Will the GDPR be enforced from 25 May?
The GDPR became effective on 25 May 2016 and there has been a two-year period for the entities to prepare for the new set of rules and bring their data processing practices in line with the new regime. EU Member States have equivalently had two years to pass the laws needed to enforce the provisions of the GDPR.
In this blog post, I will briefly address the situation when a Member State fails to adopt the national “implementation laws”, from a legal perspective. It is worth noting that even though the GDPR is a regulation which does not need to be transposed into national law as it is directly effective and applicable across the EU, Member States are still required to bring their laws in line with the GDPR and appoint an authority that will be in charge of the enforcement of the regulation, thus, each Member State has to pass laws with respect to the new rules.
So far, it seems that only a few out of the 28 Member States have passed their "implementation laws". Austria, Belgium, Germany and Slovakia passed their “implementation laws”. Hungary along with other Member States will likely have their laws passed during the course of the Summer.
From a legal perspective, it is fair to say that if a Member State fails to pass the "implementation laws" by 25 May, it is a violation of EU law since all Member States are required to pass the relevant laws necessary to enforce the GDPR. In principle, an EU infringement procedure may be initiated against Member States that have failed to adapt their laws in time. At the same time, it is worth noting that no matter if a Member State has passed its "implementation laws" or not, the GDPR will be applicable from 25 May. The fact is, however, that in the absence of national laws appointing an authority to enforce the regulation, there will be no national authority to enforce the GDPR in that specific country.
Importantly though, this does not mean that companies are relieved of their duty to prepare for the new rules since the regulation applies from 25 May and, furthermore, once the authority gets appointed, that authority will have the power to enforce the GDPR and check compliance retroactively. Preparation is, thus, of utmost importance to all those affected.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.