Specifying the GDPR

Legislation

• Gesamte Rechtsvorschrift für Datenschutzgesetz (consolidated text).

Institutional resources

• Datenschutzbehörde website.
• Datenschutzbehörde newsletter (in German) for general updates.

Legislation

• Wet betreffende de bescherming van natuurlijke personen met betrekking van persoonsgegevens (Kaderwet), 30 juli 2018 - Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel (Loi cadre), 30 juillet 2018.
• Wet van 3 december 2017 tot oprichting van de Gegevensbeschermingsautoriteit - Loi du 3 décembre 2017 portant création de l'Autorité de protection des données.

Institutional resources

• Data Protection Authority website.
• Jaarverslag 2018 - Rapport annuel 2018.
• Jaaverslag 2019 - Rapport annuel 2019.

Other references

• De Smedt, S. and V. Verstraeten (2018), "Belgium: Substantial Reform of Supervisory Authority and Framework Implementing Act Finally Adopted", EDPL, 4:3, pp. 353-359.

Legislation

• Personal Data Protection Act.

Institutional resources

• Commission for Personal Data Protection (CPDP) website.
• Annual report of the CPDP for 2018 (in English).

Legislation

• Zakon o Provedbi Opće Uredbe o Zaštiti Podataka.

Institutional resources

• Croatian Personal Data Protection Agency website.

Legislation

• Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018) (unofficial English translation).

Institutional resources

• Office of the Commissioner for Personal Data Protection.

References

• Markou, C. (2019), "Cyprus: A Look into the Law for the Effective Application of the GDPR", EDPL, 5:3, pp. 389-396.

Legislation

• Zákon ze dne 12. března 2019 o zpracování osobních údajů (original); Czech Act No. 110/2019 Coll., act of 12 March 2019 on personal data processing (English and German translations).

Institutional resources

• The Office for Personal Data Protection website.
• DPA 2018 Annual Report.

Legislation

• Data Protection Act (informal English version).

Institutional resources

• Datatilsynet website.

Legislation

• Isikuandmete kaitse seadus (authentic text).
• Personal Data Protection Act (English version).

Institutional resources

• Estonian Data Protection Inspectorate.

Summary of the event 'Specifying the GDPR: France', which took place on 12 November 2019 at VUB: pdf.

Legislation & case law

• Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (version consolidée).
• Décision du Conseil constitutionnel n° 2018-765 DC du 12 juin 2018 Loi relative à la protection des données personnelles [Non conformité partielle].

Institutional resources & other

• CNIL website.

• CNIL 2018 Activity Report.
• CNIL 2019 Activity Report.
• CNIL's Guidance on French national provisions on the regulation of cookies.
• Association Française des Correspondants à la protection des Données à caractère Personnel (AFCDP).

Civil society

• La Quadrature du Net.

Other references

• Cheruy, L. et al. (eds.) (2019), Protection des données personnelles: Réussir sa mise en conformité, 2ème édition, Éditions Législatives.
• Tambou, O. (2019), "Lessons from the First Post-GDPR Fines of the CNIL against Google LLC", EDPL, 5:1, pp. 80-84.
• Tambou, O. (2018), "France: The French Approach to the GDPR Implementation", EDPL, 4:1, pp. 88-94.

Legislation

• Data Protection Act 1050/2018, Tietosuojalaki (informal English version).

Institutional resources

• Office of the Data Protection Ombudsman website.
• English summary of the Annual Report 2018.

Other resources

• Korpisaari, P. (2019), "Finland: A Brief Overview of the GDPR Implementation", EDPL, 5:2, pp. 232-237.

Legislation

• DSnpUG-EU (English translation).
• Zweites Datenschutz- Anpassungs- und Umsetzungsgesetz EU (2. DSAnpUG-EU).

Institutional resources

• Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit.

  • Independent German Federal and State Data Protection Supervisory Authorities, Report on Experience Gained in the Implementation of the GDPR, November 2019 in English and in German. A summary of the report in English, by Inside Privacy, Covington.

• Baden-Württemberg: Der Landesbeauftragte für den Datenschutz und Informationsfreiheit.

  • Baden-Württemberg Authority: Results of the Hearing of 28 June 2019 at the IHK Stuttgart on the Evaluation of GDPR, December 2019 (in German).

• Bayern: Der Bayerische Landesbeauftragte für den Datenschutz (Bavarian Data Protection Commissioner).
• Berlin: Berliner Beauftragte fur Datenschutz und Informationsfreiheit.
• Brandenburg: Die Landesbeauftragte für den Datenschutzund für das Recht auf Akteneinsicht Brandenburg.
• Bremen: Die Landesbeauftragte für Datenschutz.
• Hamburg: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit.
• Hessen: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit.
• Mecklenburg-Vorpommern: Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern.
• Niedersachsen: Die Landesbeauftragte fuer den Datenschutz Niedersachsen.
• Nordrhein-Westfalen: Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen.
• Rheinland-Pfalz: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz.
• Saarland: Unabhaengiges Datenschutz Zentrum Saarland.
• Sachsen: Sächsischer Datenschutzbeauftragter.
• Sachsen-Anhalt: Landesbeauftragter für den Datenschutz Sachsen-Anhalt.
• Schleswig-Holstein: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein.
• Thüringen: Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit.

Civil society

• Deutsche Vereinigung für Datenschutz.
• Gesellschaft für Datenschutz und Datensicherheit eV.
• Netzwerk Datenschutzexpertise.
• Verbraucherzentrale Bundersverband.

Other references

• Broy, D. (2017), "Germany: Starting Implementation of the GDPR - Brief Overview of the Government Bill for a New Federal Data Protection Act", EDPL, 3:1, pp. 93-97.
• Etteldorf, C. (2019), "Germany Revisited: The Second Data Protection Adaptation and Implementation Act", EDPL, 5:3, pp. 397-403.

Legislation

• Law 4624/2019 - Νόμος 4624/2019 (ΦΕΚ Α' 137/29-08-2019) [Εφαρμογή GDPR - Άρση των capital controls] Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, μέτρα εφαρμογής του Κανονισμού (ΕΕ) 2016/679 για την προστασία των φυσικών προσώπων έναντι της επεξεργασίας δεδομένων προσωπικού χαρακτήρα, ενσωμάτωση στην εθνική νομοθεσία της Οδηγίας (ΕΕ) 2016/680 και άλλες διατάξεις.

Institutional resources

• Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα - Hellenic Data Protection Authority website.
• Annual Reports of the Hellenic Data Protection Authority (in Greek).
• Opinion 1/2020 of the Hellenic DPA on the Law 4624/2019, 24 January 2020 (in Greek).

Other

• Official Request to the Hellenic Data Protection Authority for the issuance of legal opinion on Law 4624/2019, by Homo Digitalis.
• Complaint to the European Commission against the new data protection law 4624/2019 (24.10.2019), by Homo Digitalis.

Legislation

• Consolidated text of the Act CXII of 2011 on Informational Self-Determination and Freedom of Information, including the amendments made by Act XIII of 2018 and Act XXXVIII of 2018 (in Hungarian).

Institutional resources

• National Authority for Data Protection and Freedom of Information website.

Legislation

• Data Protection Act 2018.

Institutional resources

• Data Protection Commission website.
• DPC Annual Report 2018.
• DPC Data Breach Trends from the First Year of the GDPR (October 2019).

Civil society

• Digital Rights Ireland.

Other references

• McLaughlin, S. (2018), "Ireland: A Brief Overview of the Implementation of the GDPR", EDPL, 4:2, pp. 227-234.

Legislation

• Codice in materia di protezione dei dati personali (d.lgs. 196/2003) modificato dal d.lgs. 101/2018.
• Decreto Legislativo 10 agosto 2018, n. 101, Dispozioni per l'adequamento della normativa nazionale alle dispozioni del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonche' alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE (regolamento generale sulla protezione dei dati).

Institutional resources

• Garante de la Protezione dei Dati Personali webiste.
• Garante de la Protezione dei Dati Personali: Infographic for the period 25 May 2018-30 June 2019.

Other references

• Finocchiario, G. (2018), "Italy: The Legislative Procedure for National Harmonisation with the GDPR", EDPL, 4:4, pp. 496-499.
• Malgieri G. and Comandé G. (2019), Guida al trattamento e alla sicurezza dei dati personali. Le opportunità e le sfide del Regolamento UE e del codice italiano riformato, IlSole24Ore.
• T4DATA – Training for Data project (2018–2019)
• SMEDATA project.

Legislation

• Fizisko personu datu apstrādes likums (original).
• Personal Data Processing Law (English version).

Institutional resources

• Data State Inspectorate website.
• Data State Inspectorate Annual report 2018 (in English).

Other references

• Burkevics, A. (2018), "Latvia: Draft Personal Data Processing Law", EDPL, 4:1, pp. 95-96.

Legislation

• Law Amending Personal Data Protection Law no. I-1374.

Institutional resources

• State Data Protection Inspectorate website.
• List of data processing operations subject to the requirement to perform data protection impact assessment, 19.3.2019.
• 'DPA annual report': The Review of Personal Data Protection Supervision in Lithuania in 2018.

Legislation

• Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données.

Institutional resources

• National Commission for Data Protection (CNPD) website.
• CNDP Rapport d'activités 2018.

Other references

• Andra, G. (2017), "Luxembourg: Reshaping the National Context to Adjust to the GDPR", EDPL, 3:3, pp. 372-375.

Legislation

• Data Protection Act (Cap 586).

Institutional resources

• Office of the Information and Data Protection Commissioner (IDPC) website.

Legislation

• Uitvoeringswet AVG (UAVG).

Institutional resources

• Autoriteit Persoonsgegevens website.
• AP jaarverslag 2018.
• Summary of 2018 Annual Report (in English).
• Report about complaints; Facts & Figrures. Overview January 2019 - June 2019 (Klachtenrapportage: facts & figures. Overzicht januari tot en met juni 2019).

Civil society

• Bits of Freedom.
• Privacy First.

Other references

• Breitbarth, P. (2018), "Netherlands: The GDPR Implementation Act", EDPL, 4:3, pp. 360-365.

Legislation

• Act of 10 May 2018 on the Protection of Personal Data (English version).

Institutional resources

• UODO website.
• Annual report 2018 (Sprawozdanie z działalności Prezesa Urzędu Ochrony Danych Osobowych w roku 2018).

Other references

• Czerniawski, M. and M. Kawecki (2019), Ustawa o ochronie danych osobowych. Komentarz, C. H. Beck.
• Kobylańska, A. and M. Lewoszewski (2017), "Poland: A Brief Overview Concerning the Implementation of the GDPR", EDPL, 3:4, pp. 507-511.

Legislation

• Lei n.º 58/2019, de 8 de agosto que assegura a execução, na ordem jurídica nacional, do Regulamento (UE) 2016/679 do Parlamento e do Conselho, de 27 de abril de 2016, relativo à proteção das pessoas singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses dados (RGPD).
• Deliberation related to the non-application of some provisions of the Law n.° 58/2019 by the Portuguese DPA, 23.9.2019.

Institutional resources

• Comissão Nacional de Protecção de Dados.

Other

• Sérvulo Publications on CNPD's Deliberation 2019/494, 24.9.2019.
• Espanha e associados on CNPD's Deliberation 2019/494, 4.10.2019.
• Ministry of Administrative Modernisation, information and guidelines on the implementation of GDPR by the public administration.

Legislation

• Law No. 190/2018 on measures for the application of the GDPR: original version.

Institutional resources

• Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal.

Civil society

• Association for Technology and Internet (ApTI).
• ApTI complaint to the European Commission regarding Romanian law.

Other references

• Petroiu, M. (2018), "Romania: Overview of the GDPR Implementation", EDPL, 4:3, pp. 366-369.

• Ungureanu, C. T. (2018), "Legal remedies for personal data protection in European Union", Logos, Universality, Mentality, Education, Novelty, Section: Law 6.2, pp. 26-47.

Legislation

• Zákon č. 18/2018 Z. z. o ochrane osobných údajov a o zmene a doplnení niektorých zákonov.
• Act no. 18/2018 on personal data protection and amending and supplementing certain Acts (informal English version).
• Vyhláška Úradu na ochranu osobných údajov SR č. 158/2018 Z. z. o postupe pri posudzovaní vplyvu na ochranu osobných údajov (Decree of the Office No. 158/2018 Coll. on procedure for data protection impact assessment).

Institutional resources

• Office for Personal Data Protection of the Slovak Republic website.
• Office for Personal Data Protection of the Slovak Republic (Úrad na ochrane osobných údajov), Report on the State of the Personal Data Protection for the period from 25 May 2018 to 24 May 2019 (Správa o stave ochrany osobných údajov za obdobie 25. máj 2018 až 24. máj 2019).

Legislation

• Draft Personal Data Protection Act (Predlog Zakona o varstvu osebnih podatkov, ZVOP-2), 14 August 2019.

Institutional resources

• Information Commissioner of the Republic of Slovenia (IPRS) website.
• Information Commissioner of the Republic of Slovenia, Annual Report 2018, May 2019.

Legislation

• Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales.

Case law

• Sentencia 76/2019, de 22 de mayo, ECLI:ES:TC:2019:76.

Institutional resources & other

• Agencia Española de Protección de Datos (AEPD) website.
• AEPD Memoria anual 2018.
• AEPD Memoria anual 2019.
• AEPD Guía sobre el uso de las cookies (November 2019).
• Autoritat Catalana de Protecció de Dades (APDCAT) website.
• APDCAT Memòria anual 2018.
• Datuak Babesteko Euskal Bulegoa (AVPDA) website.
• Asociación Profesional Española de Privacidad (APEP).

Other references

• García Mahamut, R. and B. Tomás Mallén (eds.) (2019), El Reglamento General de Protección de Datos: Un Enfoque Nacional y Comparado: Especial Referencia a la LO 3/2018 de Protección de Datos y Garantía de los Derechos Digitales, Tirant lo Blanch.
• Rallo Lombarte, A. (ed.) (2019), Tratado de Protección de Datos: Actualizado con la Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales, Tirant Lo Blanch.
• Recio, M. (2017), "Spain: Preparations for a New Law on Data Protection to Implement the GDPR", EDPL, 3:3, pp. 376-379.
• Requejo Isidro, M. (2017), "La aplicación privada del derecho para la protección de las personas físicas en materia de tratamiento de datos personales en el reglamento (UE) 2016/679", LA LEY mercantil, No 42, Sección Empresa y empresario / Doctrina, Diciembre.
• Sampere, Javier, Crossover entre el RGPD y la nueva LOPD (versión 2.0) (pdf).

Legislation

• Lag med kompletterande bestämmelser till EU:s dataskyddsförordning.

Institutional resources

• Datainspektionen website.
• 2019 Report about data breaches: Anmälda personuppgiftsincidenter januari–september 2019.

Civil society

• Föreningen för digitala fri- och rättigheter.

Other references

• C. Storr, and P. Storr (2018), "Sweden: Quantitative (but Qualitative?) Changes in Privacy Legislation", EDPL, 4:1, pp. 97-103.

Legislation

• Data Protection Act 2018.

Institutional resources

• Information Comissioner's Office (ICO) website.
• Information Commissioner’s Annual Report and Financial Statements 2018-19.

Civil society

• Big Brother Watch.
• Privacy International.

Other references

• Woods, L. (2017), "United Kingdom: Heading Towards Brexit but with a Data Protection Bill Implementing GDPR", EDPL, 3:4, pp. 500-506.

Legislation

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Corrigendum. Latest consolidated version.

Institutional resources

• GDPR Implementation: Updated State of play in the Member States (11/04/2019), by the Commission Expert Group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680.
• European Commission's info on Member States notifications under the GDPR.
• European Commission, Stronger Protection, New Opportunities: Commission Guidance on the Direct Application of the General Data Protection Regulation as of 25 May 2018, COM/2018/043 final, Brussels, 24.1.2018.
• European Commission, Data protection as a trust-enabler in the EU and beyond - taking stock, COM(2019) 374 final, Brussels, 24.7.2019.
• Multistakeholder expert group to support the application of Regulation (EU) 2016/679, Contribution to the stock-taking exercise of June 2019 on one year of GDPR application, 13.06.2019.
• EU Fundamental Rights Agency (FRA), The General Data Protection Regulation – one year on: Civil society: awareness, opportunities and challenges, June 2019.
• EU Council, Council position and findings on the application of the General Data Protection Regulation (GDPR), 19 December 2s019.
• TIPIK Legal, Report on the implementation of specific provisions of Regulation (EU) 2016/679, as published on 6 January 2021 by the European Commission: pdf bestandReport on the implementation of specific provisions of the GDPR (2 MB)

Other online resources

• GDPRHub.
• DLA Piper Data Protection Laws Around the World.
• Bird & Bird GDPR Tracker.
• GDPR Today.
• GDPR Enforcement Tracker (fines and penalties).
• Certa.ie Analysis of GDPR incorporation in EU Member States.
• Access Now 'One Year Under the EU GDPR: An implementation progress report - State of play, analysis and recommendations' (2019).
• Complete list of EU national supervisory authorities, by EDPB.

Overview

• European Data Protection Board (EDPB) website.
• European Commission's Factsheet on the EDPB: EU Data Protection Reform: Ensuring its Enforcement, January 2018.

Resources

• Opinions of the EDPB.
• Guidelines of the EDPB.
• Register of Decisions taken by DPAs and courts on issues handled in the consistency mechanism.

GDPR and Member States' laws

• McCullagh, K., O. Tambou and S. Bourton (eds.) (2019), National adaptations of the GDPR, Collection Open Access Book, Blogdroiteuropeen.
• Rijpma, J. J. (ed.) (2020), The New EU Data Protection Regime: Setting Global Standards for the Right to Personal Data Protection, open access version available here.
• Wagner, J. and A. Benecke (2016), "National Legislation within the Framework of the GDPR: Limits and Opportunities of Member State Data Protection Law", EDPL, 2:3, pp. 353-361.

GDPR in general

• Albrecht, J. P. and F. Jotzo (2017), Das neue Datenschutzrecht der EU: Grundlagen, Gesetzgebungsverfahren, Synopse, Nomos.
• De Terwangne, C. and K. Rosier (eds.) (2018), Le Règlement général sur la protection des données (RGPD / GDPR): Analyse approfondie, Larcier.
• Kuner, C., L. A. Bygrave, and C. Docksey (eds.) (2019), The EU General Data Protection Regulation (GDPR): A Commentary, Oxford University Press.
• Piñar Mañas, J. L., M. Á. Caro and M. Recio Gayo (eds.) (2016), Reglamento General de Protección de Datos: Hacia un nuevo modelo europeo de privacidad, Editorial Reus.
• Rallo Lombarte, A. and García Mahamut, R. (eds.) (2015), Hacia un nuevo derecho europeo de protección de datos: Towards a new european data protection regime, Tirant Lo Blanch.

Comparative studies of data protection in Europe

• Brkan, M., and E. Psychogiopoulou (eds.) (2017), Courts, Privacy and Data Protection in the Digital Environment, Edward Elgar Publishing.
• Custers, B., A. Sears, F. Dechesne, I. Georgieva, T. Tani, and S. van der Hof (eds.) (2019), EU Personal Data Protection in Policy and Practice, TMC Asser Press.
• Erdos, D. (2019), European Data Protection Regulation, Journalism, and Traditional Publishers: Balancing on a Tightrope?, OUP.
• Malgieri, G., "Automated decision-making in the EU Member States: The right to explanation and other “suitable safeguards” in the national legislations", Computer Law & Security Review, 35:5, October 2019.
• Milkaite, I. & E. Lievens (2019), The GDPR child's age of consent for data processing across the EU – one year later (July 2019), Better Internet for Kids.
• Fundamental Rights In Courts and Regulation” (FRICoRe) - Judicial Training Project, Database for CJEU case law.

Private International Law issues

• Chen, J. (2016), "How the best-laid plans go awry: the (unsolved) issues of applicable law in the General Data Protection Regulation", International Data Privacy Law, Vol. 6, Issue 4, Nov. 2016, pp. 310–323 + erratum.
• Pinheiro, L. D. L. (2018), "Law Applicable to Personal Data Protection on the Internet: Some Private International Law Issues", Anuario Español de Derecho Internacional Privado, 18, pp. 163-192.
• Von Hen, J. and A. Bizer (2018), "Social Media and the Protection of Privacy: Current Gaps and Future Directions in European Private International Law", International Journal of Data Science and Analytics, 6.3, pp. 233-239.

EU data protection legal framework

• González Fuster, G. (2014), The Emergence of Personal Data Protection as a Fundamental Right of the EU, Springer.
• Hijmans, H. (2016), The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU, Springer.

Please note this page is work in progress. Coordination: Gloria González Fuster and Olga Gkotsopoulou. Contributors: Laura Drechsler, Lina Jasmontaite, Gianclaudio Malgieri, Sara Roda. We welcome and appreciate comments and suggestions, please contact by email.