  • Several member states lift the prohibition on processing health data without the individual's prior consent when such data is necessary for medical treatment or diagnosis, or to ensure high-quality standards for the health care industry and medicinal products.
  • The Dutch GDPR implementing act lifts the prohibition on processing biometric data (which is considered sensitive data used to uniquely identify a person) without prior consent when such data is needed for authentication or security purposes. This could, for instance, cover access control mechanisms for a company's premises.
  • Several member states have provided that sensitive employee data can be processed without prior consent when needed in the context of workers' reintegration or assistance in case of disability or illness, or to comply with social security, taxation and other legal requirements where the individual has no overriding interest in such data not being processed.
  • The requirement to appoint a data protection officer was further tailored in Germany, where the appointment of a DPO was already largely required before the GDPR. Germany's GDPR act provides that companies that employ at least 10 persons who process data, perform processing that requires a Data Protection Impact Assessment, or (anonymously) transfer or process data for market or opinion research must appoint a DPO.
  • Most member states have lowered the minimum age at which children can provide legally valid consent for information society services to the minimum age permitted by the GDPR, 13 years old.
  • From a procedural perspective, several GDPR implementing laws allow for “class actions” through which individuals mandate a nonprofit organization (e.g., a consumer rights organization) to represent them in regulatory and/or legal proceedings. Member state implementing legislation also occasionally provides procedural rules for regulatory proceedings before the national Supervisory Authority, including appeal options, and certain specifics for administrative fines.
  • Both the Austrian and Hungarian statutes indicate that their local Supervisory Authorities should issue warnings before resorting to fining (or other corrective) powers, especially for first-time violations. While the enforceability of these limitations on Supervisory Authorities' powers may be questionable as a matter of EU law, they currently form an express part of the Austrian and Hungarian GDPR statutes.

Jan Dhont, located in Alston & Bird's Brussels office, works with public and private companies in the EU and worldwide to resolve legal issues. Lauren Cuyvers is an associate in the Brussels office and a member of the privacy and data security group.