It applies - the new GDPR!
What do companies need to consider as a result of the new EU General Data Protection Regulation (GDPR)? Questions and answers.
The EU's stricter data protection law applies. The European Commission Representation in Germany has compiled frequent questions and answers.
What are the advantages of the new GDPR?
Under the reform, citizens will have more control over their personal data. The new rules ensure that companies and institutions must say exactly what data they want for what purpose. For citizens, this regulation brings various advantages:
- The "right to be forgotten": If a citizen does not want his or her data to be processed, the data must be deleted if there is no legitimate reason for storing it. This is exclusively about protecting privacy; no past events are to be deleted, nor is freedom of the press to be restricted.
- Access to one's own data: Citizens are better informed about how their data is processed. This information must be clear and understandable. A right to data portability makes it easier for citizens to transfer personal data between different providers.
- The right to know if your own data has been hacked: Companies and organizations must notify national supervisory authorities of all data breaches that have created a risk for the data subject. In addition, the data subject must be informed as soon as possible of any high-risk breaches so that he or she can respond accordingly.
- Data protection through technology and data protection-friendly default settings: "Privacy by design" and "privacy-friendly default settings" are now essential elements of EU data protection legislation. Privacy safeguards are being integrated into the development of products and services at an early stage, and privacy-friendly default settings are becoming the norm in social networks or mobile apps, for example.
What are the most important changes for companies?
The new GDPR builds on the rules of the Data Protection Directive that have been in place for more than 20 years. The basic principles of data protection are not changed, but updated and modernized. The decisive innovation is that a uniform European data protection law now replaces the various laws of the member states. A common data protection regulation will be created from the 28 different laws. This will create a uniform and clear set of rules for companies and public authorities, making it easier and cheaper to do business across the EU.
The "one-stop shop" will also create a central point of contact for companies. Companies will then only have to address one single authority instead of 28. This will ensure the necessary legal certainty for business activities. Companies will benefit from faster decisions, a single point of contact (elimination of multiple contact points) and less bureaucracy. In addition, they can rely on uniform decisions for the same processing activities in several member states.
The new data protection rules apply to all companies, regardless of where they are based. This means companies based outside Europe must follow the same rules if they offer goods or services in the EU.
Unnecessary bureaucracy?
The General Data Protection Regulation removes obstacles to growth at European level, especially for small companies. For example, it abolishes formalities such as general notification requirements that were common in many member states. And there will be a single data protection regime across the EU in the future, with a single point of contact and a uniform interpretation of the rules. This will also benefit medium-sized companies that offer their products or services in other member states. They no longer need to hire a lawyer to adapt to regulations there.
And anyone who complies with the rules of the currently applicable Data Protection Directive should not have too much difficulty implementing the General Data Protection Regulation. The basic principles have not changed.
What are the exceptions for smaller companies?
The General Data Protection Regulation deliberately provides for fewer obligations for smaller companies. For example, if a smaller company is not primarily engaged in processing personal data, it does not need to appoint a data protection officer or prepare a detailed data protection impact assessment. Such companies do generally have to document their data processing if they regularly process personal data and make this available to the data protection authority upon request. However, a simple one-page listing will suffice here.
For example, a craft business that only stores information about its employees or customers for its own purposes and does not resell this information basically only needs to ensure that this data is stored securely. A small bakery does not need a data protection impact assessment.
Does the GDPR conflict with other data processing laws?
In principle, there are no conflicts here. The GDPR allows special clauses for the processing of personal data if required and does not prevent companies from complying with their legal obligations.
On the contrary, if national or European law imposes a legal obligation on employers to process data, this is lawful under the Data Protection Regulation. The important thing here is that in such cases the employee is clearly and fully informed about the processing of his or her data.
Who is responsible for prosecuting violations of the data protection regulation? How can uniform application in the individual member states be guaranteed?
In the future, there will not only be uniform data protection regulation throughout Europe, but also much closer cooperation between the national supervisory authorities. In the new European Data Protection Board, which includes the heads of the national data protection authorities, uniform application will be regularly monitored.
The GDPR also introduces the so-called "one-stop shop" mechanism, which ensures cooperation between data protection authorities when a company's activities involve data processing operations in several member states. There is a single point of contact for the company and a uniform interpretation of the rules by the highest supervisory authority of the member state where the company's main establishment is located.
What penalties will companies face if they violate the new data protection regulations?
The data protection authorities are authorized to penalize violations of the data protection provisions. They can take remedial action or impose fines. However, the decision on fines must always be proportionate and take into account all the circumstances of the individual case. To this end, the penalties are proportional to the size of the organization. Those who fail to apply the requirements of the data protection regulation face penalties of four percent of their annual turnover. This ensures that global companies and Internet giants also have an interest in complying with the rules.
Do companies have to expect fines if they fail to implement all the requirements?
In principle, there is no grace period. After a two-year transition period, the regulation will come into force on May 25, 2018. Companies have therefore had two years to prepare for the new rules. However, the national authorities will certainly pay attention to the proportionality of the sanctions.
There are clear criteria: If a company cooperates or the number of people affected is manageable, it does not have to fear draconian penalties. If, on the other hand, a company conceals a data leak and does little to clear it up, the authorities will get serious.
Tools: 7 steps for companies
Specifically for companies, the Commission has developed a guide, also published in German on the web, in which the most important questions are answered. In addition, there is an overview "Seven steps for companies to prepare for the General Data Protection Regulation".
Source: EU Commission, Representation Germany