Privacy

Regulator
Austria The Data Protection Authority - “DPA” (Datenschutzbehörde - DSB).
China Various, including the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the State Administration of Market Regulation (SAMR), the China Banking and Insurance Regulatory Committee (CBIRC).
Czech Republic Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
England & Wales The UK Information Commissioner’s Office (ICO).
France The Commission Nationale de l’Informatique et des Libertés (CNIL).
Germany There are 16 regulators for the private sector in Germany (one for each German Federal State), each competent for the companies located in the applicable Federal State. The regulators meet to form joint decisions; however, in practice deviating guidance or practices may apply.
Hong Kong Office of the Privacy Commissioner for Personal Data.
Hungary Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Ireland The Irish Data Protection Commission (DPC).
Netherlands Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Poland Personal Data Protection Office (Urząd Ochrony Danych Osobowych).
Singapore Personal Data Protection Commission.
Slovakia Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic).
United Arab Emirates Apart from a few tax-free zones (including but not limited to Dubai Healthcare City and Dubai International Financial Centre), there is no specific data protection legislation in the UAE that would apply to businesses generally. Consequently, there is no UAE data protection officer as such at federal or emirate level.

Individuals would typically reach out to the Consumer Protection Units at the Department of Economic Development with complaints about a trader/service provider.

However, for a limited number of specific matters, e.g. where information obtained from the registry database with respect to Domain Name Licences is used, there is specific data protection legislation to be complied with.
Notification requirements
Austria Since the GDPR became applicable, there is no general requirement to notify planned or ongoing processing of personal data to the DPA. In addition to the GDPR, the Austrian Data Protection Act (Datenschutzgesetz - DSG), which implements the GDPR in Austria, also covers this area. The controller, however, must notify (inform) the data subjects of the processing.

Nevertheless, specific situations can occur where notification to, consultation with, or authorization from the DPA is required. For instance, the GDPR has introduced a notification requirement in case of a personal data breach. Such breaches must be notified to the DPA within 72 hours (in case this timeframe is not met, such delay has to be documented and justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
China Yes. A company shall – when collecting personal data – present its privacy policy disclosing the purpose, means and scope of collection and use of personal information, and it shall secure prior consent from the data subject. In case of a data breach, a company is subject to a general obligation to notify the data subject. Notification to regulators may be required depending on gravity of the breach.
Czech Republic In the Czech Republic, this area is governed by the GDPR. Moreover, the Czech Adaptation Law, effective since April 2019, specifies the general rules in more detail and lays down several differences from the general regime under the GDPR. For example, controllers are relieved from certain obligations (including informing the data subjects) in the case of data processing for journalistic purposes, and the age limit for a child's consent in relation to information society services has been set at 15 years. Further, this adaptation legislation limits/precludes fines against public institutions.

There is no general requirement to notify planned or ongoing data processing to the Office for Personal Data Protection. The controller, however, must notify (inform) the data subjects of the processing.

Nevertheless, specific situations can occur where notification to, consultation with, or authorisation from the Office is required.

On the other hand, GDPR has introduced a notification requirement in case of a personal data breach (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons). Such breaches must be notified to the Office for Personal Data Protection within 72 hours (in case this timeframe is not met, such delay has to be justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
England & Wales The GDPR did away with the annual notification requirement; however, the UK government introduced a new annual data protection fee, which ranges from £40 to £2,900 depending on the size of the organisation in question. The ICO has set up a self-assessment tool to help organisations work out whether, and how much, they need to pay. The ICO actively enforces non-payment, which can lead to fines.

There are additional notification requirements in relation to data breaches under the GDPR and the NIS Regulations.
France With the entry into force of the GDPR, notification of processing activities to the CNIL is no longer required: notification formalities have been replaced by an “accountability” principle. In some specific cases, however (e.g. for some processing activities in the health sector), it is still necessary to obtain prior authorisation from the CNIL.

On the other hand, GDPR has introduced a notification requirement in case of breach of personal data. Such breaches must be notified to the CNIL within 72 hours and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.

Germany In case of a breach of privacy regarding certain types of personal data (e.g. sensitive personal data, data about banking or credit information), the competent regulator shall be notified. Otherwise, there are no notification requirements if the data controller/processor has appointed a data protection officer.
Hong Kong No requirement to register with or notify any authorities of data processing.
Hungary With the entry into force of the GDPR, the Data Protection Directive 95/46/EC has been replaced. Under the new regulation, notification of processing activities to the data protection authority is no longer an obligation.

However, the GDPR has introduced a notification requirement as a replacement, in the case of a breach of personal data. In the case of a breach, the authority must be notified within 72 hours. Depending on the severity of the breach, those data subjects (natural persons) whose data have been affected by the breach shall be notified as well (e.g. where bank account numbers or passwords have been made public).
Ireland The GDPR did away with the requirement for processing activities to be registered with the DPC. However, the GDPR introduced new notification requirements to the DPC in relation to personal data breaches (noting that pre-GDPR only telcos had mandatory breach notification requirements under Irish law). Where an organisation has appointed a Data Protection Officer under the GDPR, it is recommended that this is notified to the DPC as well.

The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 have also introduced additional notification requirements to the National Cyber Security Centre which relate to “operators of essential services” and “digital service providers” which can also apply in relation to data breaches.
Netherlands No notification requirements for data processing activities. However, each controller must maintain a record of processing activities, which needs to be provided to the data protection authority on request.

Notification requirements are in place for data breaches and for the appointment of a Data Protection Officer. Notifications can be made electronically via forms made available by the Dutch Data Protection Authority on its website and are free of charge.
Poland All limited liability companies and joint stock companies are personal data administrators by definition.

All personal data administrators must ensure full compliance with GDPR requirements. This includes having all the required documentation in place at the disposal of the Personal Data Protection Office in case of an inspection, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, etc.) and procedures.
Management boards are liable for personal data violations. In specific situations, there is an obligation to appoint a Data Protection Officer.
There are no notification requirements for data processing activities. Notification requirements are in place for data breaches and for the appointment of a Data Protection Officer.

In the case of a breach of duties relating to personal data protection, the personal data administrator should notify the President of the Personal Data Protection Office of the breach via the internet platform, using the electronic notification form provided. The notification should be made within 72 hours of the breach occurring.
Singapore The personal data protection regime in Singapore follows a light touch approach. The Personal Data Protection Act does not prescribe how organisations should inform individuals of the purposes of collection, use or disclosure of their personal data, or what must be included as part of the notification. As such, organisations will need to determine the most appropriate form of notification to meet their business needs.
Slovakia Following the adoption and effectiveness of GDPR, there is no general requirement to notify planned or ongoing data processing to the Office for Personal Data Protection. The controller, however, must inform the data subjects about processing.

Still, situations may arise where notification to, consultation with, or authorisation from the Office is required.

On the other hand, GDPR has introduced a notification requirement in case of a personal data breach. Such breaches must be notified to the Office for Personal Data Protection within 72 hours (in case this timeframe is not met, such delay has to be justified), and, depending on the severity of the breach, to the data subjects whose data have been affected by the breach.
United Arab Emirates Generally speaking this is not applicable in the UAE. But there are a few exceptions.
Other considerations
Austria Data controllers must ensure full compliance with GDPR requirements. This includes having all the required documentation in place at the disposal of the DPA in case of an inspection, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy…) and procedures (PIAs, privacy by design and by default, data subjects’ rights, IT security…).

It must also be noted that the DPA generally follows the recommendations of the former Working Party 29 (now the “European Data Protection Board”), which takes a strict approach on the interpretation of GDPR requirements.

Finally, there remain areas where Austrian law has specific requirements or diverging regulations, in addition to GDPR requirements. This is notably the case for the principle of “warning instead of punishment”, for the processing of personal data in the context of video surveillance, and for the data subject's right of access.
China China’s fast-developing cyber security regime is increasing the importance of privacy topics. Offline and online content censorship adds further complexity. Compliance efforts are strongly recommended; these may include, for example, an organisational set-up (such as a CISO) with clear functional guidance, and internal procedures and protocols (such as IT guidance and the use of a company VPN).
Czech Republic In addition, there are specific provisions regarding the monitoring of employees set out in the Czech Labour Code. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, and checking of their electronic mail or postal consignments addressed to a certain employee may be performed only if there is a serious cause arising from the nature of the employer's activity. The employer shall directly inform the employees of the scope and methods of such monitoring.

Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. Personal data may also be exported from the EU (not the EEA) to the US where the importer has certified under the EU-US Privacy Shield.

As regards privacy in the electronic communications sector, due to a specific implementation of Directive 2002/58/EC of the European Parliament and of the Council, a website controller wishing to use cookies may do so on an opt-out basis rather than the opt-in basis prescribed by the Directive.
England & Wales Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules. Personal data may also be exported from the EEA to the USA where the importer has certified under the EU-US Privacy Shield.

The UK's data protection law stems from the EU's General Data Protection Regulation, and its own Data Protection Act 2018. The UK has made provision for a new UK GDPR to be created at the end of the transition period following the UK's exit from the EU. This mirrors the GDPR but removes EU-specific references including to regulator cooperation and the European Data Protection Board. The UK has also made transitional provision for data flows to continue uninterrupted to the EEA, countries currently benefitting from an EU Adequacy Decision, Gibraltar and to the US under the Privacy Shield. Data flows to the UK from the EEA may be disrupted on exit unless a suitable GDPR data transfer mechanism applies or a separate agreement is reached on the question of data transfers between the EU and the UK. Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in the UK and/or the EU.
France Data controllers must ensure full compliance with GDPR requirements. This includes having all the required documentation in place at the disposal of the CNIL in case of an inspection, to demonstrate compliance (record of processing activities, privacy policies, data processing agreements, consent forms, data transfer agreements, data retention policy, etc.) and procedures (PIAs, privacy by design and by default, data subjects’ rights, data breaches, etc.).

It must also be noted that the CNIL generally follows the recommendations of the European Data Protection Board, which takes a strict approach on the interpretation of GDPR requirements.

Finally, there remain areas where French law will have specific requirements, in addition to GDPR requirements. This is notably the case for the processing of employee data, sensitive data (including health data), as well as data relating to criminal offences and convictions.
Germany Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules. Personal data may also be exported from the EU (not the EEA) to the USA where the importer has certified under the EU-US Privacy Shield.
Hong Kong Collection of personal data for direct marketing:
- There are new requirements of “notification” and “consent” from data subjects to enhance protection of consumers’ data privacy rights against unwanted direct marketing activities.
Data export restriction (not yet in force):
- Export of personal data outside of the jurisdiction will be subject to conditions, e.g. data subjects’ written consent or whether the data user or the Commissioner has reasonable grounds to believe that the personal data will be transferred to a jurisdiction that provides a similar degree of protection as Hong Kong.
Hungary For data transfers within the EU, no additional measures are required, given the direct applicability of the GDPR in every EU member state. However, where a data controller engages a service provider acting as data processor, their relationship shall be governed by an agreement. This agreement or contract is subject to the minimum criteria laid down under the GDPR.
In the case of non-EU data transfers, the specific situations in which such transfers may be carried out are defined. It shall be considered whether there is an EU adequacy decision; if there is no such decision, additional guarantees by means of contractual agreements will have to be provided.
Ireland Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most commercial situations it will not be a practical basis for transfer. Instead many organisations rely on the EC Model Clauses or Binding Corporate Rules. Personal data may also be exported from the EEA to the USA where the importer has certified under the EU-US Privacy Shield.

Cross-border businesses may also need to consider the location of their Lead Supervisory Authority and Data Protection Officer (if they have one), as well as whether or not they need to appoint a representative in Ireland and/or the EU.

The DPC actively enforces the rules around direct marketing and frequently prosecutes breaches.
Netherlands Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the personal data is being transferred is deemed by the European Commission to ensure an adequate level of protection for personal data. Under the GDPR, accessing personal data from outside the EEA is considered a data transfer as well.

While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required. These may be in the form of EC Model Clauses or Binding Corporate Rules. Transfer of personal data from the EU (not the EEA) to the USA is also allowed if the data importer has certified under the EU-US Privacy Shield.
Poland Personal data can only be transferred outside the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. While consent may be used to legitimise the export of personal data to third countries in limited circumstances, in most cases, contracts will be required.

These may be in the form of EC Model Clauses or Binding Corporate Rules. Personal data may also be exported from the EU (not the EEA) to the USA where the importer has certified under the EU-US Privacy Shield.
Singapore Organisations will need to determine the most appropriate form of notification to meet their business needs.
Slovakia Along with the entry into force of the GDPR, a new Act No. 18/2018 Coll. on Personal Data Protection became effective as well. The Act follows the GDPR and applies analogous rules also in situations falling outside the scope of the GDPR.
Moreover, there are specific provisions regarding the monitoring of employees set out in the Slovakian Labour Code. Open or concealed surveillance (monitoring) of employees, interception (including recording) of their telephone calls, and checking of their electronic mail or postal consignments addressed to a certain employee may be performed only if there is a serious cause arising from the nature of the employer's activity. The employer shall directly inform the employees of the scope and methods of such monitoring.

Personal data can only be transferred outside of the EEA where certain safeguards are in place or if the country to which the data is being transferred is deemed by the European Commission to give adequate protection to personal data. Personal data may also be exported from the EU (not the EEA) to the US where the importer has certified under the EU-US Privacy Shield.
United Arab Emirates Unless there is a legal requirement to do so, the unauthorised use of personal data may qualify as a criminal offence under the UAE Penal Code.

Therefore, matters including but not limited to the processing of employees’ information, the recording of any conversations, the use of video surveillance equipment and the recordings created, or even taking pictures during events and using them for any purpose should be handled carefully. Ideally, and where possible, the consent of the person concerned should be obtained prior to any form of processing of personal data.