General Data Protection Regulation EU-GDPR
The EU General Data Protection Regulation (GDPR) is a widely discussed topic that causes uncertainty and questions for many companies and individuals.
We shed some light on the matter: in the following, we summarise what the GDPR is and what effects it has on companies. We also explain which data protection measures you should take and whether you need a data protection officer.
What is the GDPR?
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. It is an EU regulation comprising 99 articles for the protection of personal data within the EU.
Until the regulation came into force, different data protection standards applied in each EU country. The General Data Protection Regulation has harmonised data protection law in the European Union.
The aim of the General Data Protection Regulation
The General Data Protection Regulation aims to guarantee, at European level, the right of every natural person to the protection of their personal data. This is intended to give citizens back sovereignty over their personal data and allow them to decide for themselves what happens to it. The overall aim of the GDPR is the protection of the fundamental rights and freedoms of data subjects.
What is personal data?
Personal data is any information that can be used to identify a specific natural person. The GDPR thus covers all data that can be directly or indirectly associated with such a person. The information can originate from the private and family environment as well as from the economic, legal or social environment. Personal data does not include anonymised data: for example, no conclusions can be drawn about a specific individual from aggregated statistical surveys or a company's sales figures. Note, however, that pseudonymised data (where the identifying attributes are replaced by a key held separately) remains personal data under the GDPR, because the person can still be identified with additional information. Personal data includes, for example:
- Date of birth
- Marital status
- E-mail address
- IP addresses
- Phone number
- Account details
- License plate
- Identity card number
- Social security number
- Location data
- Criminal record
- Health data
- Cultural / social characteristics
- Biometric data (e.g. fingerprint)
To whom does the General Data Protection Regulation apply?
The GDPR protects the rights of individuals in the EU and at the same time imposes numerous obligations on businesses. All companies based or operating in the EU are affected. This also includes non-European companies that either have an establishment in an EU country or process personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
The basic principles of data protection
Article 5 of the GDPR sets out the principles for data processing with which companies should familiarise themselves. They regulate how the storage and processing of personal data is to be implemented in a legally compliant manner. Processing means, for example, the collection, modification, destruction or storage of this data.
- Lawfulness of the processing
A legal basis under Art. 6 GDPR is required for data processing. In other words, processing is prohibited unless the individual consents or another legal basis applies, such as the performance of a contract, a statutory obligation, or a permission arising from a law such as the German TMG.
- Purpose limitation
Data may only be processed for the purpose for which they were collected. The purpose must be legitimate, clearly defined at the time of collection and communicated to the data subject. A subsequent change of purpose must be communicated to the data subject, who may object to the change.
- Data minimisation
Only as much data may be collected and processed as is required in relation to the purpose. For subscribing to a newsletter, for example, the e-mail address must necessarily be collected, but not the car registration number or marital status.
- Accuracy
The data must be factually correct and up to date. Inaccurate information must be deleted or corrected without delay.
- Storage limitation
The data must be deleted as soon as the purpose for which they were collected has been achieved, unless another legal basis, such as a statutory retention obligation, requires further storage.
- Integrity / Confidentiality
Controllers and processors must take appropriate technical and organisational measures to adequately protect personal data (Art. 32 GDPR explicitly names pseudonymisation and encryption as examples). Protection is needed, for example, against unauthorised processing, accidental loss, or disclosure of the data to third parties.
Under the accountability principle (Art. 5(2) GDPR), controllers must be able to demonstrate compliance with these data protection principles to the supervisory authorities. Violations of the GDPR are punishable by fines, some of which are high.
Data subject rights: These obligations apply to companies
In addition to the basic principles, controllers must keep the rights of data subjects set out in the General Data Protection Regulation on their radar. These rights give rise to further obligations for companies.
A prominent provision is the right to erasure, also known as the right to be forgotten (Art. 17 GDPR). For example, a data subject has the right to have their data erased if:
- they withdraw their consent.
- the purpose for processing the data has ceased to exist.
- the data processing was unlawful.
Other important data subject rights include:
- Right to information (Art. 12, 13 and 14 GDPR): At the time the data are collected (or, where the data are not obtained from the data subject, within a reasonable period), the data subject must be informed about the processing and made aware of their rights.
- Right of access (Art. 15 GDPR): The data subject may request confirmation as to whether their personal data are being processed, information on the scope and nature of the processing, and a copy of the data.
- Right to rectification (Art. 16 GDPR): The data subject may request that inaccurate data be corrected.
- Right to data portability (Art. 20 GDPR): The data subject has a right to receive their personal data in a structured, commonly used and machine-readable format, so that they can transmit the data to another controller.
- Right to object (Art. 21 GDPR): The data subject may object to the data processing. The controller may only continue processing the personal data if it can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the data subject.
It becomes clear that without expert help and the introduction of a data protection management system, companies will find it difficult to fulfil their legal notification, accountability and documentation obligations.
Is a data protection officer necessary?
According to the EU GDPR, it may be necessary for a company to appoint a data protection officer. This is a person responsible for monitoring that the company complies with data protection law. This person can be an employee, but the appointment of an external data protection officer is also possible.
Many a company will now be asking, "Do we need a data protection officer?"
The answer can be determined by these three points:
- The core activity consists of "regular and systematic monitoring of data subjects on a large scale" (Art. 37(1)(b) GDPR).
- The core activity consists of large-scale processing of special categories of data (Art. 9 GDPR) or data relating to criminal convictions (Art. 37(1)(c) GDPR).
- At least 20 employees are permanently engaged in the automated processing of personal data (a German national rule, § 38 BDSG).
If one of the three points applies to the company, a data protection officer is required. Irrespective of this, every company can voluntarily appoint a data protection officer.
What does a data protection officer do?
The data protection officer performs various tasks that can be derived directly or indirectly from the General Data Protection Regulation (see Art. 39 GDPR). For example:
- Create a data protection concept
- Training and sensitisation of employees on the subject of data protection
- Handling data protection inquiries from customers and employees
- Monitoring the correct use of data processing software
- Monitoring and safeguarding the rights of data subjects
- Advising on risk assessments and data protection impact assessments (Art. 35 GDPR)
- Supporting the notification of personal data breaches (Art. 33 GDPR)
It is advisable to involve the data protection officer in data protection-related planning and projects at an early stage and to firmly anchor him or her in the company. Whether to appoint an employee internally for this function or to better obtain support from an external data protection officer is a matter of consideration depending on the requirements of the company.
Special case: processing on behalf of a controller
There are cases where personal data are processed by a contractor on behalf of the controller. This is the case, for example, when an external newsletter provider or a cloud service is used.
Under the old German law this was called commissioned data processing (Auftragsdatenverarbeitung); the GDPR speaks of processing on behalf of the controller, carried out by a processor (Art. 28 GDPR). Whereas previously the client alone was primarily responsible for data protection compliance, under the GDPR the processor has obligations of its own, such as keeping a record of its processing activities (Art. 30(2) GDPR) and notifying the controller of personal data breaches without undue delay (Art. 33(2) GDPR). The controller nevertheless remains responsible for choosing only processors that provide sufficient guarantees of appropriate technical and organisational measures (Art. 28(1) GDPR). Another new feature is that the processing contract may be concluded in electronic form (Art. 28(9) GDPR).
Fines and sanctions
Before the General Data Protection Regulation came into force, data protection violations were punishable by fines ranging from 50,000 to a maximum of 300,000 euros. Some organisations have accepted this risk. In addition, data protection authorities mostly applied the upper fine limit only in the case of persistent breaches.
The EU GDPR provides for more drastic sanctions. For the most serious infringements, fines of up to €20 million or 4% of total worldwide annual turnover in the previous financial year, whichever is higher, can be imposed (Art. 83(5) GDPR); a lower tier of up to €10 million or 2% applies to other infringements (Art. 83(4) GDPR).
With its high fines, the regulation is intended to act as a deterrent and encourage companies to take data protection seriously. Data protection violations can also be the subject of formal warnings (cease-and-desist letters) under the GDPR, with the threat of legal proceedings.
FAQ: Answers to frequently asked questions
Is the GDPR only relevant for larger companies?
No. Regardless of whether you are a small business owner, a one-person limited company or a large corporation, all are affected by the General Data Protection Regulation. They must comply with the regulation as soon as they process personal data.
Who should I contact in the event of a data protection breach?
Individuals in the EU can lodge a complaint about data protection breaches with the supervisory authority in their member state (Art. 77 GDPR). Companies deal with the supervisory authority in the European member state where they have their main establishment, which acts as the lead supervisory authority for cross-border processing (Art. 56 GDPR).
Does the data protection regulation have to be adapted to the GDPR?
Does the GDPR have an impact on marketing activities?
Yes, when it comes to marketing, companies face numerous obligations and pitfalls in connection with the General Data Protection Regulation. Examples are the use of the double opt-in procedure for newsletters and the legal basis for processing collected personal data for marketing purposes.
What do employers have to pay attention to?
Art. 88 GDPR and § 26 BDSG (new version) contain important provisions on employee data protection. Employers may only collect and process personal data that is necessary, for example for the performance of the employment relationship. Employers should in any case:
- review their internal processes relevant to data protection,
- ensure that contracts are drawn up in compliance with data protection requirements, and
- develop a compliance strategy that can prevent data protection breaches.
Where does the GDPR apply?
According to Art. 3 para. 1 of the General Data Protection Regulation, the decisive factor is where the controller or processor is established. If it is established in the European Union, the GDPR always applies - regardless of where in the world the data was processed. If the company is established outside the EU and offers goods/services in the EU or monitors the behaviour of individuals in the EU, it is also subject to the GDPR.