view all news & events


Honeymoon period for data controllers after introduction of the GDPR is over

Even though companies are most certainly focusing on other topics for the time being, aspects of data protection law must by no means be ignored. At the beginning of May 2020, the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate (“State Commissioner”) published information on his role, strategies, and action plan for 2020. The document points out that supervisory authorities will not accept the coronavirus as an “excuse” for mistakes made by companies in terms of their data protection management.

The “Concept for the effective enforcement of data protection law” (only in German language) addresses the fact that the willingness of data subjects to complain has stabilized at a high level. Data protection infringements are not only established by the supervisory authorities through random checks, but above all by way of complaints. The State Commissioner primarily received complaints in relation to the following topics: (i) transfer of data to third parties, (ii) problems in regards to the right of access to information under Article 15 GDPR, (iii) tracking measures on websites, (iv) video surveillance, and (v) application procedures.

The State Commissioner announced that 2020 will be “marked by the consistent elimination and punishment of identified data protection infringements,” highlighting that the supervisory authority is now in the phase of consistently applying remedial powers and sanctions. Depending on the seriousness of the infringement, deficits will have to be remedied with appropriate authority and sanctions, fully exploiting the instruments offered by the GDPR. Due to the fact that the Regulation had been introduced a long time ago, restraint would no longer be necessary.

In addition to assessing complaints, however, the State Commissioner and his agency will also perform checks, which are set out in the 2020 Action Plan (only in German language). Accordingly, these measures will focus on biometrics and automated license plate reading systems. Jointly with other supervisory authorities, another focus will also be the enforcement of the Data Protection Conference’s position in the area of tracking on websites. The Data Protection Conference requests the consent of website users in this context. Additionally, at least in Rhineland-Palatinate, insurance companies, banks, real estate management firms and brokerage businesses will be subject to closer examination.

Conclusion: Companies should prepare for increased checks by the supervisory authorities. Now that the honeymoon period of the recent years is over, data protection infringements will be rigorously pursued. The new fines model, as agreed by the supervisory authorities in Germany, will certainly be assist in these endeavors. Checks by supervisory authorities can therefore be expected all across Germany. The action plan confirms that at least in the area of tracking, the supervisory authorities will cooperate throughout Germany. Certain regional authorities may, however, set different priorities in their checks.


Franziska Ladiges

Franziska Ladiges


visit profile