Prior authorization/notification requirements (from Baker McKenzie 2019)

General comparison via Baker McKenzie (via compare jurisdiction and topics),7b3389f4364545d8933d7ccb76b6d5c8

In many articles it is stated that prior notification/authorization requirements had been replaced with GDPR by the need to have high-risk Data Protection Impact Assessments reviewed by the Supervisory Authorities (GDPR Art 36). – However, there are still cases in which more specific prior notification/authorization requirements exist (GDPR Art 36 (5) and Member state laws (via opening clauses)).

According to the above source, in the EU, -and omitting DPO registrations – there are requirements for
(check source above for the precise wording, my own summary below)

  • Belgium
    (CCTV, sometimes communication of health data)
  • Denmark
    (purpose-related: warning someone to engage in some business, creditchecks/financial standing-related, legal information system-related)
  • France
    (sometimes for processing of person’s NIR (national identification registry) number; state investigations; biometric or genetic data for authentication on behalf of the state; some transfers of personal data to a third country (GDPR 43 (3) a);
    ad hoc scheme for health data and subjects their processing to a prior declaration of conformity with standard references (“référentiels”) of the CNIL. Failing that, article 54 of the Data Protection Act states that processing shall be subject to the CNIL’s prior authorization, except in the field of health research or study. ” (quote from URL above) [Exceptions for some bodies and services listed via a Ministerial Order]

For France/CNIL: Overview by Baker McKenzie