General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) has been passed, is in force and will apply in Germany and throughout Europe from 2018.
We have set up a dedicated website at www.gdpr.ninja, where we will continuously publish articles on the upcoming regulation together with international experts. Below, you find some high-level information on the major changes.
For many companies, the question is what needs to be done so that their data processing also complies with the new requirements. The Regulation is not a revolution in data protection which overthrows familiar and tested legislation. Even so, there are several changes in the Regulation which make it necessary to closely review all data processing procedures and systems so that they are as legally secure as possible for the future. To this extent, the period before direct application of the Regulation, which replaces the Federal Data Protection Act (BDSG) as we know it, is not as long as it may seem at first.
This is because a review of the systems for compliance with the impending data protection act may reveal a need for modification, and any changes would have to be implemented. If this requires modifications to the technical infrastructure or existing data protection authorisation concepts, implementation of these can take a great deal of time.
In the following sections we offer a short overview of the new Regulation and its changes. We would be happy to advise you on this review and implementation process, and are naturally available by phone or e-mail for any questions you may have.
Objectives of the Regulation
Besides harmonising data protection law in Europe, another goal of the Regulation is to strengthen the rights of those affected and data security.
At the same time the documentation and proof obligations of the companies are expanded.
Timetable and validity of the Regulation
The General Data Protection Regulation has been in force since 25 May 2016, but will only apply in full from 25 May 2018 (Art. 99 GDPR).
As this is a European Regulation, it will – in contrast to a Directive which first has to be enacted in national law – apply throughout Europe immediately from this date.
Due to the fully-harmonised effect of the Regulation, no further, stricter or deviating regulations under national law may exist from 25 May 2018, unless the Regulation itself permits member states to adopt such a regulation (so-called saving clause).
Material changes from previous legal position
The Regulation retains many established concepts and principles. It accordingly retains the general prohibition on processing personal data subject to permission, as was previously the case under the Federal Data Protection Act (BDSG). Even so, several points were naturally added or treated differently. The following sections accordingly highlight briefly the material aspects of the new rules.
Market location principle, geographical area of application
European data protection law now also applies to companies which do not have a registered place of business in the EU but which offer goods or services on the European market.
Contract data processing
Under previous law, contract data processing under Art. 11 BDSG was an option for privileged processing of personal data by third parties, e.g. through outsourcing. The contract data processor was privileged in that it did not count as a “third party” within the meaning of the BDSG, so that transmission of data to the contract processor for processing did not require justification. The law no longer includes a privilege on the lines of Art. 11 BDSG.
Instead, the relative interests of the affected person and the responsible entity must be considered, even in the case of contract data processing. In previous instances of contract data processing, such consideration will generally continue to favour processing.
Area of application of contract data processing
Whereas contract data processing was previously only possible within Europe, it is now possible using contractors outside Europe, if the further requirements are satisfied. These include specifically the careful selection of the contractor and examination of their technical and organisational measures with regard to data protection.
Employee data protection
There is no special rule on employee data protection in the Regulation. However, Art. 88 of the Regulation allows member states to provide for more specific rules on protection of employee personal data. It is planned to incorporate the old Art. 32 BDSG in the new Federal Data Protection Act.
Group preferential treatment
The Regulation also does not give groups any preferential treatment, i.e. transmission of data to companies within the same group now constitutes transmission to a third party within the meaning of the law and requires justification as such.
Partial preferential treatment for groups
There is much talk currently about the partial preferential treatment for groups. This is based on para. 48 of the Regulation, which states that a controller that is part of a group may have a legitimate interest in transmitting personal data within the group for internal administrative purposes. This provides a basis for arguing for justification of such transmission within the general balancing of interests in Art. 6 of the Regulation. While there is no clear rule, it gives companies an opportunity for justification, provided that the other requirements for data processing are met.
The Regulation significantly intensifies the collector’s obligations to provide information in order to increase the transparency of data processing.
Arts 13, 14 of the Regulation define the obligations to provide information in the course of data collection to those affected, which because of their extent have some of the nature of a formal notification of rights. It is necessary to check here what modifications to a company’s systems and contracts or General Terms & Conditions are necessary to meet all the Regulation’s obligations to provide information.
Further obligations to provide information
A company must also report data protection violations, cancellation of a restriction on processing, one-time transfer to third parties or further processing for a different purpose. The latter obligation in particular can be relevant for many companies, as a change of purpose can arise quickly.
Privacy by Design / Privacy by Default
Art. 25 of the Regulation presents the principles of data protection through technical means (privacy by design) and organisational means favourable to data protection (privacy by default). Under these, companies are required to bear the needs of data protection in mind in the planning and concept phase and to implement the principles there. In designing and procuring technical means of processing, care must be taken to ensure that the technical and organisational measures have been taken for effective compliance with data protection. The same applies to the safeguards in such equipment and systems. It is necessary, for example, to check whether processing software provides an opportunity to save various authorisation concepts so that access to data can be limited to those individuals who actually must have access.
It should be borne in mind that the Regulation commits only the controller, and not the manufacturers of data processing equipment and systems. The idea here is that the controller should, because of its own obligations, influence the manufacturers to make the corresponding modifications to comply with the requirements.
Existing equipment and systems must be reviewed for this. In addition, planning of new systems must always be reviewed to see whether these comply with the requirements, and offers, General Terms and Conditions and contracts of any suppliers should be reviewed to ensure compliance with the new requirements.
The requirements for valid consent to data processing have been modified in a number of respects. For example, in future tacit consent will also be sufficient, provided that it is clear. There are accordingly substantial obligations to provide information under the new Regulation with regard to valid consent.
Prohibition on tying
A prohibition on tying was also included in the Regulation with regard to consent, which is no longer limited to cases of a monopoly position, as was the case under Art. 28 para. 3(b) BDSG. However, Art. 7 para. 4 of the Regulation merely requires that the link must be considered in the broadest possible terms in assessing consent. There is scope here for interpretation.
Continued validity or renewal of existing consent
The question arises whether companies are now obliged under the new Regulation to obtain new consent meeting the requirements of the Regulation even for existing customers. The Regulation states in para. 171 that existing consent remains valid provided that it already meets the conditions of the Regulation. Companies are accordingly advised to subject all existing consent to formal and substantive review with regard to the requirements of the Regulation, to ensure that continued use of the data is not illegal.
The Regulation contains an extensive and severe catalogue of penalties for violations against the various requirements.
The maximum fine under the BDSG was EUR 300,000. The Regulation provides for fines up to EUR 10,000,000 or 2% of global annual sales or EUR 20,000,000 or 4% of annual global sales, depending on the violation. This represents a drastic increase in the scale of fines for data protection violations.
Naturally, these amounts are not due immediately for each violation of the Regulation. However, it should be assumed that the legislator did not provide for these substantial amounts on the assumption that the authorities would not make use of them. It should accordingly be assumed that substantially larger fines will be imposed as soon as the Regulation comes into force.
The following overview of the fines for violations also shows that companies are now subject to fines for failure to comply with almost any of their obligations. Companies should accordingly start soon to review compliance with the Regulation’s requirements, in order to avoid a rude awakening and substantial penalties.
| Maximum fine | Violation of |
|---|---|
| EUR 10,000,000 | Arts 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43 GDPR |
| EUR 20,000,000 | Arts 5, 6, 7, 9, 44-49, 58 GDPR |
For companies in Germany, the regulatory position under GDPR will become more complex. Initially, increased expense must be expected for the change to the new legal requirements. This is particularly true if the existing status of data protection in your company is not yet in line with the current status of BDSG.
We would be happy to advise you on implementation and modification of the current and future legal position.