The European General Data Protection Regulation adopted in April 2016 (GDPR – Regulation (EU) 2016/679 dated 27 April 2016) will become directly applicable from 25 May 2018. Compared to current legislation, it contains new and in part significantly stricter requirements for companies when dealing with personal data.  In view of the drastically steeper financial penalties for breaches of up to 20 million Euros or 4% of annual global turnover, companies should promptly address the implementation of the GDPR if they have not done so already.

Following the adoption of the GDPR in April 2016, the EU gave all parties concerned two years to prepare for the significantly stricter compliance requirements. No further transition period, during which the provisions of the GDPR are not applicable either in whole or in part, is scheduled after 25 May 2018.

In contrast to the way in which the legislation was applied in the past, when the rules of the Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) were of central importance to the legal evaluation of the processing of personal data, the revised BDSG (Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 (Datenschutz-Anpassungs- und Umsetzungsgesetz) dated 30 June 2017, as reported in the Federal Law Gazette 2017, Part 1, No. 44 on 05 July 2017, p. 2097 et seq.) only supplements the GDPR. It uses the so-called “opening clauses” contained in the GDPR to regulate particular areas in derogation from or as a supplement to the GDPR. However, such supplementary regulations may not conflict with the GDPR.  

As previously discussed (see our article “Be prepared: Changes in dealing with customer data introduced by the GDPR”, Preu Bohlig Newsletter August 2017), the GDPR does not contain any specific regulations for the Internet sector, such as the permissibility of cookies, tracking, social media services, etc. This area is to be covered by the new ePrivacy Regulation (ePV, cf. 2017/0003 (COD)), which was originally meant to come into effect in parallel with the GDPR on 25 May 2018. However, the legislative process of the ePV has been delayed due to, inter alia, differences of opinion concerning the permissibility of online tracking and cookies. As a result, the yet-to-be-finalised ePV is not expected to take effect before 2019. Any legislative gaps resulting from this delay between now and the effectiveness of the ePV should be addressed using Article 95 GDPR and its Recital 173, subject to the national data protection regulations for the relevant area. In Germany, this is the Telemedia Act (Telemediengesetz or TMG) that was most recently adapted in October 2017. Please see Sec. 11 et seq. TMG.

Previously, when dealing with the responsible supervisory authorities for data protection, e.g. in the event of a customer complaint, it was the duty of the supervisory authority to prove a company’s breach of the relevant data protection regulations. This will change fundamentally going forward, since under Article 5 para. 2 GDPR:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”

Article 5 para. 1 GDPR sets out the principles relating to the processing of personal data (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, integrity and confidentiality). If the controller cannot account for a possible breach, the supervisory authorities now have significantly increased powers.  These may include warnings or the revocation of a data protection certification as well as investigative powers, e.g. a demand to make all information in the company available in order to carry out a data protection inspection.  Such investigative powers may be enforced using coercive methods, for example by imposing penalty payments. In particular, if a controller intentionally and substantially violates applicable data protection provisions, the authorities may, depending on the type, extent and duration of the relevant breach, impose a fine of up to 20 million Euros or up to 4% of annual global turnover, whichever is higher.

How can the controller, usually the company, ensure proper accountability?

Above all, this requires the legally compliant documentation of data processing, by which it can be demonstrated that the personal data of the data subject was processed in a lawful manner, for certain specific legitimate purposes, in a factually correct way. Similar to current legal regulations regarding the directory of procedures, cf. Sec. 4g para. 2, 4e BDSG, Article 30 GDPR stipulates that controllers must prepare a procedure index, which should include the name and contact details of the controller, the purposes of data processing, a description of the categories of data subjects and of personal data, as well as, if possible, the envisaged time limits for erasure of the different categories of data. In practice, the necessary record of processing activities has to be created and developed on the basis of the (hopefully) existing directory of procedures that the controller has already prepared. Along with the individual processing activities, the relevant legal basis for the processing, e.g. the underlying contract or the permission of the data subjects, should be listed in this procedure index.

With regard to the permission of the data subjects, which is particularly important in practice, please refer to Article 6 para. 1 a) GDPR, according to which the processing of personal data relating to a person is only lawful if permission has been obtained from that person “for one or more specific purposes”.  Some of the blanket customer consents granted under the previous law (e.g. “I consent to the use of my personal data for marketing purposes…”) will no longer be sufficient to satisfy these new requirements and will not provide an adequate legal basis for processing personal data once the GDPR takes effect. Any corresponding personal data should be deleted if no new, sufficiently specific consent is obtained. The text of the consent together with the details of the process for which consent is being obtained must be documented (electronically), archived, and reviewed for conformity with the GDPR.

After the documentation of processing operations with respect to personal data, the controller must document the relevant internal procedural requirements and process rules, such as internal data protection guidelines, company processes when handling personal data, e.g. in the event of customer complaints, deletion requests and “data incidents”, together with the relevant organisational structures with the company management.  The same applies to the area of technical data security, starting with access regulations, firewalls, encryption regulations, etc.

Existing contracts of controllers, which relate to the processing of personal data, must be reviewed with regard to compliance with the new standards introduced by the GDPR and should be adapted as necessary. The same applies to existing agreements regarding contract data processing, which must also be adapted to the GDPR standards.

If the processing of personal data is likely to result in a high risk to the data subject due to the nature, scope, context and purposes of the processing (see Article 35 GDPR), the controller must carry out a documented data protection impact assessment. This will require an evaluation of the objectives pursued by the processing, and weighing the affected interests and rights of the relevant natural persons. Such a documented data protection impact assessment can be required, e.g. in the systematic monitoring of employees, in the scoring and profile creation of natural persons, or in the handling of sensitive personal data (relating to health, ethnicity, religion, etc.).

Companies which have not yet taken the necessary measures for achieving GDPR compliance are strongly advised to initiate the process immediately.