The basis of all personal data in the EU

Expert view
We can say right away that the most important general requirements regarding personal data are the same everywhere and are based on the 7 principles of GDPR:

1) Legality, fairness and transparency of the processing of personal data for and with the consent of the data subject;

2) Restriction of purpose - processing is only for legitimate purposes that are clearly indicated to the data subject when collecting the data in the privacy policy;

3) Data minimization - as much data can be collected and processed as necessary to achieve the purposes;

4) Accuracy - personal data must be current, and inaccurate and redundant data (given the purpose of collection) must be deleted or corrected;

5) Retention limitation - personal data may be stored only within the scope of achieving the objectives;

6) Integrity and confidentiality - processing must be performed in such a way that to ensure the security, integrity and confidentiality of the data;

7) Accountability - the controller is fully responsible for all processes related to personal data and must demonstrate compliance of the processes with GDPR requirements.

The main documents in force in the EU in the area of personal data are:

  • Regulation 2016/679 (The General Data Protection Regulation) - on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • Regulation 2018/1725 - on the protection of natural persons with regard to the processing of personal data by institutions, bodies, authorities and agencies of the Union and on the free movement of such data;
  • Directive 2002/58/EC - on the processing of personal data and the protection of privacy in the electronic communications sector;
  • Directive 2016/680 - on the protection of natural persons with regard to the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Explanation of the law situation

The GDPR applies in all EU countries with the same legal force as if they were local laws. That said, EU member states have to adopt their own laws to implement GDPR, but they may differ, because GDPR is primarily general and boilerplate, which sets the trend (for example, under GDPR the age of consent to process personal data is 16, but each state may set its own).

This is how it is organized so that processes within a state comply with the uniform requirements set by the EU. Each country, based on its national peculiarities and the problems it has faced - has put emphasis on certain conditions and itself determines the severity of penalties for violations.


Germany has a Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).

The BDSG applies if the processing of personal data is not for personal (family) purposes. All other personal data laws apply as well.

Features and additions to the GDPR:

1) More detailed requirements for the appointment of an officer responsible for the processing of personal data (DPO) compared to the GDPR: an organization must appoint a responsible officer if more than 20 people are processing personal data automatically or if the processing involves the transfer and anonymization of data, market research, and the DPO must be provided to the supervisory authority;

2) It is expressly prohibited to transfer a pool of personal data obtained without the subjects' permission - for commercial purposes or to harm the subjects;

3) Video surveillance in publicly accessible places is allowed: public authorities are entitled to carry out for the protection of life and health of citizens (to prevent threats to state and public security, criminal offenses), if the video surveillance is necessary to protect legitimate interests and these interests are higher than the subjects' right to protection of personal data;

4) It is allowed the processing of data for scoring before the conclusion of the contract, provided that:
  • compliance with the law on the application of data protection measures;
  • the calculation of the probability value is based on a scientifically recognized mathematical-statistical procedure;
  • the address data have not been used for the sole purpose of calculating the probability value (not for the offer of services or delivery to third parties);
  • if the address data were used, the subject was informed about the expected use of these data before the calculation of the probability value;
  • the scoring process is documented and has instructions.
5) The age of consent to data processing is 16 years;

6) Additional liability:
- fines for violation of the BDSG possible up to 50,000 euros,
- imprisonment up to 2 years.


In Greece, in addition to the GDPR, Law 4624/2019 of 29.08.2019 was passed, which raised many questions because it did not comply in part with the current Greek law or the GDPR. This law has been criticized for its vague wording.

Features and additions to the GDPR:

1) The age of consent to process personal data is 15 years old, otherwise only with the consent of the legal representative (parents, guardians, etc.);

2) Processing of genetic data for life and health insurance and risk assessment purposes is prohibited;

3) Processing of special categories of data by public and private entities without the consent of the data subject is allowed, when it is mandatory for health, social security and workability assessment, security purposes, but subject to measures to protect the interests of the data subjects;

4) Processing of personal data for journalistic or academic, artistic or literary purposes without the consent of the data subject is permitted, provided that the right to inform the public is greater than the right to privacy;

5) The data controller has the right not to delete personal data at the request of the data subject if the controller has reason to believe that the removal may adversely affect the legitimate interests of the data subject;

6) Additional liability for breaking the law (archiving, deletion, copying, unlawful use of personal data): imprisonment of up to 1 year. In the case of special categories of data, imprisonment of at least 1 year and a fine of up to 100,000 euros is imposed. And if it is done for commercial purposes and the total benefit exceeds 120,000 euros, imprisonment of up to 10 years.


In Denmark, in addition to GDPR, Act 502 of May 23, 2018 applies.

Features and additions to GDPR:

1) It is prohibited to use pre-checked consent checkboxes for the collection and processing of personal data. In addition, the notice that "continued use is consent to the rules", including for cookies, is not a valid consent. The use of cookies, whether or not the data collected includes personal data, the placement and functionality of cookies - requires the consent of the user;

2) In order to fully notify the data subject about the processing of personal data, the controller must take active steps: it is not enough to simply publish the policy on the site, the user must clearly tick the box and prove that he/she understands everything;

3) If the controller accidentally receives personal data that he did not ask for and does not need - he must notify the data subject no later than 10 days after receiving the data;

4) The obligation for large companies to supplement the management's financial report with a report on the implementation of the company policy regarding the processing of personal data;

5) There is a division between "ordinary data" and "sensitive data" with respect to personal data, even though this is not explicitly mentioned in the GDPR. Sensitive information is personal data that, due to its nature and context, requires special protection because accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to such personal data could lead to physical, material, or other losses for the data subject (e.g. income, wealth, working conditions, domestic family relationships);

6) When recording conversations with customers - for example, for quality assurance - the controller must obtain consent from the data subject before the conversation is recorded;

7) Age of consent to process personal data - at least 13 years old;

8) Data controllers collecting personal data via social media may be considered joint controllers with the social media rights holder;

9) Additional liability - under criminal liability, imprisonment for up to 6 months


Spain has Law 3/2018 of December 5, 2018 - Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales.

Features and additions to the GDPR:

1) Give the controller the opportunity to handle the complaint independently. If a complaint is filed against the controller or processor with the supervisory authority: the supervisory authority notifies the controller and the person in charge of personal data processing (DPO) has the right to resolve the issue independently within two months of receiving such a complaint;

2) The provision of the law that political parties may use personal data obtained from web pages and other public sources to carry out political activities during the election period has been strongly criticized. After appealing this provision to the constitutional court - it has been amended and now political parties are entitled to process political opinions only if they were freely expressed by people in the exercise of their right to freedom of expression and their ideological freedom;

3) There is a whole chapter on digital rights guarantees.Several articles talk about privacy protection in the workplace, such as the right to privacy and the right to use digital devices in the workplace, the right to privacy from the use of video surveillance and sound recording devices in the workplace and the use of geolocation systems in the performance of work obligations. Also established are the rights:
  • the right to freedom of expression and information, especially with regard to online expression;
  • the existence of algorithms in social networks (and public resources) which enable the correction and deletion of published information;
  • the right to be forgotten on search engines and social networks.

4) Consent to the use of cookies may be considered to be legally obtained if the site provides at least a minimum of information about the use by means of a banner. Consent will be the unambiguous action on the subject indicating consent, for example, using the scroll bar or clicking on links on the site visited;

5) The age of consent to process personal data is 14 years old;

6) Additional liability

Criminal liability in the form of imprisonment of 1 to 4 years and/or a daily fine of 12 to 14 months may be imposed on a person who commits acts to disclose personal data without the consent of the subject: breaking into an email or mailbox, messenger, other storage; interception of telecommunications; using technical devices to listen, transmit, record or reproduce sound or images.


In France, in addition to the GDPR, the amended Law No.78-17 of January 6, 1978 relative à l'informatique, aux fichiers et aux libertés (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés)

Features and additions to the GDPR:

1) Personal data of deceased individualsmay be processed if the data subject did not express his or her refusal during his or her lifetime;

2) The age of consent to data processing is 15 years;

3) Any data subject has the right to register in a special register - Bloctel and thereby express their refusal to receive advertising calls and letters (messages). This refusal is valid for 3 years and can be renewed every 3 years. Moreover, if the subject has signed a contract with the controller - he can call, but after that he can't offer any goods and services, if his data is contained in Bloctel;

4) When using cookies on a site, consent must be explicit: scrolling down, swiping or browsing the site or app is not enough to make it count as consent. Consent must reflect the will of the subject: it must be informed in a clear, complete and visible way, and mere reference to the general terms of use of the site is not enough;

5) It is possible to buy marketing lists with data from third parties, as long as there is proper authorization to transfer personal data from the subjects contained in the lists and adequate data protection is provided;

6) In an employee-employer relationship, it is not necessary to obtain written consent to process personal data, as this is assumed from the outset, so:
  • It is permitted to track the geolocation of vehicles driven by employees, if this is done during work, employees are informed of this;
  • It is permitted to record employee phone calls, if this is consistent with a predetermined purpose, such as for training or service quality assessment;

7) Additional liability:
  •  imprisonment up to 5 years,
  • penalty for individuals up to €300 000,
  • fine for legal entities up to €1 500 000.

To summarize, each country has its own peculiarities, laws and regulations, which must be taken into account when expanding and opening a business. It is always better to learn about them in advance and provide for them, than to frantically correct violations later.