The GDPR allows EU member states to make some derogations (changes to how the data privacy law will be enforced), and as we get closer to the May 28 date of initial enforcement, these changes are becoming clearer. Let’s look at some of the member states to see what they’re doing.
Not surprisingly, the French have made it clear that their national data law will apply for French data subjects. Mostly this means French data subjects can appeal to the CNIL (the French data protection authority) for any infringements of their rights, even if the controller is outside France. This is something to be aware of if your company processes any data belonging to French data subjects. France has also indicated its intention to apply additional limitations on the use of biometric data, such as prior authorisation from the CNIL.
The Spanish AEPD has issued a statement to local administrations, stressing the need for them to show clear reports on the purposes and legal basis for processing personal data as well as to allow data subjects to clearly exercise their rights. It also states that a risk analysis needs to be undertaken with regard to processing personal data. If the AEPD requires this of local administrations, you can be sure businesses will need to have all this tied down too.
The German legislator has, under its new German Federal Data Protection Act, made significant derogations from the GDPR relating to the collection and use of employee data, and has also applied more stringent requirements for the appointment of a DPO.
With Brexit postponed, there’s no certainty. For now, companies located in the UK need to comply with the Data Protection Act and the GDPR.
Remember, GDPR compliance will be necessary if you process data on European data subjects regardless of Brexit. Using a solution like GDPR365 will allow you to demonstrate that compliance not only to your own supervisory authority, but to any European supervisory authority. Click on the Register button for a free GDPR compliance demo.