18.01.2017

The EU General Data Protection Regulation – What can companies in the confectionery industry expect?

On April 14, 2016, the European Parliament adopted the “Regulation of the Council and the European Parliament on the protection of natural persons (GDPR)”. It entered into force after publication in the Official Journal of the EU on May 25, 2016 and will take effect from May 25, 2018. While Directive 95/46/EC had to be transposed into national law by the EU Member States, resulting in uncertainties and differences, the GDPR is directly applicable law with binding requirements in all European Member States. In the future, differences will arise only where the EU Member States are allowed to adopt sector-specific regulations (so-called “opening clauses”).

Significant developments for corporate practice

1. Area of application

The most fundamental development is the area of application. Up to now, it has been difficult to cover data processors in non-EU countries. By contrast, the GDPR has a broad area of application and applies not only to responsible offices within the EU, but also to companies outside of the EU, along with contract data processors, to the extent that they target their activities at EU citizens (the so-called “market location principle,” Article 3, para. 2 of the GDPR).

2. Extended documentation and verification obligations

The GDPR provides for significantly extended verification obligations for controllers and contract data processors. Article 5, para. 2 of the GDPR stipulates that the controller must be able to demonstrate compliance with the data protection principles laid down in Article 5, para. 1 of the GDPR. As a result, companies must be able to demonstrate in the future that they are implementing the requirements of the GDPR.

3. Risk-based data protection

The measures required by the GDPR are directly dependent on the risks that data processing entails for the personal rights and freedoms of the persons concerned. As such, companies in the future will have to set up data protection management systems, following the example of corresponding compliance structures.

4. Privacy impact assessment

The GDPR introduces a so-called “privacy impact assessment.” If data processing is anticipated to entail high risks to the personal rights and freedoms of the persons concerned, the controller must carry out such an impact assessment in accordance with Article 35 of the GDPR. If the examination reveals that there is a high risk to personal data, the responsible office must consult the supervisory authority for advice and risk minimization.

5. Data protection by means of privacy-friendly default settings

Data protection through technology means that, as early as development, appropriate technical and organizational measures must be taken in order to achieve an appropriate data protection standard. In addition, IT systems should be preset in such a way that, in principle, they process only such personal data as is necessary for the respective purpose being pursued. Violations of the requirements of Article 25 of the GDPR are punishable by administrative fines, which was not previously provided for by the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”).

6. Order data processing

Article 28 of the GDPR governs the processing of data by order of the responsible office. According to Article 28, para. 1 of the GDPR, the so-called “order processor” must provide sufficient guarantees that it will carry out appropriate technical and organizational measures, process personal data in accordance with the requirements of the Regulation and ensure the protection of the rights of the persons concerned.

Contract data processing is carried out on the basis of a contract that specifies the subject matter and duration along with the manner and purpose of the processing, the type of personal data, the categories of concerned persons and the rights and obligations of the responsible office. With regard to the verification obligations of the responsible office pursuant to Article 24, para. 1 of the GDPR, contracts for order processing will be of decisive importance in the future.

7. Strengthened sanctions and liability rules

The GDPR provides for major innovations in the sanctions for data protection violations and their enforcement. While, under the BDSG, an administrative fine of up to 50,000.00 euros or 300,000.00 euros could be imposed for data protection violations and, where applicable, profits could be siphoned off, the sanctions for data protection violations under the GDPR are considerably more far-reaching. In cases of data protection violations, in addition to claims for damages, companies are threatened with administrative fines of up to 4 percent of their global annual turnover or, if higher, up to 20 million euros. In addition, liability provisions for contract data processors will be strengthened. In the future, with respect to the persons concerned, they will be held more accountable and will be jointly and severally liable with the responsible office.

8. Project planning for the implementation of the GDPR

The implementation of the GDPR will be associated with costs for companies in the confectionery industry. Processes and data protection policies must be adapted to the requirements of the Regulation. Given the potentially grave liability risks for companies and their decision-makers, companies should have a substantial interest in establishing effective structures and processes for the implementation of the GDPR by May 25, 2018.

Authors

Dr. Oliver Hornung

Partner