The General Data Protection Regulation (GDPR)[1] is directly applicable in all the Member States. Nevertheless, in accordance with the GDPR, Member States must take necessary legislative steps, for instance, to set up national supervisory authorities, to choose an accreditation body or to lay down rules for the reconciliation of freedom of expression and data protection.

The GDPR gives Member States the possibility to put in place specific rules for certain specified processing situations (so-called ‘specification clauses’), such as in the context of employment. The GDPR does not allow Member States to adopt specific rules for voluntary organisations or associations nor to exempt them from some or all of the provisions of GDPR.

Any measure which would have the result of creating an obstacle to the direct effect of the GDPR or of jeopardising its simultaneous and uniform application in the EU would be contrary to the Treaties[2]. Member States must in any event ensure that any national measure respects Article 8 of the Charter of Fundamental Rights of the EU and Article 16(2) of the Treaty on the Functioning of the European Union (TFEU).

Member States must notify to the Commission the provisions on data protection authorities[3], on penalties[4] and on reconciling the right to data protection with the right to freedom of expression and information[5]. In case Member States regulate the processing of personal data in the employment context or the obligation of secrecy, these provisions must also be notified to the Commission[6].

The Commission is currently receiving those notifications and does not yet have a comprehensive overview. The Commission is launching a study to evaluate the use of some of the specification clauses by Member States.

• [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
• [2] Case 94/77 Fratelli Zerbone Snc v Amministrazione delle finanze dello Stato ECLI:EU:C:1978:17.
• [3] Article 51(4) GDPR.
• [4] Article 84(2) GDPR.
• [5] Article 85(3) GDPR.
• [6] Article 88(3) and 90(2) GDPR respectively.