First of all, for those not in the know, let us remember that GDPR is an acronym for General Data Protection Regulation, and that the word “Regulation” here means something very specific in EU legislation. A European Union (EU) Regulation “is legal act of the EU that becomes immediately enforceable as law in all member states simultaneously”[i]. As opposed to a EU Directive, that needs to be transposed into specific legislation into each of the Union members, a European Union Regulation does not require any translation into the legislation of the member states. It applies to them (and its citizens and the companies that operate on the Union) as soon as it becomes into force, and in fact it overrides all national laws dealing with the same subject matter. Member States may incorporate elements of the Regulation into their national law. They may also expand the scope of the Regulation by clarifying aspects not covered in it. In fact, we do usually see state members to pass legislation in that sense. But the Member states cannot legislate to limit the scope or in contradiction with the Regulation.
A few concepts around GDPR