Agreement reached on final General Data Protection Regulation
A compromise has been reached regarding the final version of the EU General Data Protection Regulation (GDPR) in the trilogue meetings of the EU institutions. The draft was approved by the LIBE Committee on 16.12.2015. The law is intended to create binding and uniform regulations for data protection in Europe.
The GDPR will result in a wide range of changes for companies, which are expected to come into force in Q1 2018. The approval of the Council and Parliament appears to be a mere formality. National regulations such as the BDSG must be adapted to the GDPR in the period up to Q1 2018.
An overview of the most important regulations of the General Data Protection Regulation:
- Extended transparency and information obligations (Art. 12): The GDPR provides for extended transparency and information obligations of companies towards data subjects. Art. 14 sets out a list of information that must be provided to the data subject whenever data is processed. In the event of a change of purpose, the data subject must be informed before the new processing begins (para. 1b). In addition, data subjects – as before – have a right of access against those processing their data.
- Data Protection Impact Assessments (Art. 33 et seq.): The new obligation for the controller to conduct its own assessment of the level of data protection gains in importance over the previous prior-checking procedure. The impact assessment must be carried out if the use of “new technologies” is likely to give rise to high risks for the rights of individuals. The provision is tailored in particular to big data and the processing of large amounts of highly personal data, but its scope is considerably broader overall. The supervisory authorities are to draw up lists of which data processing operations are deemed relevant here (para. 2a). Companies will face significantly more in-depth documentation requirements as a result.
- Promotional use of data: In the future, data processing shall continue to take into account the “legitimate interests of the controller” (Art. 6 (1) (f) GDPR), but according to Recital 38, the “legitimate expectations” of the data subjects are to carry more weight. Only one case is therefore clear: advertising is permissible with the consent of the data subject (Art. 6 (1) (a) GDPR).
- One-stop shop: Internationally active companies will in principle only be subject to the supervisory authority at the company’s headquarters (Art. 46, 54a GDPR-E). This is to be welcomed, as it means that companies will often have a single point of contact.
- Responsibility (“Accountability”): New are provisions under which – similar to compliance rules – companies must document how they implement compliance with data protection regulations (Article 5 (2) GDPR-E). If no clean documentation can be presented, there is a risk of disadvantages in proceedings or vis-à-vis the data subjects affected.
- Risk-based approach to data processing: The core assumption of the GDPR is that rules on data processing should not be rigidly prescribed; instead, in many cases a balancing of interests is to take place. This leads to legal uncertainty, as it is unclear how courts and supervisory authorities will evaluate a given data processing operation.
- Consideration of new rights for data subjects: The GDPR provides for various rights for data subjects, such as the right to data portability (Art. 18) or the right to be forgotten (right to erasure, Art. 17). Companies must implement processes internally to meet these requirements.
- Employee data protection: It is envisaged that national regulations can remain in force in employee data protection (Art. 82 GDPR). Therefore, the existing German regulations will probably continue to apply. Works agreements also remain possible, but must be adapted to the requirements of the GDPR.
- Data protection officers: The appointment of a data protection officer is only mandatory if the core activities of an entity require “continuous and systematic monitoring of data subjects on a large scale” or if special categories of personal data are processed on a large scale (Art. 35 et seq.). In addition, individual Member States may regulate the appointment of data protection officers nationally. It is to be expected that company data protection officers will continue to be mandatory in Germany.
- Fines: The maximum fine for data protection violations is now €20 million or 4% of the annual worldwide turnover of a group of companies (Article 79 (3) GDPR-E). Compliance with data protection regulations therefore becomes all the more important.
Short transition period – immediate need for action
Given the many changes that will result, two years is a short time for implementation. Data processors should inform themselves now and begin implementing the new rules as early as possible.
We will be happy to support you in implementing the new regulations and also offer in-house seminars on this subject. Feel free to contact Dr. Drewes at