RESOURCE ARTICLEMEMBER

What the GDPR Requires of and Leaves to the Member States

This white paper explores the legislative actions the GDPR requires member states to take, and the optional powers available to them to create exceptions and to clarify GDPR rules.

Published

Contributors:

Müge Fazlioglu

CIPP/E, CIPP/US

Principal Researcher, Privacy Law and Policy

IAPP

This IAPP white paper is divided broadly into two sections: The first explores the legislative actions that the GDPR requires member states to take, while the second examines the optional powers and authority available to them to carve out exceptions for or to clarify the GDPR’s rules.

This distinction is derived from the division between what the member states “shall” and “may” do within the articles of the GDPR. These cover such areas as the processing of sensitive data; data processing in the context of employment; conducting DPIAs; appropriate safeguards for data protection for archiving purposes in the public interest, scientific or historical research, or statistical purposes; access rights; automated decision-making and profiling; and data protection officers.

Contributors:

Müge Fazlioglu

CIPP/E, CIPP/US

Principal Researcher, Privacy Law and Policy

IAPP

MEMBER

Unlock this exclusive content and more

Join the IAPPAlready a member? Sign in

Membership opens up a world of resources

In-depth knowledge

From original research reports and daily news coverage to legislative trackers and infographics, we have the information you need to stay ahead of change.

A global network

Make valuable professional connections through more than 160 local IAPP KnowledgeNet chapters in 70 countries.

Access to the experts

Connect with top thinkers in privacy, AI governance and cybersecurity for fresh ideas and insights.

Learn what you get from membership