The General Data Protection Regulation

Home » Policy Landscape » Privacy » The General Data Protection Regulation

The GDPR and national landscapes

It is important to note that the GDPR leaves some leeway for the European Member States (hereinafter referred to as Member States) in specific areas, to establish further guarantees for their national legislation. This inevitably creates a more complex harmonization process where the controllers and processors also have to check their accountability with reference to the EU and to the national legislation. As expected by legal professionals, the national implementations of the GDPR will further help in defining the specifications of all derogations that the GDPR allows for. At the same time, these local derogations demand a lot of caution from smaller enterprises that may be established, offering goods or services, or monitoring behaviour of data subjects in more than one European Member State; since they do not only need to comply with the GDPR but also with each applicable national law. As a consequence, companies could be in a position where resources are limited, and the legislation has quickly evolved so as to make data protection a serious duty for any company that stores or processes personal data, even occasionally.


On the other hand, national data protection authorities have been more active in providing organizations with guidance on how to cope with the requirements and obligations that have arisen from both the EU and national laws. The data protection authorities and the European Data Protection Board help transform the legal complex documents into more comprehensive and practical tools. will help raise awareness of national legislations that can differentiate from the harmonized law by providing recommendations to SMEs which specifically mention where a derogation of a Member State is possible or not. However, even though the GDPR provided an updated legal framework to protect personal data, the challenge comes up when one considers what the practical implementation of this framework is. The GDPR allows for approved certification mechanisms as a way to demonstrate the compliance with the data protection rules; however, until such certification mechanisms get approved according to the GDPR, the data protection matters still cannot be easily integrated with the cyber security solutions available in the market. This means that currently there seems to be a gap between the legislation and its application when it comes to techniques of ensuring and demonstrating compliance through certifications. Furthermore, there seems to be a gap in applying the GDPR in more complex processing operations that may be involved in, for example, Internet of Things and Artificial Intelligence.


The GDPR international landscape

To complicate matters further, the reach of the GDPR extends outside the borders of the European Union. It is fundamental to mention that the amount and complexity of international legislation on data protection can vary enormously – any country may have new, old or no laws relating to this field. In consideration of the possible disparity that may exist internationally, the GDPR has created a requirement where in order for transfers of personal data to take place outside the European Union, there must be appropriate safeguards for the protection of personal data. One of the possible ways to assess an adequate level of protection in a country outside the EU is to check whether there has been an adequacy decision published by the European Commission, which will allow controllers and processors to transfer legally.


Furthermore, another crucial element that enlarges the impact of the GDPR on an international level is its extraterritorial scope. More precisely, the GDPR is applicable to all legal entities who:

  • process personal data (e.g., name, surname, e-mail address, phone number, location, IP address) in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether or not the processing takes place in the European Union;
  • offer goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union.
  • monitor the behaviour of data subjects as far as their behaviour takes place within the European Union.

Hence, this means that the GDPR applies also to organizations that do not have an establishment in the European Union. This international scope has generated further challenges, such as, when it comes to jurisdictional matters regarding online services of technological companies violating the applicable law. An example of this uncertainty is the 50 million euros administrative fine issued by the French Data Protection Authority to Google, which used the reasoning that since at the moment of investigation Google Ireland Limited was not the controller of Google’s processing activities, it allows for the Commission Nationale de l’Informatique et des Libertés (CNIL) to also issue a fine instead of having a scenario where the Irish Data Protection Authority is considered to be the “lead supervisory authority".


Electronic communication networks and interconnected digital services have become ubiquitous as they have permeated every fold of everyday life. At a time when automated profiling and electronic surveillance have become commodities, citizens and businesses alike may face limitations and threats when they have personal data processed or seek to protect their privacy on the internet or when using general communication services. Limitations in the transparency, the functionality and interconnectivity of online and communication services increases the risk of having personal data processed out of control of any accountable person or organization or simply becoming exposed to all sorts of privacy threats.

Future Events

The CYBERSEC2019 will be held on 29-30 October 2019 in Katowice, Poland. This is a public policy conference dedicated to strategic security aspects of the global technology revolution and a thriving inter-national community that combines the knowledge and experience of experts and professionals.

29/10/2019 to 30/10/2019

Cyber Security Summit is the UK’s largest one-day event dedicated to cross-sector learning for cyber preparedness across government, the public sector, critical national infrastructure and industry. Connecting 2,000 senior-level business, security, technology and data leaders – this event provides a unique platform to debate national leadership priorities and share best practice solutions to achieve cyber resilience in a fast-moving digital world.