General Data Protection Regulation (GDPR)

Get your information & act now!

What does GDPR mean?

GDPR stands for General Data Protection Regulation, which will apply directly in all member states of the European Union from 25 May 2018.

Objectives of the Regulation

Besides harmonizing data protection law in Europe, the Regulation aims to strengthen the rights of those affected and to improve data security. At the same time, the documentation and accountability obligations of companies are expanded.

Timetable and validity of the Regulation

The General Data Protection Regulation has been in force since 25 May 2016, but does not apply in full until 25 May 2018 (Art. 99 GDPR). As this is a European Regulation, it will apply throughout Europe immediately from this date, in contrast to a Directive, which first has to be transposed into national law. Because of the fully harmonizing effect of the Regulation, no further, stricter or deviating rules under national law may exist from 25 May 2018, unless the Regulation itself permits member states to adopt such rules (a so-called opening clause).

General Data Protection Regulation (GDPR) checklist

Compact information on GDPR for free!

Our Services

Establishing Compliance

Here's how we approach the GDPR challenge to help you become compliant.

Maintaining Compliance

The GDPR challenge is not over once compliance has been established. Here's an overview of the additional services we provide.

Material changes from the previous legal position

The Regulation retains many established concepts and principles. In particular, it keeps the general prohibition on processing personal data unless a legal permission applies, as was previously the case under Data Protection Directive 95/46/EC. Even so, several points have been added or are treated differently. The following sections briefly highlight the material aspects of the new rules.

1. Market location principle, geographical area of application

European data protection law now also applies to companies which have no establishment in the EU but which offer goods or services on the European market.

2. Area of application of contract data processing  

Whereas contract data processing was previously only possible within Europe, it is now possible using contractors outside Europe, provided that the further requirements are satisfied. These include in particular the careful selection of the contractor and an examination of its technical and organizational measures with regard to data protection.

3. Group preferential treatment

As before, the Regulation does not give corporate groups any general preferential treatment, i.e. transmission of data to companies within the same group constitutes transmission to a third party within the meaning of the law and requires a legal justification as such.

4. Partial preferential treatment for groups

There is much talk currently about a partial preferential treatment for groups. This is based on recital 48 of the Regulation, which states that a controller that is part of a group may have a legitimate interest in transmitting personal data within the group for internal administrative purposes. This provides a basis for justifying such transmission within the general balancing of interests under Art. 6 of the Regulation. While there is no clear rule, it gives companies an opportunity for justification, provided that the other requirements for data processing are met.

5. Information obligations 

The Regulation significantly intensifies the controller's obligations to provide information in order to increase the transparency of data processing.

6. Data collection 

Arts 13 and 14 of the Regulation define the information that must be provided to those affected when data is collected; because of their extent, these obligations take on some of the character of a formal notification of rights. Companies need to check what modifications to their systems, contracts and General Terms & Conditions are necessary to meet all of the Regulation's information obligations.

7. Further obligations to provide information

A company must also report data protection violations, the lifting of a restriction on processing, one-time transfers to third parties and further processing for a different purpose. The latter obligation in particular can be relevant for many companies, as a change of purpose can arise quickly.

8. Privacy by Design / Privacy by Default

Art. 25 of the Regulation sets out the principles of data protection through technical design (privacy by design) and through data-protection-friendly default settings (privacy by default). Under these, companies are required to take data protection requirements into account already in the planning and design phase and to implement the principles there. When designing and procuring technical means of processing, care must be taken to ensure that the technical and organizational measures needed for effective compliance with data protection have been put in place. The same applies to the safeguards built into such equipment and systems. For example, it must be checked whether processing software allows different authorization concepts to be configured so that access to data can be limited to those individuals who actually need it.

It should be borne in mind that the Regulation binds only the controller, and not the manufacturers of data processing equipment and systems. The idea is that controllers, because of their own obligations, will push manufacturers to make the modifications needed to comply with the requirements.

Existing equipment and systems must be reviewed for this. In addition, the planning of new systems must always be checked against these requirements, and the offers, General Terms and Conditions and contracts of any suppliers should be reviewed to ensure compliance with the new requirements.

9. Consent

The requirements for valid consent to data processing have been modified in a number of respects. For example, in future tacit consent will also be sufficient, provided that it is unambiguous. There are accordingly substantial information obligations under the new Regulation in connection with valid consent.

10. Prohibition on tying

The Regulation includes a prohibition on tying with regard to consent. However, Art. 7 para. 4 of the Regulation merely requires that such tying be taken into account to the greatest possible extent when assessing consent. There is scope for interpretation here.

11. Continued validity or renewal of existing consent

The question arises whether companies are now obliged under the new Regulation to obtain fresh consent meeting its requirements even from existing customers. Recital 171 of the Regulation states that existing consent remains valid provided that it already meets the conditions of the Regulation. Companies are accordingly advised to subject all existing consent to a formal and substantive review against the requirements of the Regulation, to ensure that continued use of the data is not unlawful.

12. Penalties

The Regulation contains an extensive and severe catalogue of fines for violations of its various requirements.


The Regulation provides for fines of up to EUR 10,000,000 or 2% of global annual sales, or up to EUR 20,000,000 or 4% of global annual sales, depending on the violation. This represents a drastic increase in the scale of fines for data protection violations.


Naturally, these maximum amounts are not due for every violation of the Regulation. However, it should not be assumed that the legislator provided for such substantial amounts expecting the authorities never to make use of them. It should accordingly be expected that substantially larger fines will be imposed once the Regulation applies in full.


The following overview of the fines for violations also shows that companies can now be fined for failure to comply with almost any of their obligations. Companies should accordingly start reviewing their compliance with the Regulation's requirements soon, in order to avoid a rude awakening and substantial penalties.

Fine of up to EUR 10,000,000 (or 2% of global annual sales): violations of Arts 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43 GDPR
Fine of up to EUR 20,000,000 (or 4% of global annual sales): violations of Arts 5, 6, 7, 9, 44-49 and 58 GDPR

Blog 

In-depth information on topics regarding the GDPR.

Corporation privileges in data protection

Data processing between entities within a corporate group according to the GDPR.

Processing: Changes in data protection regulations

Information on the new principles of processing.

Privacy by Design and Privacy by Default (GDPR)

Information on the new principles of Privacy by Design and Privacy by Default.

General Data Protection Regulation (GDPR)

In-depth information on the objectives, timetable and validity of the Regulation and on material changes from the previous legal position.

What is GDPR.NINJA?

GDPR.NINJA is a service provided by Rickert Rechtsanwaltsgesellschaft mbH to support companies in the area of data protection. The offer includes consultancy and support on current statutory data protection requirements and, in particular, on the legally compliant implementation of the General Data Protection Regulation. If needed, we offer interdisciplinary cooperation with experts from the respective EU member state or the USA, to ensure comprehensive and consistent compliance with data protection requirements.

Contact

Got questions? We're here to help!

Law office Rickert Rechtsanwaltsgesellschaft m.b.H.
Kaiserplatz 7 - 9, 53113 Bonn

Talk to us: +49 (0)228 - 74 89 80

Copyright Rickert Rechtsanwaltsgesellschaft © 2017