top of page



When to still check national law

This section of the Handbook highlights situations where national data protection law should still be consulted. Even though the GDPR aims to harmonise data protection law across the EU, in several cases the Regulation does allow Member States to adopt national laws which deviate from or supplement the GDPR. In practice, this means that for some data protection aspects you will encounter different rules from one Member State to the next.

If you operate in more than one Member State, it is important that you consider the possible differences in national legislation.

A distinction should be made between areas where Member States must have national or regional laws and areas where Member States may have such laws.

FORM (1).png

Areas in which Member States must have local laws

  • Personal data and freedom of expression: the exception for processing for journalistic purposes and purposes of academic, artistic or literary expression. Member States remain responsible for determining the balance between the right to privacy and the right to freedom of expression. If you are working in the media sector, note that you should carefully consider the fact that the rules in this area will differ from one Member State to the next.

  • Personal data contained in official documents: Such personal data may be processed in order to reconcile public access to official documents with the right to the protection of personal data. Member States are responsible to balance the right to privacy and the need to process personal data where this is necessary in the public interest.

  • Penalties

FORM (3).png

Areas in which Member States may have national or local laws

  • Professional secrecy and its reconciliation with the right of personal data protection. Member States are free to put in place specific obligations regarding professional secrecy in certain sectors (e.g. law firms or banks).

  • Processing for scientific, historical or statistical purposes: Member States can restrict data subject’s rights (to access, rectification, restriction of processing and to object) because they threaten to render impossible or seriously impair the achievement of those purposes, under the condition of setting out appropriate safeguards and if there is no risk of breaching the privacy of the data subject.

  • Seeing that employment laws of Member States mostly remain outside the scope of legislative competence of the EU, the GDPR leaves room for Member States to create laws governing the relationship between the GDPR and national employment law. In practice, if your company operates in multiple Member States, you will face different requirements with respect to the processing of personal data of employees.

  • Personal data of deceased persons

  • Children’s age of consent

  • Special categories of data

  • Genetic, biometric or health data

  • The use of surveillance camera’s

  • Rules about Data Protection Officers

  • National identification numbers (any other identifier of general application). Member States are free to set their own rules regarding the processing of national ID numbers.

  • Under certain conditions churches and religious establishments are allowed to impose rules on the processing of personal data

Time for action


Consider which Member States’ laws apply to your operations and go check national data protection law for additional or more specific obligations.

bottom of page