GDPR to take effect - a German perspective
On 25 May 2018 the EU General Data Protection Regulation (GDPR) becomes applicable. It formally entered into force on 24 May 2016; the two-year transition period ends on that date. The objective of the GDPR is to raise the level of protection of personal data and to harmonise data protection law within the European Union. However, the GDPR has an extensive extraterritorial reach. It applies not only in the 28 Member States but also to controllers and processors established outside the EU if their processing activities relate to the offering of goods or services to data subjects in the Union or to the monitoring of their behaviour within the Union (Art. 3 (2) GDPR); the decisive factor is where the data subject is, not citizenship. The GDPR covers almost every legal subject except for, inter alia, natural persons processing data in the course of purely personal or household activities and competent authorities processing data for the prevention, investigation or prosecution of criminal offences or for public security (Art. 2 (2) GDPR). As a regulation, the GDPR is binding and directly applicable in all Member States without transposition into national law; its opening clauses nevertheless leave room for national provisions, which Germany has used in the new Federal Data Protection Act (BDSG) that applies from the same date.
Central to the GDPR is the term "personal data" which is defined in Art. 4 (1). "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is a person who can be identified either directly or indirectly, especially by reference to a name, an identification number, location data, an online identifier (e.g. email address, IP address) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR protects personal data whenever it is processed. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 (2) GDPR).
The key compliance issues for organisations in relation to GDPR are the following:
- Art. 13 and 14 of the GDPR require data controllers to provide much more detailed information to data subjects about the processing of their personal data (e.g. details of the period for which personal data will be stored, details of the data controller's legitimate interest, the data subject's right to withdraw its consent to the processing, the existence of rights to make subject access requests).
- Art. 4 (11) GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes, given either by a statement or by a clear affirmative action; silence, inactivity and pre-ticked boxes do not qualify (Recital 32). Art. 7 GDPR adds the conditions: the controller must be able to demonstrate that consent was given, and the data subject may withdraw it at any time. Consent is only one of the lawful bases in Art. 6 GDPR; processing may also rest on a contract, a legal obligation or the controller's legitimate interests, among others.
- GDPR provides for more transparency for data subjects with respect to the processing of their data and enhanced rights to access, rectify, delete, restrict or object to processing, as well as a new right to data portability (Art. 15 to 21 GDPR). Art. 12 GDPR requires controllers to respond to such requests without undue delay and in any event within one month (extendable by two further months for complex or numerous requests) and free of charge; only where a request is manifestly unfounded or excessive may the controller charge a reasonable fee or refuse to act.
- Controllers are held more accountable for their processing: Art. 5 (2) GDPR requires them to be able to demonstrate compliance with the data-protection principles. Art. 25 GDPR (data protection by design and by default) obliges controllers to implement appropriate technical and organisational measures, such as pseudonymisation, that give effect to those principles, and to ensure that by default only the personal data necessary for each specific purpose are processed. Art. 30 GDPR adds the duty to keep records of processing activities.
- In certain circumstances controllers and processors have to designate a data protection officer (DPO). Under Art. 37 GDPR the appointment is mandatory for public authorities, for organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions. Germany goes further: § 38 BDSG additionally requires a DPO wherever, as a rule, at least ten persons are permanently engaged in the automated processing of personal data.
- Art. 32 GDPR requires controllers and processors to implement security measures appropriate to the risk, including, as appropriate, the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
- Art. 33 GDPR introduces a new mandatory requirement for controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a later notification must be accompanied by reasons for the delay. Processors must notify the controller without undue delay (Art. 33 (2)), every breach must be documented internally whether or not it is notified (Art. 33 (5)), and where the breach is likely to result in a high risk the affected data subjects must be informed as well (Art. 34 GDPR). The short timeframe means that organisations need an incident response process that can detect a breach, assess its risk and assemble the required information within days, not weeks.
- The newly established European Data Protection Board will encourage the drawing up of codes of conduct that specify the new data-protection standards in order to ensure the proper application of the Regulation.
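Art. 25 and Art. 32 both name pseudonymisation as a measure, and Art. 4 (5) defines it as processing such that the data can no longer be attributed to a data subject without additional information that is kept separately. The following Python script is an added illustration, not part of this article and not a recommendation by its author, of the distinction a security engineer has to get right in practice: an unkeyed hash of a low-entropy identifier (an IPv4 address, an e-mail address from a customer list) is reversed by simply guessing inputs, whereas a keyed HMAC whose key is held apart from the dataset meets the Art. 4 (5) definition while keeping records of the same person linkable. The records, addresses and the key are constructed for the example; storing the key in a separate KMS or HSM is assumed, not implemented.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample records; the people and addresses are fictitious.
RECORDS = [
    {"email": "anna.mueller@example.de", "ip": "192.0.2.17", "purchase": "shoes"},
    {"email": "ben.schulz@example.de", "ip": "198.51.100.4", "purchase": "book"},
    {"email": "anna.mueller@example.de", "ip": "192.0.2.17", "purchase": "socks"},
]

DIRECT_IDENTIFIERS = ("email", "ip")


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, but anyone can re-run it over guessed inputs: the whole
    IPv4 space is only 2^32 values and a customer e-mail list is far smaller,
    so this is obfuscation, not pseudonymisation.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token.

    The key is the 'additional information' of Art. 4 (5): it is stored
    separately from the pseudonymised dataset (assumed: a KMS or HSM), so the
    dataset alone cannot be attributed to a data subject. Tokens are still
    deterministic, so records for the same person remain joinable.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return a copy of the records with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = pseudonymise(rec[field], key)
        out.append(copy)
    return out


def ipv4_candidates(cidr: str):
    """All addresses in a CIDR block, as an attacker's guess list."""
    return [str(ip) for ip in ipaddress.ip_network(cidr)]


def reidentify_by_guessing(token: str, candidates, transform):
    """Dictionary attack: apply `transform` to each guess until one matches.

    Succeeds against naive_hash. Against pseudonymise() it only succeeds if
    the attacker also holds the key, which is what key separation prevents.
    """
    for guess in candidates:
        if hmac.compare_digest(transform(guess), token):
            return guess
    return None


def new_key() -> bytes:
    """256-bit pseudonymisation key; keep it apart from the data it protects."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    pseudonymised = pseudonymise_records(RECORDS, key)
    guesses = ipv4_candidates("192.0.2.0/24")

    # The unkeyed hash of the IP falls to a 256-guess dictionary.
    print(reidentify_by_guessing(naive_hash(RECORDS[0]["ip"]), guesses, naive_hash))
    # The keyed token does not, even with the correct guess list.
    print(reidentify_by_guessing(pseudonymised[0]["ip"], guesses, naive_hash))
    # Same person, same token: the pseudonymised dataset still joins.
    print(pseudonymised[0]["email"] == pseudonymised[2]["email"])
```

Two practical consequences follow. First, a pseudonymised dataset is still personal data for the organisation that holds the key, so the GDPR continues to apply to it; pseudonymisation reduces risk and supports Art. 32, it does not take the data out of scope. Second, rotating the key breaks linkability across the rotation boundary, so key lifecycle has to be planned together with the retention period.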
GDPR provides for a two-tier system of administrative fines (Art. 83 GDPR). Breaches of the more administrative provisions, including the obligations of controllers and processors under Art. 25 to 39 (data protection by design, security of processing, breach notification, DPO designation), are subject to a maximum fine of € 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of the basic principles for processing, of the data subjects' rights or of the rules on international transfers may be fined up to € 20 million or 4% of the total worldwide annual turnover, again whichever is higher. The wording of Art. 83 GDPR does not state whether the turnover-based cap refers to the group or to the legal entity in breach; Recital 150, however, refers to the concept of an "undertaking" within the meaning of Art. 101 and 102 TFEU, which points towards the economic unit and thus the group turnover.
To avoid breaches and the resulting sanctions, all addressees of the GDPR should, before 25 May 2018, adapt their compliance management systems and in particular implement procedures that ensure compliance with the new rules: records of processing activities, updated privacy notices, a workflow for consent and data-subject requests, security measures under Art. 32 and a tested breach response plan. Addressees of the GDPR are well advised to consult legal experts to develop solutions tailored to their business.