TRACKING THE GDPR: How to Keep Up with National Law Developments

Written by Nymity
on June 14, 2018

Almost three weeks have passed since the GDPR became applicable on May 25th. The days leading up to this date—and following it—have been a bit stressful for some organisations. We saw a series of complaints being filed against certain US tech giants and some media agencies withholding services from European users. However, for most organisations that have to concern themselves with daily GDPR compliance matters, there are many new developments that support ongoing GDPR compliance.

To assist organisations in their ongoing GDPR compliance journey, we held the first of our quarterly update webinars on tracking the GDPR and how to keep up with national law developments. Nymity Research™ withNymity GDPR Implementation Tracker™ were the privacy software tools used to derive the content for the webinar.

State of Play – National Implementation

The GDPR now fully applies in the 28 member states of the EU. However, not all member states have met the deadline to ensure that the GDPR is also fully embedded in national law. Today, at the national level, many countries do not have their implementing laws in place.


  • 13 EU member states and 1 EEA Country (Norway) have finalised their legislative processes.
  • In France, procedure before the Constitutional Council is pending.
  • Belgium has not yet passed the material conversion of GDPR into national law, only the new DPA Act.

Many countries have missed the deadline for putting in place their own implementing laws and many organisations ask what this means for them. Paul Breithbarth, Nymity’s Director of Strategic Research and Regulator Outreach and Former Senior International Officer, Dutch DPA opines that they should continue to apply the GDPR, as well as monitor the implementing laws in the countries in which they operate, in order to ensure compliance. Based on the Directive 95/46, DPAs (Data Protection Authorities) have been established under national law in all 28 member states.

The fact the Directive was repealed doesn’t mean the national implementations are suddenly void as was also confirmed by the Chair of the European Data Protection Board during her first press conference. Enforcement can happen, and by the time investigations are concluded and it is time to impose sanctions, it is likely the legislative procedures will be finalised as well. Non-compliance is not really an option.

State of Play – National Implementation

Age of Consent

For the GDPR, the age of consent is only relevant in relation to the offer of information society services directly to a child. Article 8(1) of the GDPR sets the age of consent at 16 years. Member states may provide a lower age, between 13 and 16.

The state of play for the age of consent is a mixed bag, during the GDPR negotiations it was already clear that member states could not agree to a single age of consent. This can clearly be seen in the implementing laws.


So far, 10 member states have decided not to lower the age of consent below 16. In France and the Netherlands, the age of consent is a contentious issue and one that will need to be monitored.  

State of Play – National Implementation

Appoint and Registration of a DPO

Another area that has been confusing and has caused quite a bit of consternation is the requirement in GDPR Article 37 to appoint a Data Protection Officer (DPO). A DPO is not required in all circumstances. A DPO is mandatory for public sector organisations if the data processing concerns regular, systematic and large-scale monitoring or if it involves the processing of large-scale sensitive data. In Germany, a DPO is also mandatory in cases where a DPIA needs to be completed (Art.38 BDSG).

Limited guidance is available so far on the large-scale requirement, since no definition of large-scale is included in the GDPR. Many organisations have asked for guidance on this point.

The Dutch DPA has set the definition of large-scale in healthcare as 10,000 patients in a single system for healthcare practices, as well as hospitals and pharmacies. The Estonian Commissioner has also provided some guidance, stating that 5,000 individuals can be considered large-scale when using specific categories of data.

The point here is that organizations should be careful what they wish for in terms of regulator guidance, as 5,000 might be considered reasonable for SMEs, but could apply to any and all data processing in large organisations. Where the GDPR is silent or vague about specificities, the important thing is to document your decisions and be prepared to defend them.

State of Play – National Implementation

Other Highlights

Specific differences at the national level:

Here are some notable provisions to the data protection act that data controllers and data processors should be aware of:

  • Austria: additional security requirements for image processing (Section 3, §13 DSG).
  • Germany: document grounds for refusal of data subject rights (Art. 34 nBDSG).
  • Croatia: specific requirements for CCTV recordings, including access limitations and logs. CCTV cannot be used to monitor performance of employees or building staff. (Art. 28 Croatian Act).
  • Netherlands: the prohibition to process data concerning health does not apply for processing that is relevant in social security related matters such as support payments depending on illness (Art. 30 UAVG).

Many member states have included specific provisions in the law on data processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

The European Data Protection Board (EDPB)

The EDPB had their first meeting on the 25th of May, where the Rules of Procedure were adopted. Plenary meetings will be held monthly (excluding August). 

The GDPR is officially here and the compliance journey has just begun. While most organisations are GDPR ready, the challenge lies in monitoring and complying with the evolving implementing laws at the national level. To learn more about this, contact a Nymity team member to request a free trial

You may also like:

GDPR ccpa
New IAPP and TrustArc Report Reveals a Majority of Companies Are Embracing a Single Global Data Protection Strategy

Survey explores differences in data and privacy practices based on company size, location, sector and geographic reach

GDPR ccpa
TrustArc’s Nymity Awareness Tracker Enables Privacy Knowledge Across Entire Business

Tailored Information Empowers Privacy Champions at Every Level

GDPR ccpa
REIMAGINING PRIVACY: TrustArc Acquires Nymity

Terry McQuay, President and Founder at Nymity Today we’re pleased and proud to be announcing that Nymity, the company ...