The Conference of Data Protection Authorities of the Bund and the Lnder (Datenschutzkonferenz) has released a guidance paper on how the information requirements for direct collection and third-party collection under the GDPR should be implemented in the nonpublic sector. The conference emphasised that the information requirements go far beyond the current legal situation and build the basis for the exercise of the rights of the data subject. Companies must respect both substantial (detailed notice) and formal requirements (clear and simple language) and must be able to demonstrate compliance. The conference expressed doubts regarding whether the restrictions of the GDPR information requirements under the new German Federal Protection Act are lawful and thus applicable in practice. The conference also pointed out the importance of implementing the newly required technical and organisational measures in order to comply with the information requirements.

The paper is subject to the reservation of a possibly differing future opinion by the European Data Protection Board.