8 / 5TH ANNIVERSARY OF THE GDPR
9 /
SLOVAKIA.
SPAIN.
SWITZERLAND.
MAREK PRIESOL BDO Legal | Slovakia
ALBERT CASTELLANOS BDO Legal | Spain
KLAUS KROHMANN BDO Legal | Switzerland
priesol@bdoslovakia.com
albert.castellanos@bdo.es
klaus.krohmann@bdo.ch
LESSONS LEARNED:
LESSONS LEARNED:
LESSONS LEARNED: Switzerland is obviously not a member state of the EU.
Discussions on data protection and privacy in Slovakia are still very much alive, even though five years have already passed since the GDPR came into effect. The COVID 19 pandemic increased Slovak residents’ awareness of their privacy rights, since measures adopted to stop the pandemic led to a large-scale testing of proper protection of personal data concerning health, mainly with respect to the mass population antigen testing organised by the Slovak government in October and November 2020, vaccination, body temperature measurement of all employees before coming to work and introduction of an app developed by the Slovak government for smart tracking quarantine of infected persons (which was not fully implemented due to large resistance from the public on such personal data processing). Discussions are being held recently also with respect to personal data of beneficial owners compulsorily published in the Slovak Register of Public Sector Partners following the case C-37/20 and C-601/20 regarding no unrestricted access to data of beneficial owners to general public.
The GDPR was received in Spain as a mechanism to guarantee citizens’ confidence in the control over their data without the price to be paid for innovation implying a waiver of their rights. Although the legislator has tried to implement the GDPR through the Spanish Data Protection Act, it is a difficult task due to the variety of Spanish sectorial laws that have an impact on data protection (i.e., Whistleblowing Act, Telecommunications Act). As a result, the Spanish Data Protection Agency has detected relevant omissions in the regulatory field, which is evident when observing the sanctioning activity of the Agency, positioned as one of the most active in this area at EU level. Considering the above, we should ask ourselves whether the GDPR is a clear enough regulation and whether it is adequate to achieve its objective in its current state.
Nevertheless, the GDPR had a strong influence in Switzerland. In 2016 a legislation project was started for a total revision of the Swiss Federal Act on Data Protection. After lengthy discussions in Parliament, on 25 September 2020 the new law was finally enacted and will enter in force on 1 September 2023. The completely revised Data Protection Act (DPA) is based on very similar concepts to the GDPR, however, it also has clear deviations. For example, the sanction regime under the DPA is based on penal sanctions instead of the administrative fines as per the GDPR. Moreover, in-keeping with the tradition of the drafting of Swiss laws, the articles of the DPA are phrased in a more general and less specific manner. This gives, on the one hand, more room for interpretation and development of the law, however on the other hand, there is less guidance and surety for future practice.
PREDICTIONS FOR THE FUTURE:
PREDICTIONS FOR THE FUTURE:
The main initiative to be considered will be the data processing developed around AI components. A challenge in Spain will be the implementation of the proposed Artificial Intelligence Regulation of the European Parliament and the Council. The challenges to be considered will be: Understanding the functioning of AI systems and their impacts on people. Allowing and guiding the development of AI that respects personal data. Auditing and controlling AI systems and protecting people. In this regard, Spain has already considered the creation of the State Agency for the Supervision of Artificial Intelligence, to design a strategy to regulate and protect the rights of the data subjects.
PREDICTIONS FOR THE FUTURE:
The new Swiss DPA will uplift data protection in Switzerland to new levels. Impressed by the sanctions given under the GDPR, data protection gained more respect and attention. Looking deeper into the matter, the sanction system of the Swiss DPA seems to be vague and the future will show whether such a system will in fact enable the enforcement of data protection violations or the experiment to introduce sanctions in this area will turn out to be a damp squib.
The balance between the fight against money laundering and sufficient protection of personal data must be found and it is the duty of the competent Slovak authorities to comply with given CJEU judgment. It is necessary that personal data is not degraded only to the level of a “source” but is still understood as a unique identifier associated to a specific person that must be protected.
The new Swiss DPA will uplift data protection in Switzerland to new levels.
Made with FlippingBook interactive PDF creator