The German Data Protection Authorities (German DPAs) released a “Report on the Experience Gained in the Implementation of the GDPR”, which was adopted at their conference on November 6, 2019 (Report; available in German here and English here). In this blog post, we summarize the key issues that the German DPAs have raised in the Report.

Background

Under Article 97 of the EU General Data Protection Regulation (GDPR), the EU Commission is required to submit an evaluation and review report on the implementation of the GDPR by May 25, 2020 – so two years after the GDPR became applicable. The German DPAs want to share their experience to contribute to this process and have thus published the Report. The German DPAs opine that the GDPR’s regulatory concept and objectives have largely proved successful and that the heavy GDPR fines are a driver for developing broad-based awareness of data protection. However, they also acknowledge that some uncertainty remains when it comes to GDPR implementation and that there still is a need for guidance from the supervisory authorities.

Key GDPR issues identified in the Report

The German DPAs have identified nine key issues associated with GDPR implementation and provided the following suggestions for improvement in the Report:

1. Making life easier and practicability

The German DPAs reiterate that the GDPR must be suitable for everyday use. In particular, they raise the following three issues:

Information obligations (Article 13 GDPR) during data collection by telephone

  • The German DPAs consider it “unrealistic” to provide comprehensive information in accordance with Article 13 GDPR in case of a verbal or telephone contact. They refer to complaints by data subjects about information overload in this regard.
  • Suggested solution: It should be sufficient to implement a layered, risk-based approach, telling the data subjects where they can find further relevant information.

Right to a copy of personal data (Article 15(3) GDPR)

  • The German DPAs acknowledge the heated debate surrounding the scope of the right to a copy of personal data under Article 15(3) GDPR.
  • Suggested solution: The scope of the right to a copy of personal data should be clarified, e.g., by supervisory authorities.

Duty to communicate details of data protection officers to supervisory authorities (Article 37(7) GDPR)

  • The German DPAs note that the duty to communicate the contact details of data protection officers to the supervisory authorities under Article 37(7) GDPR creates additional work for controllers and unnecessary processing of personal data by the supervisory authorities.
  • Suggested solution: Article 37(7) GDPR should be deleted.

2. Data breach reports

  • The German DPAs note that the number of data breach notifications has increased significantly since the GDPR became applicable. Many controllers notify breaches without having done a risk assessment due to the potentially heavy fines, leading to the notification of trivial and minor breaches.
  • Suggested solution: The data breach notification obligation should be limited to cases that are likely to result in more than merely a minimal risk to the rights and freedoms of data subjects.

3. Purpose limitation

  • The German DPAs discuss the legal bases and requirements for further processing of personal data where the purpose of the processing changes.
  • Suggested solution: Article 6(4) GDPR should be amended to clarify that further processing of personal data shall be limited to that which is carried out by the same controller.

4. Data protection by design

  • In the view of the German DPAs, the data protection by design requirement in Article 25(1) GDPR does not reach the target group of producers and has thus hardly caught on in practice. It is addressed to data controllers, which often do not develop hardware and software themselves but rely on contractors’ services.
  • Suggested solution: The GDPR should be amended to oblige producers to implement data protection by design and the liability section in Article 82 GDPR should be extended to producers.

5. Supervisory authorities’ powers

  • The German DPAs criticize that their powers under Article 58(2) GDPR are limited to “processing operations.” However, the GDPR also contains obligations that are independent of the processing principles set forth in Article 5 GDPR (e.g., the designation of a data protection officer or the duty to maintain a record of processing activities).
  • Suggested solution: The reference to “processing operations” in Article 58(2)(a) and (b) GDPR should be deleted.

6. Provisions on consistency

  • The German DPAs address the lack of clarity as to whether the consistency mechanism must be triggered for each administrative arrangement that serves as the basis for an international data transfer and is thus submitted to the supervisory authorities for authorization (Article 46(3)(b) GDPR).
  • Suggested solution: The GDPR should be amended to clarify that administrative arrangements must be submitted to the European Data Protection Board.

7. Direct marketing

  • The German DPAs note that EU member states have very different traditions regarding direct marketing and, thus, data subject expectations also differ.
  • Suggested solution: The EU legislature should create more detailed direct marketing provisions.

8. Profiling

  • The German DPAs describe profiling as “one of the key data protection policy challenges of our times”. They state that most of the GDPR provisions do not cover “profiling as such” and, thus, assessments usually have to be based on the general elements set forth in Article 6 GDPR.
  • Suggested solution: The GDPR provisions on profiling should be amended, providing greater transparency and more control to data subjects. Further, the only possible legal bases for profiling should be consent or contractual necessity.

9. Accreditation

  • The German DPAs and Germany’s accreditation body are in dispute over whether the German accreditation body must also be involved in accreditation under Article 41 GDPR.
  • Suggested solution: It should be clarified that the German DPAs are the only body responsible for accreditation under Article 41 GDPR.

Comment

The Report highlights some of the key practical issues in GDPR implementation that require further clarification by the legislature or by the supervisory authorities themselves. It remains to be seen whether the EU Commission will include these comments in its report in the coming months.