Timetable and validity of the Regulation
The General Data Protection Regulation has been in force since 25 May 2016, but apply in full until 25 May 2018 (Art. 99 GDPR).
As this is a European Regulation, it will – in contrast to a Directive which first has to be enacted in national law – apply throughout Europe immediately from this date.
Due to the fully-harmonized effect of the Regulation, no further, stricter or deviating regulations under national law may exist from 25 May 2018, unless the Regulation itself permits member states to adopt such a regulation (so-called saving clause).
1. Market location principle, geographical area of application
European data protection law now also applies to companies which do not have a registered place of business in the EU but which offer goods or services on the European market.
2. Area of application of contract data processing
Whereas contract data processing was previously only possible within Europe, it is now possible using contractors outside Europe, if the further requirements are satisfied. These include specifically the careful selection of the contractor and examination of their technical and organization measures with regard to data protection.
3. Group preferential treatment
The Regulation also does not give groups any preferential treatment, i.e. transmission of data to companies within the same group now constitutes transmission to a third party within the meaning of the law and requires justification as such.
4. Partial preferential treatment for groups
There is much talk currently about the partial preferential treatment for groups. This is based on para. 48 of the Regulation which states that a controller that is part of a group may have a legitimate interest in transmitting personal data within the group for internal administrative purposes. This provides a basis for arguing for justification of such transmission within the general balancing of interests in Art. 6 of the Regulation. While there is no clear rule, it gives companies an opportunity for justification, provided that the other requirements for data processing are met.
5. Information obligations
The Regulation significantly intensifies the collector’s obligations to provide information in order to increase the transparency of data processing.
6. Data collection
Arts 13, 14 of the Regulation define the obligations to provide information in the course of data collection to those affected, which because of their extent have some of the nature of a formal notification of rights. It is necessary to check here what modifications to a company’s systems and contracts or General Terms & Conditions are necessary to meet all the Regulation’s obligations to provide information.
7. Further obligations to provide information
A company must also report data protection violations, cancellation of a restriction on processing, one-time transfer to third parties or further processing for a different purpose. The latter obligation in particular can be relevant for many companies, as a change purpose can arise quickly.
8. Privacy by Design / Privacy by Default
Art. 25 of the Regulation presents the principles of data protection through technical means (privacy by design) and organization means favorable to data protection (privacy by default). Under these companies are required to bear the needs of data protection in mind in the planning and concept phase and to implementation the principles here. In designing and procuring technical means of processing care must be taken to ensure that the technical and organizational measures have been taken for effective compliance with data protection. The same applies to the safeguards in such equipment and systems. It is, for example, to check whether processing software provides an opportunity to save various authorization concepts so that access to date can be limited to those individuals who actually must have access.
It should be borne in mind that the Regulation commits only the controller, and not the manufacturers of data processing equipment and systems. The idea here is that the controller should, because of its own obligations, influence the manufacturers to make the corresponding modifications to comply with the requirements.
Existing equipment and systems must be reviewed for this. In addition, planning of new systems must always be reviewed to see whether these comply with the requirements, and offers, General Terms and Conditions and contracts of any suppliers should be reviewed to ensure compliance with the new requirements.
The requirements for valid consent to data processing have been modified in a number of respects. For example, in future tacit consent will also be sufficient, provided that it is clear. There are accordingly substantial obligations to provide information under the new Regulation with regard to valid consent.
10. Prohibition on tying
A prohibition on tying is included in the Regulation with regard to consent. However, Art. 7 para. 4 of the Regulation merely requires that the link must be considered in the broadest possible terms in assessing consent. There is scope here for interpretation.
11. Continued validity or renewal of existing consent
The question arises whether companies are now obliged under the new Regulation to obtain new consent meeting the requirements of the Regulation even for existing customers. The Regulation states in para.171 that existing consent remains valid provided that it already meets the conditions of the Regulation. Companies are accordingly advised to subject all existing consent to formal and substantial review with regard to the requirements of the Regulation, to ensure that continued use of the data is not illegal.
The Regulation contains an extensive and severe catalogue of penalties for violations against the various requirements.
The Regulation provides for fines up to EUR 10,000,000 or 2% of global annual sales or EUR 20,000,000 or 4% of annual global sales, depending on the violation. This represents a drastic increase in the scale of fines for data protection violations.
Naturally, these amounts are not due immediately for each violation of the Regulation. However, it should be assumed that the legislator did not provide for these substantial amounts on the assumption that the authorities would not make use of them. It should accordingly be assumed that substantially larger fines will be imposed as soon as the Regulation comes into force.
The following overview of the fines for violations also shows that companies are now subject to fines for failure to comply with almost any of their obligations. Companies should accordingly start soon to review compliance with the Regulation’s requirements, in order to avoid a rude awakening and substantial penalties.
|| Arts 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43 GDPR
|| Arts 5, 6, 7, 9, 44-49, 58 GDPR