Taking Stock of the 13th European Data Protection Day on January 28, 2019 in Berlin

For eight months now, the EU General Data Protection Regulation (GDPR; German abbreviation DSGVO) has been directly applicable law. The GDPR is supplemented by numerous national regulations, for example the Federal Data Protection Act (BDSG), the state data protection laws and more than 150 sector-specific laws, which must also be taken into account under the existing opening clauses.

On January 28, 2019, the 13th European Data Protection Day took place in Berlin. It was attended by representatives of the supervisory authorities, politics and business, as well as by two employees of Creditreform Compliance Services GmbH. Our assessment of the day is as follows.

Rarely does a topic stir up so many people as the GDPR. This was reflected in the lectures and reports of the guests from politics and practice. The GDPR has arrived at the people! Fortunately, the feared wave of warning letters (Abmahnungen) failed to materialize. The GDPR can be called a success, despite the overreactions, the concerns, the uncertainties and the need for interpretation. What it does require is implementation with a sense of proportion and readjustment in the details, without having to redo everything. Among other things, it is important not to water down the data protection standards, but to make them more practicable in some areas.

The Regulation still needs to be fleshed out by the supervisory authorities and by practice, for example through short papers and guidance, but also through court rulings.

The real innovation of the GDPR is a strengthened system of sanctions and their enforcement. The GDPR thereby makes data protection a compliance issue in companies and strengthens the position of the supervisory authorities. The fine regime was modelled on antitrust law, so that violations of market rules are not punished more severely than violations of fundamental rights.

New, among other things, are therefore the sanction options in Art. 83 para. 1 GDPR, for example for failing to implement technical data protection (the obligations of Art. 25 and Art. 32 GDPR).

The GDPR is technology-neutral and open to new technology, and is therefore formulated to last. In particular, the idea of Privacy by Design is not new. Privacy by Design requires the adoption of appropriate technical and organizational measures (TOMs) to implement the data protection principles. In practice this means, in particular, data minimization through pseudonymisation or anonymization, the use of encryption, and transparency towards data subjects.

The first examples in the EU where inadequate implementation of technical data protection was punished are known to all of us.

One was Knuddels GmbH, which was fined 20,000 euros by the Baden-Württemberg data protection authority because it had stored its users' passwords in plain text, that is, neither hashed nor encrypted. The competent authority in Portugal imposed a fine of 400,000 euros on the CHBM hospital (Centro Hospitalar Barreiro Montijo). A role-based access concept was in place, but the "doctor" role, and with it the access rights to patient data reserved for doctors, had been assigned to numerous other persons.
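As an added illustration of the Knuddels finding (example code written for this page, not code from Knuddels, Creditreform or any supervisory authority), the following Python shows the storage pattern that was fined beside a hardened form: a salted, memory-hard password hash (scrypt from the standard library) with a self-describing record format, a constant-time verifier, and a login routine that migrates legacy plaintext rows on the first successful login. The user table, user names, passwords and cost parameters are constructed assumptions.

```python
"""Password storage: the fined pattern (plaintext at rest) beside a hardened form.

Constructed illustration; the user table and credentials below are made up.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters (assumption: interactive-login defaults; tune for the
# target hardware). Memory use is about 128 * N * r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def store_plaintext(users: Dict[str, str], username: str, password: str) -> None:
    """The pattern that was fined: the secret itself is written to the user table.
    Whoever reads the table (dump, backup, SQL injection) holds every password."""
    users[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and serialise it together with its parameters,
    so each record is self-describing and the cost can be raised later."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time.
    Malformed records verify as False rather than raising."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        expected = base64.b64decode(parts[5], validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def store_hashed(users: Dict[str, str], username: str, password: str) -> None:
    """The hardened form: only the salted hash reaches the table."""
    users[username] = hash_password(password)


def login(users: Dict[str, str], username: str, candidate: str) -> bool:
    """Check a login and transparently migrate a legacy plaintext row to scrypt on
    the first successful login, so the password itself disappears from the table."""
    stored = users.get(username)
    if stored is None:
        hash_password(candidate)  # do comparable work so timing does not reveal valid usernames
        return False
    if stored.startswith("scrypt$"):
        return verify_password(stored, candidate)
    # Legacy plaintext row: compare in constant time, then upgrade the record.
    if not hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8")):
        return False
    users[username] = hash_password(candidate)
    return True


if __name__ == "__main__":
    table: Dict[str, str] = {}
    store_plaintext(table, "alice", "hunter2")      # legacy row (constructed)
    store_hashed(table, "bob", "correct horse")     # new-style row (constructed)
    print("before migration:", table["alice"])
    print("alice login:", login(table, "alice", "hunter2"))
    print("after migration: ", table["alice"])
    print("bob wrong pw:   ", login(table, "bob", "wrong"))
```

scrypt is used here because it ships with Python's standard library; where a dependency is acceptable, Argon2id (for example via the argon2-cffi package) is the usual recommendation today. Note that the migration path still requires the legacy plaintext rows to exist until each user logs in; a forced password reset removes them immediately.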

Not least through such data scandals, data protection has moved into the public interest, and its importance in the public eye has grown significantly.

In addition to the positive experiences, the discussion also showed that it is precisely small and medium-sized enterprises (SMEs), for example craft businesses, that are affected by great uncertainty in implementing the GDPR and therefore partially reject the provisions of the Regulation. Implementing the GDPR ties up resources and requires know-how, which often has to be bought in first. Although the risk-based approach is enshrined in the GDPR and relief for smaller companies is therefore possible, some of the simplifications are usually ineffective in practice, for example the rule under which a record of processing activities only has to be kept by companies with 250 or more employees. As soon as employee data (and thus also special categories of data such as illness or religious affiliation) are processed, the exception ceases to apply, so hardly any craft business benefits from it. In this respect, the existing processes need to be adapted with a sense of proportion, combined with a critical examination of whether the necessary processes and documentation are in place.

Many of the obligations companies have to fulfil did not first arise with the GDPR. The obligation to appoint a data protection officer when, as a rule, at least ten employees are engaged in the automated processing of personal data existed long before the GDPR. The same applies to the obligation to conclude contracts with processors. Only the new sanction options have sharpened the focus here.

Ultimately, creating transparency for data subjects calls for new certification procedures that examine the data protection management systems already in place in an organization. In this way, data protection can also become a competitive advantage.

CONCLUSION: The GDPR not only contains prohibitions, but also opens up possibilities. Both call for a substantive discussion, which the 13th European Data Protection Day made possible. More importantly, the day showed that the issue of data protection and the GDPR has not yet been finally settled and that many questions remain open, to which the answers have yet to be given by the supervisory authorities and the courts. In all of this, appropriateness and proportionality in the individual case will play a role.

Source: Creditreform Press Release