Category: LEGAL NEWS
GDPR – what it’s all about.
An overview about the General Data Protection Regulation.
The General Data Protection Regulation already entered into force on May 24 2016, but it only becomes applicable two years later, on May 25 2018.
Why did the GDPR enter into force?
The GDPR aims to harmonize the data protection laws of the EU member states. At the same time, it grants the Member States a certain room for maneuver. For this purpose, the GDPR contains so-called opening clauses, which give national legislators the opportunity to specify the provisions of the regulation or, in some cases, even to provide for special provisions of their own.
What types of data are there?
The following types of data can be distinguished:
- Personal data: all information about natural or legal persons whose identity is determined or determinable (for example, name, address, date of birth, bank details)
- Indirect personal data: data, such as encrypted data, for which the identity of the person cannot be determined by lawful means
- Anonymized data: data with no personal reference
- Sensitive data: information on religion, union affiliation, political views, biometrics, etc.
The subject matter of the GDPR is personal data, which the GDPR defines as all information relating to an identified or identifiable natural person.
Some important new features of the GDPR are briefly described below.
Higher penalties
One reason why the GDPR has been discussed so much recently is certainly its sanctioning provisions. The GDPR provides for fines that are significantly higher than those that can be imposed under current legislation.
Certain violations may result in fines of up to EUR 20 million or, in the case of a business, up to 4% of the total worldwide annual turnover of the previous financial year. Other violations can be sanctioned with fines of up to EUR 10 million or 2% of the total worldwide annual turnover.
Extended rights for those affected
In line with the purpose of the GDPR, data subjects are to be informed of the existence of the data processing and its purposes. The controller must ensure fair and transparent data processing. This is to be ensured in particular by the following requirements:
- Duty to provide information: Controllers must provide information to the data subject; this duty has been significantly expanded compared to the current legal situation. The information to be provided varies depending on whether the personal data are collected directly from the data subject or come from other sources, and the deadline by which the information must be provided depends on this distinction. The duty to provide information arises in particular when data are collected, but also when data are received or transferred.
- Right to information: The data subject has the right to ask the controller for confirmation as to whether personal data relating to him or her are being processed; if this is the case, he or she has a right to know which personal data are involved. A request for information must be answered immediately, and no later than within one month. If the request is refused, the data subject has a right of appeal to the data protection authority. Refusing to provide information is only permitted under certain circumstances.
- Right to deletion ("right to be forgotten"): Data subjects have extended rights to demand the deletion (and correction) of personal data concerning them. Controllers must comply with a deletion request immediately. For controllers, this can involve considerable (administrative) additional effort, because in the event of a deletion there may be an obligation to inform other controllers processing these data about the deletion request.
Infringements of the data subject rights can be punished with the maximum penalty mentioned above (fines of up to EUR 20 million or up to 4% of the worldwide annual turnover). Data protection compliance should therefore (also) have top priority on these points!
Mandatory Data Protection Officer?
The GDPR does not provide for a general obligation to appoint a data protection officer; only in certain cases is there an obligation to do so: companies must designate a data protection officer if their core activity consists of certain processing operations. The GDPR does not clarify when an activity is to be regarded as a core activity, so difficult questions of delimitation can arise in individual cases. Clarification is nevertheless essential: infringements of the GDPR's provisions on the data protection officer may result in fines of up to EUR 10 million or up to 2% of the worldwide annual turnover achieved.
A data protection officer is not a responsible person within the meaning of the Administrative Penal Code. Thus, despite the appointment of a data protection officer, the bodies authorized to represent the company externally (such as the CEO or the board) can be held (personally) liable for data protection violations.
Privacy by technology design ("privacy by design") / data security
Appropriate technical and organizational measures must be taken to ensure that only as much data is processed as the specific processing purpose requires, e.g. by encrypting personal data and by data-protection-friendly default settings in software. Data use must be reduced to the necessary extent! Likewise, an appropriate level of data security must be ensured. These requirements must already be taken into account when planning a data processing operation or during product development, including in (IT) technical terms.
Violations of these requirements can be punished with fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover. If technical and organizational measures in the above sense have been taken, this can have a mitigating effect on any fine that is nevertheless imposed, so that implementing privacy by design and data security measures is also of crucial importance against this background.
Obligations in case of data misuse
If a data breach occurs that threatens the protection of personal data, it must be reported to the data protection authority immediately, preferably within 72 hours of becoming aware of it. The notification must meet certain content requirements. Under certain circumstances, the data subjects must also be informed. Errors in implementing these reporting and notification obligations can result in fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover. Because of this, and above all because of the tight time window, it is necessary to prepare for the emergency of a data breach. Preparing a template for the notification in advance may be helpful.
Privacy impact assessment
The obligation to carry out a privacy impact assessment is completely new. It is required when data processing is likely to pose a high risk to the rights and freedoms of individuals. The impact assessment must be carried out in advance and may require consultation with the Data Protection Authority (DPA). It serves to assess the risks and possible consequences for the rights and freedoms of those affected.
Here, too, sanctions of up to EUR 10 million or up to 2% of the total worldwide annual turnover are possible.
Record keeping
Also new is the obligation of the controller (and the processor) to keep records of all data processing activities. Previously, data processing had to be notified to the Data Processing Register (DVR). This external notification obligation is eliminated; instead, the GDPR introduces an internal record-keeping obligation (the "register of processing activities"). In terms of content, however, the records to be kept are largely based on the former DVR notification.
DVR notifications submitted to the DPA before the GDPR do not release the controller from the obligation to keep an internal record of its data applications.
In the event of breaches of the record-keeping obligation, penalties of up to EUR 10 million or 2% of the worldwide annual turnover are possible.
Outlook
The requirements of the GDPR are extensive, and the GDPR brings numerous fundamental changes compared to the previous legal situation. The need for adaptation is therefore considerable. Although the GDPR means a great deal of organizational effort for companies, it also means that citizens can rely on increased protection of their rights in an increasingly digitized present and future.
Do you need legal advice on the GDPR (DSGVO) and other data protection issues? Our lawyers specializing in data protection are happy to advise you.
You can read the complete regulation here.