Summary

The General Data Protection Regulation (GDPR) is expected to enter into force in the spring of 2018. It will become directly applicable law in all EU Member States without national transposition acts. While the GDPR contributes substantially to harmonizing data protection laws in Europe, the originally planned full harmonization has not been achieved due to numerous escape clauses. For example, there are escape clauses in employee data protection and in the provisions for company data protection officers.

The principle is already known from the 1995 EU Directive: processing of personal data is in principle prohibited, unless it is permitted by law, statutory ordinance or the consent of the data subjects ("prohibition with reservation of authorization"). Many duties in the GDPR are comparable to the current provisions in the German Federal Data Protection Act. Numerous new terms and provisions are expected to initially lead to more uncertainty in handling personal data. 

Strengthening the rights of data subjects is one of the objectives of the GDPR. Documentation duties were increased and data subjects’ rights of self-determination strengthened. For any processing carried out on the basis of positive balancing of interests in favor of the company, data subjects will have an express right to object in the future. Prior to processing of personal data, companies must carry out data protection impact assessments and under certain circumstances consult the competent supervisory authority, which may prohibit the processing. Extensive information and documentation duties exist in cases of data protection breaches.  The framework of fines was significantly increased and now extends up to EUR 10 million or 4% of worldwide annual revenue of the corporate group. 

Upon entry into force, the GDPR will also apply to companies, which do not maintain an establishment in the EU, but offer their services in the EU. In the future, such companies require a designated representative within the EU. 

In the future, companies must design defaults and products such that as little personal data as possible are collected and processed ("Privacy by Design").

The provisions for contract data processing remain substantially unchanged, but contracts need to be adjusted to new concepts and guidelines. In the future, they may also be concluded in electronic form. Contractors may also process data in third countries in the future. 

The guidelines for data transfers to third countries remain essentially the same, however, the two-stage appropriateness test provided for in the Federal Data Protection Act is no longer required. 

A company data protection officer will be mandatory Europe-wide in the case of risk-entailing processing; stricter national rules are permitted.

Associations may establish rules for industry-specific processing and have them approved by the supervisory authorities. The GDPR aims to promote the certification of processing and to establish clear guidelines. 

Data protection supervision will remain on a national level. One supervisory authority will be responsible for companies with several establishments in the EU, but it will not be solely competent to make decisions. Overall, authorities should intensively consult with each other as regards many decisions and regulations (obligation to ensure consistency).