Obligations in scope
Article 9 — controller
Ensure that processing for employment and social security purposes is authorized by Union or Member State law or a collective agreement and provides for appropriate safeguards for the fundamental rights and interests of the data subject. Action required: authorize.
Article 88 — Member States
Member States may provide for more specific rules by law or collective agreements to ensure the protection of rights and freedoms regarding the processing of employees' personal data in the employment context. Action required: provide.
Article 88 — Member States
The specific rules adopted by Member States shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests, and fundamental rights, with particular regard to transparency, data transfers within groups, and monitoring systems. Action required: include.
Article 88 — Member States
Each Member State shall notify the Commission of the provisions of its law adopted pursuant to paragraph 1 by 25 May 2018. Action required: notify. Deadline: 25 May 2018.
Article 88 — Member States
Each Member State shall notify the Commission without delay of any subsequent amendment affecting the provisions of its law adopted pursuant to paragraph 1. Action required: notify. Deadline: without delay.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 9 — authorize (controller)
- Art 88 — provide (Member States)
- Art 88 — include (Member States)
- Art 88 — notify (Member States)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 9 | controller | — | — |
| Art 88 | Member States | — | — |
| Art 88 | Member States | — | — |
| Art 88 | Member States | 25 May 2018 | — |
| Art 88 | Member States | without delay | — |
Penalty exposure
None of the 5 obligations on this page carries an explicit penalty figure in the GDPR text itself; the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to GDPR's general penalties article to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
GDPR interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- AI Act Art 19 ↔ GDPR Art 5 (medium) — [entity affected: provider] AI Act mandates keeping logs for at least six months, which may conflict with GDPR's storage limitation principle requiring data to be kept no longer than necessary if the logs contain personal data not needed for that duration.
- DMA Art 1 ↔ GDPR Art 6 (medium) — [entity affected: Member States] DMA prohibits Member States from imposing further obligations on gatekeepers to ensure contestable markets, which may conflict with GDPR's allowance for Member States to introduce specific provisions for lawful processing under public interest or legal obligations.
- DORA Art 11 ↔ GDPR Art 17 (medium) — [entity affected: Financial entities] DORA requires maintaining records and backups for business continuity and audit trails, which may conflict with GDPR's right to erasure if personal data is retained in backups longer than necessary for the original purpose.
- DSA Art 10 ↔ GDPR Art 5 (medium) — [entity affected: provider of intermediary services] DSA Art 10 limits information orders to data already collected for service provision, which may conflict with GDPR Art 5's purpose limitation principle if the original purpose did not include law enforcement cooperation.
- GDPR Art 11 ↔ ePrivacy Directive Art 5 (medium) — [entity affected: controller / provider of publicly available electronic communications service] GDPR Art 11 allows processing without identifying the data subject if not required, while ePrivacy Art 5 requires specific consent for accessing terminal equipment, implying a need to identify the user to validate consent.
- AI Act Art 10 ↔ GDPR Art 17 (high) — [entity affected: provider] AI Act allows processing special categories of data for bias detection if strictly necessary, which may conflict with GDPR's right to erasure if the data is no longer necessary for the original purpose but needed for ongoing bias monitoring.