Need for action by business enterprises and public authorities: The new data protection law 2018

Data protection law has been revised throughout the EU. The new regulations will become binding as of 25 May 2018.

1. What new regulations will apply as from 25 May 2018?

  • General Data Protection Regulation
    The core of the new data protection law is the “General Data Protection Regulation” (GDPR) of the European Union. One of the objectives of the GDPR is the harmonisation of the data protection levels within the EU; therefore, it will be directly applicable in each EU Member State. In some parts, the GDPR contains “flexibility clauses”, which allow the individual countries to structure specific areas of data protection themselves.

  • German Federal Data Protection Act
    Accordingly, the German Federal Data Protection Act (GFDPA) will be updated and will apply in addition to the GDPR. Germany has, for example, made use of the leeway provided by the GDPR by a revision of the GFDPA in the areas of data protection officers and administrative offences.

  • ePrivacy Directive

    The “ePrivacy Directive” applies to the Internet and the related provision and use of electronic communications services. The ePrivacy Directive applies, in particular, to website operators and contains provisions regarding cookies and direct advertising.

2. Who is subject to the new law?

Generally, data protection law applies to anyone. While it grants to persons who provide their personal data (data subjects) comprehensive rights of protection and information, it imposes duties on business enterprises and public enterprises which process data (data controllers). Business enterprises and public authorities should review whether their processes in relation to personal data are compatible with the new data protection law.

Special attention must also be paid to the extended territorial applicability of the GDPR, which now no longer ends at the external borders of the EU. Rather, it also applies to data processing activities by business enterprises which have a business seat outside the EU, i.e., in “third countries”, while their activities focus on offering goods or services to persons within the EU or the monitoring of their behaviour.

3. Where does a need for action exist?

Although Germany has already had high legal standards in relation to data protection, the reform will result in a need for action.

We set out below some topics to which special attention should be paid as a result of the new law.

  • Extended duties to provide information

    Prospective and existing customers whose data are to be collected and processed must be comprehensively informed of the data processing in a precise, understandable and easily accessible form and in clear and simple language. In addition to a large number of additional topics which must be observed depending on the specific situation, information must be provided regarding the contact details of the data protection officer, the recipient or group of recipients in the case of the transmission of data, the intention (if any) to transmit data to a third country, the existence of a right of appeal to a regulatory authority, the question whether the provision of the personal data is required by law or contract, or is required to conclude a contract, and - if the data are not collected from the data subject directly - the source of the data.

    In that context, it will also be required to update the privacy statements, in particular, in the online sector.

    Additional duties to provide information to regulatory authorities and data subjects will arise in the event of a violation of the protection of personal data, e.g., if a third party was able to access a database without authorisation.
  • Commissioned data processing

    Existing contracts with commissioned data processors tailored to § 11 GFDPA might no longer meet the minimum requirements set by article 28 GDPR. The liability risk of commissioned data processors will increase. A differentiation between commissioned data processing and the assignment of functions is no longer made, so that a party will either be a data controller of a commissioned data processor.

    There will be the option of “joint control”, i.e., joint responsibility for the data processing of various parties involved.
  • Privacy by design and by Default

    The requirements, “privacy by design” and “privacy by default”, impose on data controllers a duty to use data protection-friendly systems and settings in advance, i.e., before the implementation of new processing procedures. The objective is to encourage data controllers to consider data protection law as early as at the conception stage of new data processing procedures. Measures to be taken in that context must be guided by the principle of data scarcity and the use of protection mechanisms (such as encryption or pseudonymisation).
  • Data protection officer

    The duty to appoint a data protection officer (“DPO”) always exists for governmental institutions. Private business enterprises must, inter alia, appoint a DPO if their core activities consist of the comprehensive, regular and systematic monitoring of data subjects, if more than nine persons are regularly in charge of the automated processing of personal data, or if data processing activities require a “data protection impact assessment” in accordance with article 35 GDPR.

    Please note that there exist additional constellations where a DPO must be appointed. In case of doubt, we recommend that the specific business enterprise be reviewed in that respect.
  • Records of processing activities

    Each data controller must keep records of all data processing activities within their area of responsibility. Generally, that duty exists for business enterprises with more than 250 employees, and for smaller enterprises in defined exceptional cases. The individual case must also be reviewed in that respect.

    Owing to the accountability for the compliance of data processing with the GDPR, it will, however, always be advisable to keep records of processing activities.

4. How are violations punished?

Under the new law, violations of data protection regulations will become substantially more expensive. There will exist hefty upper limits for fines in an amount of EUR 20 million, or 4% of the global annual turnover in the preceding financial year. Violations of duties to provide information will also be punishable by a fine in future.

Appeals before the competent regulatory authorities will continue to be possible, and the regulatory authorities will still be able to issue warnings and processing prohibitions. Legal action may be taken in relation to claims for damages or appeals from decisions by the regulatory authorities.

Not least because of the substantial fines, it can be expected that the regulatory authorities will increase their activities. Practice will show what the details will be like.

Please do no hesitate to contact us in all queries relating to data protection.

Contact Person

Dr. Karolin Nelles, LL.M., Lawyer, Hanover (Germany)
Frank Becker, Lawyer, Hanover (Germany)
Sarah C. Schlösser, Lawyer, Hanover (Germany)
Rüdiger Erfurt, Lawyer, Osnabrück (Germany)