As you are all aware, a number of changes in data protection law are imminent. The currently applicable German Federal Data Protection Act (BDSG) will be superseded by the EU General Data Protection Regulation (GDPR), which applies from May 25, 2018. This should rather be seen as an opportunity: adjusting in good time allows processes within the company to be harmonized and synergies to be realized through a structure that complies with data protection law.
To help you meet this challenge, we would like to give you an overview in advance of what will change for your company and where we see a need for action. We then intend to present, at an early stage and in detail, the individual stumbling blocks specific to your company, together with corresponding solutions.
In general, the BDSG and the GDPR are quite similar in structure and system, but stricter requirements and documentation duties mean that companies must build considerably more extensive structures and processes in order to comply. The GDPR therefore entails considerable additional costs for companies.
We would like to give you an overview of the most fundamental changes with the following points.
More Drastic Sanctions
The supervisory authorities must ensure that fines for infringements of the Regulation are "effective, proportionate and dissuasive". Whereas the BDSG (§ 43) provided for a maximum fine of 300,000 euros, Art. 83 GDPR allows fines of up to 10,000,000 euros or 2 % of the worldwide annual turnover of the group, whichever is higher, and for the most serious infringements (for example of the processing principles, the conditions for consent or data subjects' rights) up to 20,000,000 euros or 4 % of worldwide annual turnover. The fines are thus increased considerably.
In addition, the liability risks for companies increase. Under Art. 82 I GDPR, civil liability in the event of data protection violations will in future cover non-material damage as well as material damage. It remains to be seen how the German courts will assess non-material damage in practice, as their rulings have so far been rather cautious; the ECJ will certainly set new standards here on the basis of the GDPR. Another significant innovation is the explicit extension of liability under Art. 82 I GDPR to processors in the event of breaches of their duties.
Data Protection Officer
The role of the data protection officer is strengthened overall, and he or she must be even more closely integrated into the company's processes. In principle, the Regulation itself requires the appointment of a data protection officer only under strict conditions. However, companies must appoint one if the law of a Member State so provides (Art. 37 IV GDPR). Unless the German legislator repeals § 4f BDSG, it is to be assumed that the familiar requirements for appointing a data protection officer will remain. There is also currently no reason to assume that Art. 37 to Art. 39 GDPR replace the protection against dismissal, the prohibition of discrimination or the protection against revocation of the appointment previously provided for in § 4f Para. 3 BDSG; the individual national regulations will probably continue to apply here. The duties of the data protection officer include informing and advising the controller or processor and its employees, monitoring compliance with the GDPR and other data protection legislation, and monitoring the controller's data protection policies, including the allocation of responsibilities, awareness-raising, training and audits. The data protection officer also cooperates with the supervisory authority, advises on request on data protection impact assessments and monitors their performance. New is the explicit statement in Art. 39 I lit. b GDPR that the data protection officer has comprehensive monitoring duties and no longer merely "works towards" compliance as under § 4f I S. 1 BDSG. It therefore remains to be seen whether, and to what extent, the data protection officer will be held liable, including under criminal law, as a guarantor of supervision.
Extended Documentation and Verification Obligations
The GDPR significantly expands the duties to demonstrate compliance. This is known as accountability. Under Art. 5 II GDPR, for example, the controller must be able to demonstrate that it has complied with the data protection principles set out in Art. 5 I GDPR; infringements can result in substantial fines. Under Art. 24 I GDPR, the controller must further be able to demonstrate that it processes personal data in accordance with the Regulation. The duties of the processor also increase: for example, it must make available to the controller all information necessary for the controller to demonstrate that it has fulfilled its obligations under Art. 32 to 36 GDPR.
Data Protection Impact Assessments
The data protection impact assessment (DPIA) replaces the prior check under § 4d V BDSG. Compared with the prior check, the DPIA has a wider scope of application, since the triggering conditions in Art. 35 I GDPR are worded quite openly; as a result, there is some legal uncertainty about exactly when a DPIA is required. In the assessment, the likelihood and severity of the risk are to be evaluated, taking into account the nature, scope and sources of the possible risks. In addition, measures and procedures are to be developed with which the company can reduce the risks and position itself in a compliant manner. Under Art. 36 GDPR, the supervisory authority must be consulted prior to processing if the data protection impact assessment indicates that the planned processing would result in a high risk.
Extended Territorial Scope
The establishment principle of the Regulation is supplemented by the so-called marketplace principle in Art. 3 II GDPR, so that the Regulation also applies to controllers and processors without an establishment in the EU. This considerably extends the territorial scope of EU data protection law. The Regulation applies, on the one hand, to processing for the purpose of monitoring the behaviour of data subjects in the EU and, on the other hand, to processing for the purpose of offering goods or services to data subjects in the EU.
Precedence of the GDPR over Member State Law
Unlike the BDSG, the GDPR is not a subsidiary catch-all law but takes precedence. As an EU regulation, it applies directly and immediately in the Member States in accordance with Art. 288 II S. 1 TFEU and prevails over national legislation. Where the GDPR does not contain explicit opening clauses for national rules, it supersedes the Member States' provisions on data processing. Ordinary national laws such as the Banking Act, the Works Constitution Act or the Social Security Code books are therefore displaced by the GDPR unless they fall within the requirements of these opening clauses.
Extended Transparency Requirements
In future, companies will have to inform data subjects far more comprehensively than before, and in an intelligible manner, about how they process their data. Under Art. 5 I GDPR, transparency is one of the core principles of the Regulation. The controller must inform data subjects precisely about the processing of their personal data in accordance with Art. 12 I GDPR, on pain of substantial fines. Art. 12 to 15 GDPR lay down extensive information duties and rights of access that go far beyond the obligations of the BDSG. The information duties do not apply, however, where the data subject already has the information in question.
Data Protection by Design and by Default
In future, breaches of the duty to implement technical and organizational measures, previously regulated in § 9 BDSG and now in Art. 32 GDPR, will also be subject to fines; this was not the case before. In principle, companies must be set up so that they effectively implement the data protection principles of Art. 5 GDPR. Furthermore, IT systems must by default process only the personal data required for the specific purpose, in order to comply with the principle of data minimization. Further measures include pseudonymizing data as early as possible to protect it. The right to data protection must therefore already be taken into account when developing and designing IT products, services and applications, which once again underlines the increased importance of data protection.
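To make "data minimization" and "pseudonymization as early as possible" concrete, the following is an added example (not from the original text and not any client's code) of how a small data pipeline can apply both before records leave the system in which they were collected. It assumes a constructed set of customer records, that an analytics purpose only needs the customer ID and the order amount, and that customer IDs follow the invented pattern "C-nnnn". It also shows why a plain hash of an identifier is not a pseudonym in the sense of Art. 4 No. 5 GDPR: with a small identifier space it can simply be enumerated, whereas a keyed pseudonym can only be reversed with the key, which is the "additional information" that must be kept separately.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demonstration (not real data).
RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "birthdate": "1985-03-02", "order_total": 42.50,
     "notes": "prefers phone contact"},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "birthdate": "1990-11-17", "order_total": 19.99,
     "notes": "complained about delivery"},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "birthdate": "1985-03-02", "order_total": 7.00,
     "notes": ""},
]

# Assumption: the stated purpose (order statistics) needs only these fields.
ANALYTICS_FIELDS = ("customer_id", "order_total")


def minimize(record, fields=ANALYTICS_FIELDS):
    """Data minimization: keep only the fields the purpose requires."""
    return {k: record[k] for k in fields}


def unkeyed_hash(identifier):
    """What is often (wrongly) sold as anonymization: a plain SHA-256."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:32]


def pseudonymize(identifier, key, context=b"order-analytics"):
    """Keyed pseudonym: HMAC-SHA256 under a secret key.

    The same identifier always maps to the same pseudonym, so records of one
    customer remain linkable for statistics, but re-identification requires
    the key, which is stored separately from the pseudonymized dataset.
    The context string keeps pseudonyms of different purposes unlinkable.
    """
    msg = context + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_dataset(records, key):
    """Minimize each record, then replace the direct identifier by its pseudonym."""
    out = []
    for rec in records:
        slim = minimize(rec)
        slim["customer_id"] = pseudonymize(slim["customer_id"], key)
        out.append(slim)
    return out


def candidate_ids():
    """Identifier space an attacker can enumerate (assumed format C-0000..C-9999)."""
    return (f"C-{i:04d}" for i in range(10_000))


def dictionary_attack(target, derive):
    """Try to reverse a pseudonym by recomputing it for every candidate ID."""
    for cand in candidate_ids():
        if derive(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept outside the dataset
    for row in pseudonymize_dataset(RECORDS, key):
        print(row)
    # The unkeyed hash is reversed immediately by enumeration ...
    print(dictionary_attack(unkeyed_hash("C-1001"), unkeyed_hash))
    # ... the keyed pseudonym is not, unless the attacker also holds the key.
    print(dictionary_attack(pseudonymize("C-1001", key), unkeyed_hash))
```

The separation of the key from the dataset is the point a practitioner should check in practice: if the analytics team also has access to the key, the data they hold is still personal data and the pseudonymization does not reduce the risk for those data subjects.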
Obligation to Report and Notify
The obligations to notify the supervisory authority and to communicate with the data subjects under the GDPR go further than the provisions of § 42a BDSG. The details are found in Art. 33 and Art. 34 GDPR. The essential precondition of any obligation to notify or communicate is a personal data breach. Art. 4 No. 12 GDPR defines this as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". This definition is clearly broader than that of § 42a BDSG. The controller must notify the supervisory authority of a personal data breach without undue delay after becoming aware of it, and where feasible within 72 hours. This obligation does not apply only where the breach is unlikely to result in a risk to the rights and freedoms of the persons affected. Where the breach is likely to result in a high risk to those rights and freedoms, the controller must in addition, under Art. 34 I GDPR, communicate the breach to the data subjects without undue delay; this communication is not required if the controller has rendered the data unintelligible to unauthorized persons through appropriate technical and organizational measures, such as encryption, or has taken subsequent measures ensuring that the high risk is no longer likely to materialize.
Erasure of Data and the Right to be Forgotten
The GDPR also regulates erasure obligations more comprehensively than the BDSG. The controller must erase personal data without undue delay if one of the grounds listed in Art. 17 I GDPR applies. One of these grounds is that the data subject objects to the processing of his or her personal data under Art. 21 I GDPR; in that case the controller must erase the data pursuant to Art. 17 I lit. c GDPR unless there are overriding legitimate grounds for further processing. If the personal data to be erased have been made public, the controller must, under Art. 17 II GDPR, inform other controllers processing the data that the data subject has requested the erasure of all links to, copies of or replications of those data. The exceptions in Art. 17 III GDPR are narrower than those of the BDSG.
Change of Purpose and Compatibility
As before, the purpose for which data are collected is decisive for the lawfulness of their processing. If personal data are to be processed for a purpose other than the one for which they were collected, this is referred to as a change of purpose. Under Art. 6 IV GDPR, such further processing is permissible from the outset if the data subject has consented to it or if a legal provision within the meaning of Art. 23 I GDPR permits it. Otherwise, the compatibility of the new purpose with the original one and the safeguards in place, such as pseudonymization of the data, will in practice decide whether a change of purpose is permissible.
Facilitated Data Exchange within the Group
Unlike the BDSG, the GDPR no longer distinguishes between processing for the controller's own purposes and processing to protect the legitimate interests of third parties, so the requirements for transferring personal data between controllers belonging to the same group are relaxed. The Regulation permits processing necessary for the legitimate interests of the controller or a third party unless those interests are overridden by the interests or fundamental rights and freedoms of the data subjects. According to Recital 48, controllers that are part of a group of undertakings may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, and this expressly includes the processing of customers' and employees' personal data. With regard to employee data protection, the German legislator's Data Protection Adaptation Act remains to be seen.
Prohibition of Tying Consent to a Contract
Under Art. 7 GDPR, consent must be freely given. Art. 7 IV GDPR secures this by providing that controllers may not make the performance of a contract, including the provision of a service, conditional on consent to data processing that is not necessary for that contract. Consent therefore requires a clear affirmative act by which the data subject, free from compulsion and fully informed, signifies agreement to the processing of his or her personal data.
Much Remains the Same – Some Things are Getting Tougher
In summary, the GDPR is very closely modelled on the Federal Data Protection Act in structure and system, but we expect stricter requirements, above all regarding documentation duties, so that considerably more extensive structures and processes will have to be created in order to comply.
As your duly appointed data protection officer, we gladly take up this challenge and, as usual, will work closely with you to ensure that your company is sustainably positioned in terms of data protection law.