Justice is expected to be issued soon); rights concerning deceased people; cases where data controllers may refuse to comply with a request of exercise of rights from the data subject. Additionally, in 2021 the Italian Data Protection Code was amended to include a high-speed reporting system for revenge porn victims.

The Italian Data Protection Code also contains the provisions implementing the ePrivacy Directive (Directive 2002/58/EC), including the rules governing the placement of cookies and the processing of traffic and geolocation data.
Netherlands Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the personal data is being transferred is deemed by the European Commission to ensure an adequate level of protection for personal data. Under the GDPR, accessing personal data from outside the EEA is considered a data transfer as well.

Following the outcome of the Schrems II case (i.e. the invalidation of the adequacy decision regarding Privacy Shield) by the European Court of Justice, the Dutch DPA has been reluctant to indicate if and how it will investigate and enforce non-compliant data transfers to the US pending further guidance from the European Data Protection Board and/or new legislation. Pursuant to the guidelines from the European Data Protection Board, Dutch companies transferring personal data to the US are advised to perform risk assessments per data transfer and ensure that appropriate safeguards (e.g. the use of standard contractual clauses) are present. As of September 2021, parties need to apply the new EU model clauses (SCCs) when transferring personal data to a country without an adequate level of protection. These new SCCs offer more options and better protection for the data transfer.

Although the foregoing still applies at the moment, note that concrete steps are being taken between the European Commission and the United States regarding a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows, tackle the concerns that follow from the Schrems II case and replace the Privacy Shield. If such a "new" Privacy Shield is adopted (expected March 2023), SCCs will reportedly no longer be required for transfers of personal data to the United States. This does not apply to countries that do not have an adequacy decision or other mechanisms in place. Transfers of personal data to such countries will then still require the use of SCCs.

Specific data protection and privacy legislation (e.g. further notification requirements and industry-specific enforcement guidance) may apply to companies in specialized markets, such as healthcare, energy, fuel, water supply and internet access providers. Companies with user data that may be valuable to public authorities (e.g. for a criminal investigation), such as police and public prosecutors, should also ensure that they have appropriate policies ready to deal with such data requests.
Poland Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required.

These may be in the form of EC Model Clauses or Binding Corporate Rules.

As regards the data exports to the USA given the CJEU judgment in the Schrems II case certification of the data importer under the EU-US Privacy Shield is not sufficient any more.
Portugal Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data.

While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules.

Portuguese data protection law stems from the EU's General Data Protection Regulation and its own Data Protection Law.
Singapore Organisations will need to determine the most appropriate form of notification to meet their business needs.
Slovakia Along with the GDPR, Act No. 18/2018 Coll. on Personal Data Protection regulates data protection. The Act follows the GDPR and applies analogous rules also in situations falling outside the scope of the GDPR.

Moreover, the Slovakian Labour Code sets out specific provisions regarding the monitoring of employees. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, and checking of their electronic mail or of postal consignments addressed to a certain employee may be performed only if there is a serious cause arising from the nature of the employer's activity. The employer shall directly inform the employees of the scope and methods of such monitoring.

Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data.
Spain Personal data may be transferred outside the EU when the importing state has an adequate level of protection recognized by the European Commission or when adequate safeguards are provided, such as binding corporate rules or, more commonly, standard contractual clauses (approved by the European Commission in 2021).

It will also be necessary to carry out a transfer impact assessment to determine the risks involved, which, if considered high, will require additional safeguards, as was the case, for example, when transferring data to the United States, as established by the CJEU in its July 2020 ruling in case C-311/18 (better known as Schrems II).
United Arab Emirates Apart from a situation where there is a legal requirement to do so, the unauthorised use of personal data may qualify as a criminal offence under the UAE Penal Code and/or Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes.

Therefore, matters including but not limited to the processing of employees' information, the recording of any conversations, the use of video surveillance equipment and the recordings created, or even taking pictures during events and using them for any purpose should be handled carefully. Ideally, and where possible, the consent of the person concerned should be obtained prior to any form of processing of personal data. It is noteworthy that the DP Law, contrary to the GDPR, does not include a ‘legitimate interest’ of the data controller as a potential basis for permitted processing of personal data.