2017

The Member States in Luxembourg have numerous options when it comes to implementing the General Data Protection Regulation (GDPR) and recently submitted a new bill to parliament that seeks to abolish the Act of Aug. 2, 2002 on the Protection of Persons with regard to the Processing of Personal Data.

The bill designates the current data protection authority - the CNPD - as the competent authority for enforcement of the GDPR and increases the number of effective members from three to four. It also focuses on investigation and enforcement, and an internal separation between investigation and decision-making powers.

Clarification is offered regarding the GDPR 's fines and includes administrative fees to public authorities, and penalties to compel compliance with CNPD decisions. Specific provisions for journalistic-, research- and healthcare-related data processing also will apply.

Late March, the Polish Ministry of Digital Affairs published a partial draft of the new act on data protection. This is a clear signal that the Polish government has launched preparations for the GDPR.

The draft is not a comprehensive regulation, since it only addresses certain issues as Data Protection Officer, good practices on data security, interim decisions, inspections, accreditation, financial penalties, and DPA 's guidelines. Yet, while entrepreneurs are preparing to implement changes to ensure their compliance with the GDPR, the Polish government is simultaneously seeking to adapt the current Polish legal framework.

The new draft legal provisions are in public consultation, and it is assumed that other legal acts containing specific data protection provisions might also be amended.

The Romanian government has published a "Draft Law" that will implement the mandatory provisions of the European Union's (EU) General Data Protection Regulation into local legislation.
 
Changes focus on the independence and powers of the Romanian Data Protection Authority (Romanian DPA), the procedural steps to be taken during investigations and the method of cooperation during cross-border investigations, the sanctioning of data protection legislation branches, and the procedure for complaints filed by data subjects with the Romanian DPA.