What the GDPR Requires of and Leaves to the Member States
This white paper explores the legislative actions the GDPR requires member states to take, and the optional powers available to them to create exceptions and to clarify GDPR rules.
Published: 23 April 2018
This IAPP white paper is divided broadly into two sections: The first explores the legislative actions that the GDPR requires member states to take, while the second examines the optional powers and authority available to them to carve out exceptions for or to clarify the GDPR’s rules.
This distinction is derived from the division between what the member states “shall” and “may” do within the articles of the GDPR. These cover such areas as the processing of sensitive data; data processing in the context of employment; conducting DPIAs; appropriate safeguards for data protection for archiving purposes in the public interest, scientific or historical research, or statistical purposes; access rights; automated decision-making and profiling; and data protection officers.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
What the GDPR Requires of and Leaves to the Member States
This white paper explores the legislative actions the GDPR requires member states to take, and the optional powers available to them to create exceptions and to clarify GDPR rules.
Published: 23 April 2018
Contributors:
Müge Fazlioglu
Principal Researcher, Privacy Law and Policy, IAPP
CIPP/E, CIPP/US
This IAPP white paper is divided broadly into two sections: The first explores the legislative actions that the GDPR requires member states to take, while the second examines the optional powers and authority available to them to carve out exceptions for or to clarify the GDPR’s rules.
This distinction is derived from the division between what the member states “shall” and “may” do within the articles of the GDPR. These cover such areas as the processing of sensitive data; data processing in the context of employment; conducting DPIAs; appropriate safeguards for data protection for archiving purposes in the public interest, scientific or historical research, or statistical purposes; access rights; automated decision-making and profiling; and data protection officers.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
Global AI Governance Law and Policy: Jurisdiction Overviews
US State Privacy Legislation Tracker
Organizational Digital Governance Report 2025
US State Comprehensive Privacy Laws Report
