GDPR Implementing Laws: The Complete List (EU, EEA, and UK)

The EU General Data Protection Regulation (GDPR) applies across the whole of the European Economic Area (EEA), plus the UK. Each country has implemented a national law that specifies how the GDPR applies in that jurisdiction.


We’ve compiled a list of every GDPR implementing law. The list includes a link to each country’s law, plus one or two facts about any country-specific rules or exemptions. 

Austria 

Federal Law 165/1999 (Data Protection Act) 

Austria’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 14 or under. 

Belgium 

Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data 

Belgium’s law establishes the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under.  

Bulgaria 

Personal Data Protection Act (Direct PDF download) 

Under Bulgaria’s law, data subjects must raise a complaint within six months of the alleged violation occurring. The act sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 14 or under. 

Croatia 

Personal Data Protection Act (Direct PDF download) 

Croatian law provides additional powers to the data protection authority beyond those listed in the GDPR. 

Cyprus

Law 125(I) of 2018 

Under Croatia’s law, certain violations of the GDPR are punishable by a prison sentence of 1-5 years. 

Czechia (Czech Republic) 

Act of 12 March 2019 on Personal Data Processing 

Czech law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under.  

Denmark 

Act No. 502 of 23 May 2018 (Data Protection Act) 

The Danish Data Protection Act sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under. The Danish law also provides some additional exemptions from the “right of access”, including for the protection of trade secrets.

Estonia 

Personal Data Protection Act (PDPA) 2018 

Estonia’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. The act also contains some provisions concerning the persistence of a data subject’s consent after their death. 

Finland 

Data Protection Act (1050/2018) 

Finland’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. The law interacts with Finland’s Workplace Privacy Act in some important ways regarding the processing of employee data. 

France 

Loi n° 78-17 (Data Protection Law) 

France’s law implements provisions from both the GDPR and the ePrivacy Directive. The law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under. 

Germany 

Federal Data Protection Act 

Germany’s law provides a set of special conditions under which an organisation must appoint a data protection officer (DPO), including where more than 10 people regularly process personal data. 

Greece 

Law No. 4624/2019 (Direct PDF download) 

Greece’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under. Article 27 of the law sets out some specific rules for processing employee data. 

Hungary 

Act CXII of 2011 on the right to informational self-determination and on the freedom of information 

Hungary’s law integrates both data protection and freedom of information into a single act. The law allows a designated individual to exercise data subject rights on behalf of a dead person for five years following their death. 

Iceland 

Act on Data Protection and the Processing of Personal Data 

Iceland’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. The law applies to “the processing of personal data of deceased natural persons, where appropriate, for a five-year period from their deaths or longer, when this concerns personal data which is fair and reasonable to keep confidential”. 

Ireland 

Data Protection Act 2018 

Ireland’s law prohibits employers from requiring employees or applicants to make a subject access request. The age of a “child” for the purposes of Article 8 GDPR is currently 16, but subject to review. 

Italy 

Personal Data Protection Code 

Italy’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 14 or under. There are special rules around the high-risk processing of health, biometric, and genetic data, for which controllers cannot rely on “consent” alone. 

Latvia 

Personal Data Processing Law 2021 

Latvia’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. 

Liechtenstein 

Datenschutzgesetz (DSG) 

Liechtenstein’s law applies a duty of confidentiality to doctors, lawyers and hospitals regarding data about dead people. Certain violations of the law are punishable by imprisonment. 

Lithuania 

Law on Legal Protection of Personal Data 

Lithuania’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 14 or under. Lithuanian law prohibits the processing of national identification numbers for direct marketing purposes. 

Luxembourg 

Law of 1 August 2018 (Data Protection Law) 

Luxembourg’s law prohibits relying on a data subject’s consent for the processing of genetic data. The data protection authority can impose daily fines of 5% of the daily average turnover for the previous year under certain conditions. 

Malta 

Data Protection Act 

Maltese law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. The law also sets an age threshold of 16 for the purposes of processing students’ data. 

Netherlands 

Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG) 

The Dutch UAVG allows the processing of national identification numbers only for purposes provided by law. A controversial decision by the data protection authority states that a “purely commercial interest” can never be a “legitimate interest”. The CJEU will rule on this case. 

Norway 

Data Protection Act 

Norway’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. The law provides an exception to the GDPR’s transparency and access rights where disclosing the information might harm the data subject’s health. 


Poland 

Ustawa z 10 Maja 2018 o Ochronie Danych Osobowych (UODO) (Direct PDF download) 

Poland’s UODO provides exemptions to data subject rights on several grounds, including credit and money laundering. 

Portugal 

Act 58/2019 (Data Protection Act) 

Portuguese law regulates the processing of genetic and health data about dead people. The law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under.

Romania 

Law No. 190 (Data Protection Act) 

Romania’s Data Protection Act interacts with other data-related regulations in the areas of accounting and employment law. 

Slovakia 

Act No. 18/2018 (Data Protection Act) 

Under Slovakia’s law, a close relative of a person who has died can provide consent on their behalf, provided there are no objections from other close relatives. Slovakian labour law restricts the types of personal data that can be collected in connection with employment. 

Slovenia 

Zakon o Varstvu Osebnih Podatkov (ZVOP-1) 

Slovenia’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under. There are special rules regarding the use of CCTV in the workplace. 

Spain 

Organic Law 3/2018 (Data Protection Act) 

Spain’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under. The law provides special rules for the processing of “business contact details”. 

Sweden 

Lag (2018:218) (Data Protection Act) 

Sweden’s law states that processing based on “public task” is only permitted when justified under a specific statute, order, or collective bargaining agreement. The act sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 13 or under. 

United Kingdom 

Data Protection Act (DPA) 2018 

The UK’s law sets the age of a “child” for the purposes of Article 8 GDPR as a person aged 15 or under. The UK is in the process of reforming its data protection law, which will likely result in significant changes to the DPA 2018. 
