Austria
Data controllers must ensure full compliance with GDPR requirements. This includes having all the required documentation in place at the disposal of the DPA in case of control, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy…) and procedures (PIAs, privacy by design and by default, data subjects’ rights, IT security…).
It must also be noted that the DPA generally follows the recommendations of the former Working Party 29 (now the “European Data Protection Board”), which takes a strict approach on the interpretation of GDPR requirements.
Finally, there remain areas where Austrian law has specific requirements or diverging regulations, in addition to GDPR requirements. This is notably the case in the principle of “warning instead of punishment”, for the processing of personal data in the context of video surveillance, as well as the right of access of the data subject.
China
China’s fast developing cyber security regime is increasing the importance of privacy topics. Offline and online content censorship adds further complexities. Compliance efforts are strongly recommended which may include eg organisational set up (like a CISO) with clear functional guidance, internal procedures and protocols (like IT guidance and use of company VPN).
Czech Republic
Moreover, there are specific provisions regarding the monitoring of employees set out in the Czech Labour Code. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, checking their electronic mail or postal consignments addressed to a certain employee, may be performed only if there is a serious cause consisting in the employer's nature of activity. The employer shall directly inform the employees of the scope and methods of such monitoring.
Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. Personal data may also be exported from the EU (not the EEA) to the US where the importer has certified under the EU-US Privacy Shield.
As regards privacy in the electronic communications sector, due to a specific implementation of Directive 2002/58/EC of the European Parliament and of the Council, when a website controller wishes to use cookies it can do so based on opt-out principle rather than opt-in prescribed by the Directive.
England & Wales
Personal data can only be transferred outside the EEA where certain safeguards are in
place or if the country to which the data is being transferred is deemed by the European
Commission to give adequate protection to personal data. While consent may be used
to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or
Binding Corporate Rules. Personal data may also be exported from the EEA
to the USA where the importer has certified under the EU-US Privacy Shield.
The UK's data protection law stems from the EU's General Data Protection Regulation, and its own Data Protection Act 2018. The UK has made provision for a new UK GDPR to be created at the end of the transition period following the UK's exit from the EU. This mirrors the GDPR but removes EU-specific references including to regulator cooperation and the European Data Protection Board. The UK has also made transitional provision for data flows to continue uninterrupted to the EEA, countries currently benefitting from an EU Adequacy Decision, Gibraltar and to the US under the Privacy Shield. Data flows to the UK from the EEA may be disrupted on exit unless a suitable GDPR data transfer mechanism applies or a separate agreement is reached on the question of data transfers between the EU and the UK. Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in the UK and/or the EU.
France
Data controllers must ensure full compliance with GDPR requirements and other applicable privacy regulations (notably e-privacy). This includes having all the required documentation in place at the disposal of the CNIL in case of control, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy, etc) and procedures (PIAs, privacy by design and by default, data subjects' rights, data breaches, etc).
It must also be noted that the CNIL generally follows the recommendations of the European Data Protection Board, which takes a strict approach on the interpretation of GDPR requirements.
Finally, there remain areas where French law will have specific requirements, in addition to EU requirements. This is notably the case for the processing of employee data, sensitive data (including health data), as well as data relating to criminal offences and convictions. French law also has a specific regime applicable to the hosting of health data collected in the course of prevention, diagnosis or care activities which is subject to a prior mandatory certification process. The CNIL has also adopted in 2020 new specific and strict guidelines applicable to the use of tracking technologies (e.g. cookies, SDK..).
Germany
In general, all data controllers must ensure full compliance with GDPR requirements. This includes among others having all the required documentation in place at the disposal of the respective competent regulator in case of an inspection, to demonstrate compliance (eg record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, etc) and procedures (PIAs, privacy by design and by default, data subjects’ rights, data breaches, etc).
Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules.
With regard to any data transfer to the USA the CJEU has declared the EU-US Privacy Shield as invalid so a certification of the data importer under the EU-US Privacy Shield is not sufficient any more (Schrems II).
Finally, there remain areas where German law will have specific requirements, in addition to GDPR requirements. This is notably the case eg for the processing of employee data and sensitive data (including health data).
Hong Kong
Collection of personal data for direct marketing:
- There are new requirements of “notification” and “consent” from data subjects to enhance protection of consumers’ data privacy rights against unwanted direct marketing activities, eg data subject is entitled to exercise his/her opt-out right and data users must comply with the request.
Data export restriction (not yet in force):
- Export of personal data outside of the jurisdiction will be subject to conditions, eg data subjects’ written consent or whether the data user or the Commissioner has reasonable grounds to believe that the personal data will be transferred to a jurisdiction that provides a similar degree of protection as Hong Kong.
Hungary
For data transfers within the EU, no additional measures would be required regarding the direct applicability of the GDPR in every EU member state. However, where a data controller occupies a service provider acting as data processor, their relationship shall be governed by an agreement. This agreement or contract is subject to the minimum criteria laid down under the GDPR.
In the case of non-EU data transfers, those specific situations are defined when such transfers may be carried out. It shall be considered whether there is an adequacy decision of the EU and if there is no such decision, additional guarantees by means of contractual agreements will have to be provided.
Ireland
Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most commercial situations it will not be a practical basis for transfer. In June 2021, the Commission published its decision on the new standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries, and the template SCCs themselves. The new SCCs addressed the CJEU’s decision in Schrems II by incorporating a number of terms designed to ensure an appropriate level of protection for personal data transferred to third countries from the EEA. The Commission confirmed that there would be an 18 month transition period, during which time companies can continue to transfer personal data to third countries using the existing SCCs. As of 27 September 2021, the previous SCCs can no longer be used for new contracts or new processing activities.
Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in Ireland and/or the EU.
The DPC actively enforces the rules around direct marketing and frequently prosecutes breaches.
Italy
The main areas where the Italian Data Protection Code provides for specific requirements are the following: processing of employees’ personal data, processing of genetic data, biometric data or data concerning health, the legal basis applicable to processing of personal data (including health and genetic data) for the purposes of scientific research in the medical, biomedical or epidemiological field; processing of personal data relating to criminal convictions and offences (for which a Decree of the Ministry of Justice is expected to be issued soon); rights concerning deceased people; cases where data controllers may refuse to comply with a request of exercise of rights from the data subject.
The Italian Data Protection Code contains also the provisions implementing the ePrivacy Directive (Directive 2002/58/EC), including the rules governing placement of cookies, processing of traffic and geolocation data.
Netherlands
Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the personal data is being transferred is deemed by the European Commission to ensure an adequate level of protection for personal data. Under the GDPR, accessing personal data from outside the EEA is considered a data transfer as well.
Following the outcome of the Schrems II-case (ie the invalidation of the adequacy decision regarding Privacy Shield) by the European Court of Justice, the Dutch DPA has been reluctant to indicate if and how it will investigate and enforce non-compliant data transfers to the US pending further guidance from the European Data Protection Board and/or new legislation. Pursuant to the guidelines from the European Data Protection Board, Dutch companies transferring personal data to the US are advised to perform risk-assessments per data transfer and ensure that appropriate safeguards (eg the use of standard contractual clauses) are present. As of September 2021, parties need to apply the new EU model clauses (SCC’s) when transferring personal data to a country without an adequate level of protection. These new SCC’s offer more options and better protection for the data transfer.
Specific data protection and privacy legislation (eg further notification requirements and industry-specific enforcement guidance) may apply to companies in specialized markets, such as healthcare, energy, fuel, water supply and internet access providers. Companies with user data that may be valuable to public authorities (eg for a criminal investigation), such as police and public prosecutors, should also ensure that they have appropriate policies ready to deal with such data requests.
Poland
Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required.
These may be in the form of EC Model Clauses or Binding Corporate Rules.
As regards the data exports to the USA given the CJEU judgment in the Schrems II case certification of the data importer under the EU-US Privacy Shield is not sufficient any more.
Singapore
Organisations will need to determine the most appropriate form of notification to meet their business needs.
Slovakia
Along with GDPR, Act no. 18/2018 Coll. on Personal Data Protection regulates the data protection. The Act follows GDPR and applies analogical rules also in situations falling outside the scope of GDPR.
Moreover, there are specific provisions regarding monitoring of employees set out in the Slovakian Labour Code. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, checking their electronic mail or postal consignments addressed to a certain employee, may be performed only if there is a serious cause consisting in the employer's nature of activity. The employer shall directly inform the employees of the scope and methods of such monitoring.
Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data.
Ukraine
Ukraine is working to align its legislation to be compliant with the laws of the European Union. The majority of Ukrainian IT companies and other entities aimed at European markets tend to comply with the requirements of the GDPR.
Technology companies dealing with personal data often make mistakes when conducting surveillance of their employees or contractors in Ukraine. There are two types of mistakes: i) when consent is not obtained and neither the legislation nor type of services require such surveillance; and ii) when special equipment is used for such surveillance. This type of equipment is considered as special purpose equipment and may only be used by law enforcement authorities if a court order is in place.
United Arab Emirates
Apart from a situation where there is a legal requirement to do so, the unauthorised use of personal data may qualify as a criminal offence under the UAE Penal Code.
Therefore, matters including but not limited to the processing of employees’ information, recording of any conversations, using video surveillance equipment and recordings created, or even taking pictures during events and the use of the same for any purposes should be handled carefully. Ideally and, where possible, consent of the concerned person should be obtained prior to any form of processing of personal data.