Germany has released the second draft of a law implementing the GDPR, which will replace the current national privacy legislation, the Bundesdatenschutzgesetz (BDSG), and sit alongside the GDPR itself. According to the Regulation, Member States may legislate on specific matters while respecting the general principles set out in the Regulation: Germany apparently is already doing so.
In addition to restrictions on certain obligations of the Controller and on the rights of Data Subjects (as provided by Art. 23 GDPR), details about personal data of employees, specific provisions on processing for historical or scientific purposes, etc. (see the full list on the valuable “Privacy Matters” page by DLA PIPER linked below), the draft contains a few points which I found particularly interesting:
* Compulsory DPO – Art. 37 par. 4 of the GDPR leaves Member States the possibility to define the mandatory criteria for appointing a DPO; Germany essentially proposes maintaining the existing policy: more than nine staff who process personal data, as a general rule. This certainly is a rather strict rule (with due respect to those who claim that “there will not be many companies that will need a DPO” …) but at least it’s a clear rule.
* Enforceability against individuals – The GDPR provides sanctions only for legal persons (Controller or Processor); the BDSG draft provides penalties (up to 300,000 €) for natural persons “acting on behalf of the Controller or Processor” as well. NB: those we used to call “data handlers”, who seemed to have disappeared from the GDPR [sometimes they come back!], may certainly fall under this definition, but perhaps even the DPO, considering that in some way they “act on behalf” as well…
A final thought: if this is the scope of national implementing rules, maybe those who claim that the GDPR actually is a “Directive disguised as Regulation” may not be wrong, and the real game will be played on the ground of national laws once again. Therefore we expect to see similar moves from the Italian legislator.
BDSG draft – Courtesy DLA PIPER “Privacy Matters”