The General Data Protection Regulation (Regulation (EU) 2016/679)
The GDPR replaces the Data Protection Directive 95/46/EC from 1995. In contrast to the Directive, the GDPR is directly applicable throughout the European Union. In essence, it continues the existing basic principles of data protection (prohibition unless permitted, data minimization, purpose limitation and transparency) and develops them further.
In addition, a further central principle was introduced: the assurance of data security, taking the current state of the art into account.
Here you'll find the most important facts:
The liability of owners and managing directors for breaches of data protection rules remains the same. As before, this liability is not transferable.
However, the amount of possible fines changes dramatically.
Fines had formerly been imposed rather rarely and, apart from individual cases, at moderate levels (a few hundred to several thousand euros). A significant increase in inspections, and in the proceedings resulting from them, can now be expected. Fines of up to € 20 million or 4% of the worldwide turnover of the previous year (whichever is higher) can be imposed.
A paragraph in the GDPR (Art. 83 para. 1) states that a fine has to be "...effective, proportionate and dissuasive in every individual case".
Thus, the GDPR is one of the few laws (if not the only one) that stipulates that a penalty has to have a deterrent effect.
The objectives of the EU GDPR are the protection of the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, as well as the right to data portability.
These objectives are to be achieved through the principles of personal data processing: lawfulness, good faith, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
The GDPR does not completely change European data protection law, but it brings a number of significant changes affecting daily work. The same data protection standards will apply in all EU countries; there are no data privacy havens within Europe.
What are the rights of a data subject?
- Right of information
- Right of access
- Right to rectification, erasure, restriction of processing
- Right to data portability
Data subjects have easier access to their data. Everyone has the right to know what data is processed about them. In addition, the data subject is entitled to receive clear and easily understandable information about who processes their data, for what purpose, and where.
Affected persons must be informed in more detail if data has been compromised or lost. This allows the person concerned to take their own protective measures.
Your personal data belongs to you, not to the Internet service that processes it. With the GDPR, the data subject has the right to simply move data from one Internet provider to another.
The right to be forgotten is strengthened. It is easier to have once-published information deleted.
The transparency and information requirements that companies have to follow lead to significantly stronger protection of the affected parties than under the former German Federal Data Protection Act (BDSG).
The obligation to report data breaches to the supervisory authorities is tightened.
If such an infringement is detected, it must be reported immediately (within 72 hours) to the competent supervisory authority. If the data protection infringement is likely to pose a high risk (this is the case in any event when health or bank / credit card data are affected), the company must additionally inform the affected persons.
Failure to notify the supervisory authority and / or the affected persons constitutes a violation of the GDPR.
Companies have to conduct a data protection impact assessment before personal data is processed electronically.
The company has to determine the possible effects of the processing on the protection of personal data. An impact assessment is always necessary if the nature, scope, circumstances and purpose of the processing are likely to pose a high risk to the rights and freedoms of the persons concerned.
Practically every company is obliged by the GDPR to keep a so-called "record of processing activities" that follows the exact requirements of the GDPR.
Contrary to the previous procedure, no publicly available part of the record is required. The record may also be kept electronically only, and it must be presented at the request of the supervisory authorities.
Violations of the obligation to keep the record are punishable by a fine (up to € 10 million).
The "data processing on order (Auftragsdatenverarbeitung)" anchored in the BDSG becomes "processing (Auftragsverarbeitung)" in the GDPR.
As before, the client is responsible for following the rules of the GDPR. The extended content requirements for the agreement to be concluded, and the joint liability of client and contractor, are new with the GDPR.
The integration of subcontractors, which has hitherto been possible without any formalities, has been formalized in the GDPR. Liability is also extended to subcontractors.
Technical and organizational measures (TOM) are already known from the former BDSG. The GDPR, however, makes TOM much more important and requires constant adaptation to technology and risk.
TOM shall be implemented, taking costs and expenses into account, so that:
- a reasonable level of protection is achieved
- the current state of the art is implemented
- the nature, scope, circumstances and purpose of data processing are taken into account
- the probability of occurrence and severity of risks to the persons concerned are taken into account
TOM must now also be fulfilled for data processing carried out by the processor.
Although the GDPR (DSGVO) is already applicable, it is not too late to take action. Supervisory authorities recognize that implementation is not an easy task.