On April 14, 2016, the European Parliament adopted the “Regulation of the Council and the European Parliament on the protection of natural persons (GDPR)”. It entered into force after publication in the Official Journal of the EU on May 25, 2016 and will take effect from May 25, 2018.
While Directive 95/46/EC had to be transposed into national law by the EU Member States, resulting in uncertainties and differences, the GDPR is directly applicable law with binding guidelines in all European Member States. In the future, differences will take effect only where the EU Member States are allowed to adopt sector-specific regulations (so-called “opening clauses”).
Significant developments for corporate practice
1. Area of application
The most fundamental development is the area of application. Up to now, it has been difficult to cover data processors in non-EU countries. By contrast, the GDPR has a broad area of application and applies not only to responsible offices within the EU, but also to companies outside of the EU, along with contract data processors, to the extent that they target their activities at EU citizens (the so-called “market location principle,” Article 3, para. 2 of the GDPR).
2. Extended documentation and verification obligations
The GDPR provides for significantly extended verification obligations for controllers and contract data processors. Article 5, para. 2 of the GDPR stipulates that the controller must be able to demonstrate compliance with the data protection principles laid down in Article 5, para. 1 of the GDPR. As a result, companies must be able to demonstrate in the future that they are implementing the requirements of the GDPR.
3. Risk-based data protection
The measures required by the GDPR are directly dependent on the risks that data processing entails for the personal rights and freedoms of the persons concerned. As such, companies in the future will have to set up data protection management systems, following the example of corresponding compliance structures.
4. Privacy impact assessment
The GDPR introduces a so-called “privacy impact assessment.” If data processing is anticipated to entail high risks to the personal rights and freedoms of the persons concerned, the controller must carry out such an impact assessment in accordance with Article 35 of the GDPR. If the examination reveals that there is a high risk to personal data, the responsible office must consult the supervisory authority for advice and risk minimization.
5. Data protection by means of privacy-friendly default settings
Data protection through technology means that, as early as the development stage, appropriate technical and organizational measures must be taken in order to achieve an appropriate data protection standard. In addition, IT systems should be preset in such a way that, in principle, they process only such personal data as is necessary for the respective purpose being pursued. Violations of the requirements of Article 25 of the GDPR are punishable by administrative fines, which the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) did not previously provide for.
6. Order data processing
Article 28 of the GDPR governs the processing of data by order of the responsible office. According to Article 28, para. 1 of the GDPR, the so-called “order processor” must provide sufficient guarantees that it will carry out appropriate technical and organizational measures, process personal data in accordance with the requirements of the Regulation and ensure the protection of the rights of the persons concerned.
Contract data processing is carried out on the basis of a contract that specifies the subject matter and duration along with the manner and purpose of the processing, the type of personal data, the categories of concerned persons and the rights and obligations of the responsible office. With regard to the verification obligations of the responsible office pursuant to Article 24, para. 1 of the GDPR, contracts for order processing will be of decisive importance in the future.
7. Strengthened sanctions and liability rules
The GDPR provides for major innovations in the sanctions for data protection violations and their enforcement. While, under the BDSG, an administrative fine of up to 50,000.00 euros or 300,000.00 euros can be imposed for data protection violations and, if applicable, profits can be skimmed off, the sanctions for data protection violations under the GDPR are far more extensive. In cases of data protection violations, in addition to claims for damages, companies are threatened with administrative fines of up to 4 percent of their global annual turnover or, if higher, up to 20 million euros. In addition, the liability provisions for contract data processors will be strengthened. In the future, with respect to the persons concerned, they will be held more accountable and will be jointly and severally liable with the responsible office.
8. Project planning for the implementation of the GDPR
The implementation of the GDPR will be associated with costs for companies in the confectionery industry. Processes and data protection policies must be adapted to the requirements of the Regulation. Given the potentially grave liability risks for companies and their decision-makers, companies should have a substantial interest in establishing effective structures and processes for the implementation of the GDPR by May 25, 2018.