Data protection and data protection compliance in accordance with DSGVO / GDPR

Since 25.05.2018, the well-known Federal Data Protection Act (BDSG) has been repealed and the European General Data Protection Regulation (GDPR) applies. As a regulation, the GDPR takes effect as directly applicable law without any further act of implementation by the member states. The GDPR leads to a welcome harmonization of standards within the EU, so that cross-border processes within the EU in particular can now be carried out much more quickly and with greater legal certainty. However, the GDPR provides for considerable fines in the event of violations. While the fine under the BDSG was still up to EUR 0.3 million, under the GDPR it is now up to EUR 20 million or 4% of annual global turnover. According to Art. 83 GDPR, the fine should be proportionate, but "in each individual case [...] dissuasive". Compliance with data protection regulations should therefore receive much closer attention as part of corporate compliance from 25.05.2018 at the latest. The GDPR contains numerous innovations, including the following:

Strict requirements for consent

Art. 7 GDPR contains stricter requirements than the BDSG regarding the voluntary nature of consent. As before, consent must be given voluntarily. However, according to Art. 7 para. 4 GDPR, when assessing the voluntariness of consent, it must now be considered whether the performance of a contract is dependent on consent and whether the consent relates to processing that is not necessary for the performance of the contract. Art. 7 para. 4 GDPR formulates this as follows:

"In assessing whether consent has been freely given, utmost account shall be taken of the fact whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to processing of personal data which is not necessary for the performance of that contract."

Therefore, if consent must be given when concluding a contract and this consent does not relate directly to the performance of the contract, the new regulations clearly indicate that the consent is not voluntary, with the consequence that it is invalid. This can already be assumed if consent to receive a newsletter is required as part of the order in an online store. A telephone number that must be provided as part of the registration process on an online portal must therefore also be considered critical as a rule, unless the nature of the online portal requires it.

Liability of the processor as well

Order data processing (ADV), previously known from Section 11 BDSG, is regulated in Art. 28 GDPR. The name has changed slightly: instead of "commissioned data processing" (Auftragsdatenverarbeitung), the legal institution is now simply called "order processing" (Auftragsverarbeitung).

One change with significant consequences is the new regulation of responsibility. Unlike under the BDSG, under the GDPR the processor must itself also ensure compliance with numerous provisions regarding the proper conduct of the order processing. According to Art. 83 para. 4 lit. a) GDPR, violations of some of these provisions by the processor are also subject to fines.

Data breach notification

A notification obligation was only included in the BDSG at a late stage, with Section 42a BDSG. Art. 33 et seq. GDPR now contain significantly stricter notification obligations. According to Art. 33 GDPR, personal data breaches must be reported to the supervisory authority without undue delay and "where feasible, within 72 hours" of the controller becoming aware of them. Reasons must be given if the 72-hour period is exceeded. According to Art. 34 GDPR, the data subject must also be notified if the personal data breach is "likely to result in a high risk to the rights and freedoms of natural persons".

Data protection impact assessment

The instrument of the data protection impact assessment pursuant to Art. 35 GDPR is also new. According to this, if the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, an assessment of the consequences must be carried out in advance. Such risks are assumed in particular when new technologies are used, if they pose a risk to the protection of personal data due to their nature, scope, circumstances or purpose. The supervisory authorities may draw up supplementary lists showing which processing operations require a data protection impact assessment and which do not.

A data protection impact assessment must contain at least the following:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;

  • an assessment of the necessity and proportionality of the processing operations in relation to the purpose;

  • an assessment of the risks to the rights and freedoms of data subjects; and

  • the measures envisaged to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Privacy by design and privacy by default

With Art. 25 GDPR, the GDPR now contains a regulation on the design of technology. According to this, technology must be designed in such a way that it already complies technically with the data protection principles, such as data minimization (privacy by design), and at the same time data protection-friendly default settings must be chosen (privacy by default). This means that the requirements of the GDPR must already be observed at the hardware and software development stage.

Right to data portability

The provision in Art. 20 GDPR is also new, according to which a data subject has the right to receive the personal data concerning them in a structured, commonly used and machine-readable format. The aim of the regulation is to avoid "lock-in effects" with regard to a specific provider. Data subjects are thus to be given the opportunity to "move" their personal data to another provider.

E-Privacy Regulation

Certain regulations relevant to the area of electronic communications (i.e. the internet in particular) will be regulated in an ePrivacy Regulation (currently still at an advanced draft stage). This concerns, for example, the collection of data from smartphones and the handling of cookies.

Conclusion

The GDPR brings numerous changes, some of which may require a fundamental reassessment of the way companies have organized their processing operations to date. Even the way in which consent is obtained may need to be reviewed from the perspective of voluntariness. In view of the considerable range of fines and the new obligation to notify data subjects, which could damage a company's public image, the processing operations in the company should be carefully examined and designed in accordance with the GDPR by the date from which it applies (25.05.2018).

Date: 28. Nov 2017