Privacy

Regulator
Austria The Data Protection Authority - “DPA” (Datenschutzbehörde - DSB).
China Various, including the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the State Administration of Market Regulation (SAMR), the China Banking and Insurance Regulatory Committee (CBIRC).
Czech Republic Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
England & Wales The UK Information Commissioner’s Office (ICO).
France The Commission Nationale de l’Informatique et des Libertés (CNIL).
Germany There are 16 regulators for the private sectors in Germany (for every German Federal State), each is competent for the companies located in the applicable Federal State. The regulators meet to form joint decisions, however, in practice it is possible that deviating guidance or practices apply.
Hong Kong Office of the Privacy Commissioner for Personal Data.
Hungary Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Ireland The Irish Data Protection Commission (DPC).
Italy Garante per la protezione dei dati personali (“Garante”).
Netherlands Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and when it comes to the use of cookies (and other means of access to end-users’ terminal equipment), the Dutch Authority for Consumer and Markets (Autoriteit Consument en Markt) as well.
Poland President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
Singapore Personal Data Protection Commission.
Slovakia Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic).
Ukraine The Ukrainian Parliament Commissioner for Human Rights is a regulator responsible for both supervision and drafting proposals before the Parliament for adoption of new rules with respect to privacy.

Both the courts and the regulator highlighted that personal data should only be used with a person's consent or on the basis of the law. Personal data is typically collected, stored and processed on the basis of the law when a person is employed by the company or is engaged as independent contractor. The scope of permitted use of personal data in relationships with employees and independent contractors is usually narrower and, in most cases, separate consent must be obtained. Additionally, companies must ensure that they implement the respective regime of personal data protection on legal (i.e., availability of the respective internal documents setting organizational and technical details of protection), organisational (i.e., hierarchy of access and responsibilities including compliance procedures) and technical levels (e.g., ISO/IEC 27018:2019, IDT as adopted by the State Enterprise Ukrainian Research and Training Center of Standardization, Certification and Quality by order dd 16.10.2019 № 312).
United Arab Emirates Beside a few tax free zones (including but not limited to Dubai Healthcare City and Dubai International Financial Centre) there is no specific data protection legislation in the UAE, which would be applicable to businesses generally. Consequently, there is no UAE data protection officer as such on federal or emirate level.

Individuals would typically reach out to the Consumer Protection Units at the Department of Economic Development with complaints about a trader/service provider.

However, for a limited number of certain matters, e.g. when information obtained from the registry database with respect to a Domain Name Licences is used, there is specific data protection legislation to be complied with.
Notification requirements
Austria Following applicability of GDPR, there is no general requirement to notify planned or ongoing data processing involving personal data to the DPA. Apart from GDPR, also the Austrian Data Protection Act (Datenschutzgesetz - DSG) implementing GDPR in Austria covers this area. The controller, however, must notify (inform) the processing to the data subjects.

Nevertheless, specific situations can occur where notification to, consultation with, or authorization from the DPA is required. For instance, GDPR has introduced a notification requirement in case of a personal data breach. Such breaches must be notified to the DPA within 72 hours (in case this timeframe is not met, such delay has to be documented and justified), and, depending on the severity of the breach, also notified to the subjects whose data have been affected by the breach.
China Yes. A company shall – when collecting personal data – present its privacy policy disclosing the purpose, means and scope of collection and use of personal information, and it shall secure prior consent from the data subject. In case of a data breach, a company is subject to a general obligation to notify the data subject. Notification to regulators may be required depending on gravity of the breach.
Czech Republic In the Czech Republic, this area is governed by GDPR. Moreover, the Czech Adaptation Law is effective since April 2019 that specifies the general rules more in detail and lays down several differences from the general regime under GDPR. For example, controllers are relieved from certain obligations (including informing the data subjects) in case of data processing for purposes of journalism, and age limit relating to conditions applicable to child's consent in relation to information society services has been set to 15 years. Further, this adaptation legislation limits/precludes fines against public institutions.

There is no general requirement to notify planned or ongoing data processing to the Office for Personal Data Protection. The controller, however, must notify (inform) the processing to the data subjects.

Nevertheless, specific situations can occur where notification to, consultation with, or authorisation from the Office is required.

On the other hand, GDPR has introduced a notification requirement in case of a personal data breach (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons). Such breaches must be notified to the Office for Personal Data Protection within 72 hours (in case this timeframe is not met, such delay has to be justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
England & Wales The GDPR did away with an annual notification requirement, however, the UK government introduced a new annual data protection fee which ranges from £40-£2,900 depending on the size of the organisation in question. The ICO has set up a self-assessment tool to help organisations work out whether and what they need to pay. The ICO is actively enforcing for non-payment which can lead to fines.

There are additional notification requirements in relation to data breaches under the GDPR and the NIS Regulations.
France With the entry into force of the GDPR, notification of processing activities to the CNIL is no longer required: notification formalities have been replaced by an “accountability” principle. In some specific cases however (eg for some processing activities in the health sector), it is still necessary to obtain a prior authorisation from the CNIL.

On the other hand, GDPR has introduced a notification requirement in case of breach of personal data. Such breaches must be notified to the CNIL within 72 hours and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.

Germany With the entry into force of the GDPR, notification of processing activities to the respective competent regulator is no longer required; notification formalities have been replaced by an “accountability” principle.

On the other hand, GDPR has introduced a notification requirement in case of breach of personal data. Such breaches must be notified to the respective competent regulator within 72 hours since the breach occurred and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach without undue delay.

Furthermore, in specific situations, there is an obligation to appoint a Data Protection Officer and to notify the respective competent regulator therof.
Hong Kong No requirement to register with or notify any authorities of data processing.
Hungary With the entry into force of the GDPR regulation the Data Protection Directive 95/46/EC has been replaced. Under the new regulation the notification of processing activities to the data protection authority is no longer an obligation.

However the GDPR regulation has introduced a notification requirement as a replacement, in case of breach of personal data. In case of breaches the authority must be notified within 72 hours. Depending on the severity of the breach, those data subjects (natural persons) whose data have been affected by the breach, shall be notified as well (eg in case of bank account numbers or passwords have been made public).
Ireland The EU General Data Protection Regulation 2016/ 679 (GDPR) together with the Data Protection Acts 1988 – 2018 comprise the legal framework governing data protection and privacy. These measures require personal data breaches to be notified to the DPC. Where an organisation has appointed a Data Protection Officer under the GDPR, this appointment should also be notified to the DPC.

The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 introduced notification requirements to the National Cyber Security Centre, which relate to operators of essential services and digital service providers, which can also apply to data breaches.
Italy Following the entry into force of the GDPR, the Italian Data Protection Code (Legislative Decree No. 196/2003) does not provide for notification formalities applicable to certain processing activities. Indeed, notification formalities were provided under the former legislation, but were repealed by Legislative Decree No. 101/2018, which adapted the Italian Data Protection Code to the GDPR.

The GDPR however introduced the obligation to notify data breaches to the competent supervisory authority within 72 hours from the discovery of the personal data breach, unless it is unlikely that the data breach will result in a risk to the rights and freedom of the data subjects. The notification to the Garante must be made by means of the online service available on the Garante’s website, which also provides several tools to support data controllers in their obligations in the event of a data breach (e. g. a self-assessment procedure to identify the actions to be taken).

Additionally, the Italian Data Protection Code provides that the authorization of the Garante must be obtained in some specific cases (such as, secondary processing of particular categories of personal data for purposes of scientific research or statistic purposes).
Netherlands No general notification requirements for data processing activities. However, each controller must maintain a record of processing activities, which needs to be provided to the data protection authority on request).

Notification requirements are in place for data breaches and for the appointment of a Data Protection Officer. Notifications can be made electronically via forms made available by the Dutch Data Protection Authority on its website and are free of charge.
Poland In principal all limited liability companies, simple joint stock companies and joint stock companies are data controllers.

All data controllers must ensure full compliance with GDPR requirements. This includes among others having all the required documentation in place at the disposal of the Personal Data Protection Office in case of an inspection, to demonstrate compliance (eg record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, etc) and procedures.

In specific situations, there is an obligation to appoint a Data Protection Officer.
There are no notification requirements for data processing activities. Notification requirements are in place for data breaches and for the appointment of a Data Protection Officer.

In case of a breach of duties relating to personal data protection, the personal data administrators should notify the President of the Personal Data Protection Office of such breach – the relevant notification may be made via internet platform using the provided electronic notification form. The notification should follow within 72 hours since the breach occurred.
Singapore The personal data protection regime in Singapore follows a light touch approach. The Personal Data Protection Act does not prescribe how organisations should inform individuals of the purposes of collection, use or disclosure of their personal data, or what must be included as part of the notification.
Slovakia Following the adoption and effectiveness of GDPR, there is no general requirement to notify planned or ongoing data processing to the Office for Personal Data Protection. The controller, however, must inform the data subjects about processing.

Still, there may arise situations where notification to, consultation with, or authorisation from the Office is required.

On the other hand, GDPR has introduced a notification requirement in case of a personal data breach. Such breaches must be notified to the Office for Personal Data Protection within 72 hours (in case this timeframe is not met, such delay has to be justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
Ukraine Only sensitive data and breaches thereof must be reported to the regulator.

In some cases, such as when personal data is collected automatically, e.g., during surveillance, a visible notification is also required.
United Arab Emirates Generally speaking this is not applicable in the UAE. But there are a few exceptions.
Other considerations
Austria Data controllers must ensure full compliance with GDPR requirements. This includes having all the required documentation in place at the disposal of the DPA in case of control, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy…) and procedures (PIAs, privacy by design and by default, data subjects’ rights, IT security…).

It must also be noted that the DPA generally follows the recommendations of the former Working Party 29 (now the “European Data Protection Board”), which takes a strict approach on the interpretation of GDPR requirements.

Finally, there remain areas where Austrian law has specific requirements or diverging regulations, in addition to GDPR requirements. This is notably the case in the principle of “warning instead of punishment”, for the processing of personal data in the context of video surveillance, as well as the right of access of the data subject.
China China’s fast developing cyber security regime is increasing the importance of privacy topics. Offline and online content censorship adds further complexities. Compliance efforts are strongly recommended which may include eg organisational set up (like a CISO) with clear functional guidance, internal procedures and protocols (like IT guidance and use of company VPN).
Czech Republic Moreover, there are specific provisions regarding the monitoring of employees set out in the Czech Labour Code. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, checking their electronic mail or postal consignments addressed to a certain employee, may be performed only if there is a serious cause consisting in the employer's nature of activity. The employer shall directly inform the employees of the scope and methods of such monitoring.

Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. Personal data may also be exported from the EU (not the EEA) to the US where the importer has certified under the EU-US Privacy Shield.

As regards privacy in the electronic communications sector, due to a specific implementation of Directive 2002/58/EC of the European Parliament and of the Council, when a website controller wishes to use cookies it can do so based on opt-out principle rather than opt-in prescribed by the Directive.
England & Wales Personal data can only be transferred outside the EEA where certain safeguards are in
place or if the country to which the data is being transferred is deemed by the European
Commission to give adequate protection to personal data. While consent may be used
to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or
Binding Corporate Rules. Personal data may also be exported from the EEA
to the USA where the importer has certified under the EU-US Privacy Shield.

The UK's data protection law stems from the EU's General Data Protection Regulation, and its own Data Protection Act 2018. The UK has made provision for a new UK GDPR to be created at the end of the transition period following the UK's exit from the EU. This mirrors the GDPR but removes EU-specific references including to regulator cooperation and the European Data Protection Board. The UK has also made transitional provision for data flows to continue uninterrupted to the EEA, countries currently benefitting from an EU Adequacy Decision, Gibraltar and to the US under the Privacy Shield. Data flows to the UK from the EEA may be disrupted on exit unless a suitable GDPR data transfer mechanism applies or a separate agreement is reached on the question of data transfers between the EU and the UK. Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in the UK and/or the EU.
France Data controllers must ensure full compliance with GDPR requirements and other applicable privacy regulations (notably e-privacy). This includes having all the required documentation in place at the disposal of the CNIL in case of control, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy, etc) and procedures (PIAs, privacy by design and by default, data subjects' rights, data breaches, etc).

It must also be noted that the CNIL generally follows the recommendations of the European Data Protection Board, which takes a strict approach on the interpretation of GDPR requirements.

Finally, there remain areas where French law will have specific requirements, in addition to EU requirements. This is notably the case for the processing of employee data, sensitive data (including health data), as well as data relating to criminal offences and convictions. French law also has a specific regime applicable to the hosting of health data collected in the course of prevention, diagnosis or care activities which is subject to a prior mandatory certification process. The CNIL has also adopted in 2020 new specific and strict guidelines applicable to the use of tracking technologies (e.g. cookies, SDK..).
Germany In general, all data controllers must ensure full compliance with GDPR requirements. This includes among others having all the required documentation in place at the disposal of the respective competent regulator in case of an inspection, to demonstrate compliance (eg record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, etc) and procedures (PIAs, privacy by design and by default, data subjects’ rights, data breaches, etc).

Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules.

With regard to any data transfer to the USA the CJEU has declared the EU-US Privacy Shield as invalid so a certification of the data importer under the EU-US Privacy Shield is not sufficient any more (Schrems II).

Finally, there remain areas where German law will have specific requirements, in addition to GDPR requirements. This is notably the case eg for the processing of employee data and sensitive data (including health data).
Hong Kong Collection of personal data for direct marketing:
- There are new requirements of “notification” and “consent” from data subjects to enhance protection of consumers’ data privacy rights against unwanted direct marketing activities, eg data subject is entitled to exercise his/her opt-out right and data users must comply with the request.

Data export restriction (not yet in force):
- Export of personal data outside of the jurisdiction will be subject to conditions, eg data subjects’ written consent or whether the data user or the Commissioner has reasonable grounds to believe that the personal data will be transferred to a jurisdiction that provides a similar degree of protection as Hong Kong.
Hungary For data transfers within the EU, no additional measures would be required regarding the direct applicability of the GDPR in every EU member state. However, where a data controller occupies a service provider acting as data processor, their relationship shall be governed by an agreement. This agreement or contract is subject to the minimum criteria laid down under the GDPR.

In the case of non-EU data transfers, those specific situations are defined when such transfers may be carried out. It shall be considered whether there is an adequacy decision of the EU and if there is no such decision, additional guarantees by means of contractual agreements will have to be provided.

Ireland Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most commercial situations it will not be a practical basis for transfer. In June 2021, the Commission published its decision on the new standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries, and the template SCCs themselves. The new SCCs addressed the CJEU’s decision in Schrems II by incorporating a number of terms designed to ensure an appropriate level of protection for personal data transferred to third countries from the EEA. The Commission confirmed that there would be an 18 month transition period, during which time companies can continue to transfer personal data to third countries using the existing SCCs. As of 27 September 2021, the previous SCCs can no longer be used for new contracts or new processing activities.

Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in Ireland and/or the EU.

The DPC actively enforces the rules around direct marketing and frequently prosecutes breaches.
Italy The main areas where the Italian Data Protection Code provides for specific requirements are the following: processing of employees’ personal data, processing of genetic data, biometric data or data concerning health, the legal basis applicable to processing of personal data (including health and genetic data) for the purposes of scientific research in the medical, biomedical or epidemiological field; processing of personal data relating to criminal convictions and offences (for which a Decree of the Ministry of Justice is expected to be issued soon); rights concerning deceased people; cases where data controllers may refuse to comply with a request of exercise of rights from the data subject.

The Italian Data Protection Code contains also the provisions implementing the ePrivacy Directive (Directive 2002/58/EC), including the rules governing placement of cookies, processing of traffic and geolocation data.
Netherlands Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the personal data is being transferred is deemed by the European Commission to ensure an adequate level of protection for personal data. Under the GDPR, accessing personal data from outside the EEA is considered a data transfer as well.

Following the outcome of the Schrems II-case (ie the invalidation of the adequacy decision regarding Privacy Shield) by the European Court of Justice, the Dutch DPA has been reluctant to indicate if and how it will investigate and enforce non-compliant data transfers to the US pending further guidance from the European Data Protection Board and/or new legislation. Pursuant to the guidelines from the European Data Protection Board, Dutch companies transferring personal data to the US are advised to perform risk-assessments per data transfer and ensure that appropriate safeguards (eg the use of standard contractual clauses) are present. As of September 2021, parties need to apply the new EU model clauses (SCC’s) when transferring personal data to a country without an adequate level of protection. These new SCC’s offer more options and better protection for the data transfer.

Specific data protection and privacy legislation (eg further notification requirements and industry-specific enforcement guidance) may apply to companies in specialized markets, such as healthcare, energy, fuel, water supply and internet access providers. Companies with user data that may be valuable to public authorities (eg for a criminal investigation), such as police and public prosecutors, should also ensure that they have appropriate policies ready to deal with such data requests.
Poland Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required.

These may be in the form of EC Model Clauses or Binding Corporate Rules.

As regards the data exports to the USA given the CJEU judgment in the Schrems II case certification of the data importer under the EU-US Privacy Shield is not sufficient any more.
Singapore Organisations will need to determine the most appropriate form of notification to meet their business needs.
Slovakia Along with GDPR, Act no. 18/2018 Coll. on Personal Data Protection regulates the data protection. The Act follows GDPR and applies analogical rules also in situations falling outside the scope of GDPR.

Moreover, there are specific provisions regarding monitoring of employees set out in the Slovakian Labour Code. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, checking their electronic mail or postal consignments addressed to a certain employee, may be performed only if there is a serious cause consisting in the employer's nature of activity. The employer shall directly inform the employees of the scope and methods of such monitoring.

Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data.
Ukraine Ukraine is working to align its legislation to be compliant with the laws of the European Union. The majority of Ukrainian IT companies and other entities aimed at European markets tend to comply with the requirements of the GDPR.
Technology companies dealing with personal data often make mistakes when conducting surveillance of their employees or contractors in Ukraine. There are two types of mistakes: i) when consent is not obtained and neither the legislation nor type of services require such surveillance; and ii) when special equipment is used for such surveillance. This type of equipment is considered as special purpose equipment and may only be used by law enforcement authorities if a court order is in place.
United Arab Emirates Apart from a situation where there is a legal requirement to do so, the unauthorised use of personal data may qualify as a criminal offence under the UAE Penal Code.

Therefore, matters including but not limited to the processing of employees’ information, recording of any conversations, using video surveillance equipment and recordings created, or even taking pictures during events and the use of the same for any purposes should be handled carefully. Ideally and, where possible, consent of the concerned person should be obtained prior to any form of processing of personal data.