GDPR: EU General Data Protection Regulation
Here you can find all facts about the GDPR:
Basics and helpful tips for implementing the GDPR in companies

What is the GDPR?
The European General Data Protection Regulation (EU GDPR or simply GDPR; also known colloquially as European Data Protection Regulation) is a regulation of the European Union. It aims to standardize data protection in Europe and thus create equal data protection standards for all member states. The General Data Protection Regulation has been in force since May 25, 2018.
Content of the EU GDPR
The 99 articles of the EU GDPR are divided into 11 chapters. Here you can find out which chapters there are and what is specifically defined in the various articles.
Learn more about the European General Data Protection Regulation
1. Do the same data protection standards now apply everywhere in the EU?
Yes...
The European General Data Protection Regulation is directly applicable law. This means that the General Data Protection Regulation does not have to be implemented in independent national law. It applies equally in all EU states. The European Data Protection Board ensures compliance with the EU GDPR and consistency of application.
... but:
However, the EU GDPR contains some open provisions that national European legislators may supplement or fill in. These are known as so-called opening clauses. One example of a national supplementary regulation is the new BDSG in Germany.
2. Who does the European General Data Protection Regulation (the “EU Data Protection Act”) apply to?
Anyone using the European Union as a market is bound by data protection regulations applicable throughout Europe. That means:
- The European General Data Protection Regulation, also known colloquially as the “EU Data Protection Act”, applies to all companies based in the EU.
- It also applies to all companies that have their headquarters outside the EU but one or more branches in the European Union.
- The General Data Protection Regulation also applies to companies whose headquarters are outside the EU but which process personal data from EU citizens.
3. The most important contents of the General Data Protection Regulation at a glance
4. European General Data Protection Regulation: 6 points that companies must pay particular attention to
Companies that process personal data must particularly protect it in accordance with the General Data Protection Regulation. Personal data is information that can be attributed to a natural person. This includes, for example, name, address, IP address, date of birth, etc.
To do this, companies must consider the following points, among others:
1. Consumer-friendly default settings
Consumer data should be protected as comprehensively as possible without any special adjustments (see Art. 25 GDPR). For companies, this means: Even when developing digital processes, care should be taken to ensure that the level of data protection is high (privacy by design). Companies are also required to set consumer-friendly default settings (privacy by default).
2. Register of processing activities
In accordance with Art. 30 GDPR, the entrepreneur must keep a (written or electronic) register of his processing activities. It must include, among other things, the following:
- Company name and address
- Categories of affected persons
- Purposes of data processing
- Categories of personal data
- Categories of data recipients
- Where applicable, transfers of personal data to a non-EU state
- Deletion periods for the various categories of data
According to the EU GDPR, this register is intended for internal company use. However, it must be submitted to the data protection authority upon request.
3. Data protection impact assessment
Companies are required to carry out an impact assessment of new forms of data processing, provided that there is a high risk of a data protection violation (Art. 35 GDPR). This means that companies must proactively contact the supervisory authority and explain the possible data protection consequences of a proposed measure.
However, the requirements for the impact assessment are legally disputed. Individual legal advice is therefore highly recommended.
4. Appointment of a data protection officer
According to Art. 35 ff. GDPR, companies must appoint a data protection officer (DPO) if at least one of the following conditions is met:
- The company processes special categories of data (in accordance with Art. 9 GDPR).
- Comprehensive regular and systematic monitoring of affected persons is part of the company's core activity.
- More than 20 people in the company are involved in the processing of personal data.
5. Accountability
According to Art. 5 GDPR, data controllers must be able to prove upon request that all data protection principles are being complied with in the company.
6. Reporting requirement
If a data breach results in a violation of data protection requirements, the respective company must, in accordance with the General Data Protection Regulation,
- report this to the competent supervisory authority within 72 hours and
- inform the person or persons concerned.
Exception: If the infringement “is not likely to result in a risk to the rights and freedoms of natural persons,” the incident does not have to be reported (Art. 33 GDPR). In order to be able to assess when this exemption applies, you should seek advice on data protection law.
5. EU GDPR for consumers: 3 new features you should know
The European General Data Protection Regulation strengthens the rights of data subjects across the EU.
- Consent to data processing
Personal data may only be processed with the consent of the person concerned. Children and adolescents under 16 years of age need parental consent. Data subjects can also withdraw their consent at any time.
- Right to deletion
If a data subject withdraws their consent or if the purpose of data processing ceases to apply, data processing bodies must delete the corresponding data (Art. 17 GDPR).
- Right to information
As part of the EU GDPR, consumers' rights to information have been expanded. On request, data subjects must be informed not only about the purpose of data processing, but also about the duration of the processing and their associated rights (Art. 15 GDPR).
The position of consumers is strengthened not least by the threat of heavy fines for infringements.
6. A sensitive point: Right to data portability under the European General Data Protection Regulation
According to Art. 20 GDPR, the person concerned has a standardized right to data portability. This means: He may request that his data be transferred from one responsible body to another. This must not happen without his consent.
How this provision of the General Data Protection Regulation can be implemented in practice is still very controversial in view of the various data and processing formats. To avoid pitfalls, you should seek individual advice on this!
7. One year of the European General Data Protection Regulation — what has changed since its introduction
A lot has happened in this area since the introduction of the General Data Protection Regulation. For example, the EU GDPR has already been amended, notably by the so-called Second Data Protection Adjustment and Implementation Act (2nd DSAnPuG). Among other things, it states that from 26.11.2019 a data protection officer only has to be appointed once 20 employees, rather than the previous 10, are constantly entrusted with the processing of personal data.

Warning wave through the General Data Protection Regulation
Just a year ago, many companies were downright afraid that the entry into force of the EU General Data Protection Regulation would result in a huge wave of warnings from supervisory authorities. That has not happened so far, but authorities across Europe are consistently taking action. In 2019 alone, seven million dollars in fines were imposed on companies for breaches of the GDPR.
Stronger data protection awareness
Since then, the topic of data protection and the correct handling of data has been discussed intensively in the media. Consumers therefore know more about their own rights with regard to data protection & GDPR and often take the regulation more seriously than companies.
In the overview shown below, you can see, based on just a few figures, how the situation has changed within a year. You will find that the EU GDPR has arrived.
8. How Proliance is helping you implement the GDPR
For companies, the General Data Protection Regulation meant that a number of internal processes had to be adjusted. In addition, data protection managers and employees must always be kept up to date in order to be able to quickly implement any changes that have been decided upon. Proliance helps companies implement all data protection requirements of the GDPR. Companies can rely on our innovative Proliance 360 data protection software, which guides companies step-by-step through internal data protection tasks and provides samples, templates, employee training and much more. If companies do not want to entrust an internal person with the issue of data protection due to the time intensity, they can rely on the solution with an external data protection officer from Proliance, who will assist companies with all data protection issues.
9. Is your website really ready for the GDPR?
According to the GDPR, anyone who has an Internet presence is required to provide a privacy policy and an imprint. But according to the General Data Protection Regulation, there is much more to consider on websites. From correct encryption to tracking and correct form integration, there is a lot that website operators need to know and consider. There is one goal behind all of this: to protect website visitors' data. Proliance has developed an automated website check that enables website operators and responsible persons to automatically analyze their website. In the subsequent results report, they receive an analysis of the implementation of the GDPR on the audited website. In this way, vulnerabilities on websites can be identified and repaired.
10. GDPR FAQ
What is the GDPR?
The General Data Protection Regulation, or GDPR for short, is a regulation of the European Union. This regulation is intended to standardize data protection standards across the EU. Specifically, the GDPR concerns personal data that companies, corporations, authorities, practices and associations collect, process and store. The GDPR provides controllers with rules of conduct for the correct processing of personal data.
GDPR: How long has it been in force?
Since May 25, 2018, the General Data Protection Regulation has also been binding in Germany. The GDPR therefore takes precedence over the new BDSG. However, the two laws do not replace each other; rather, they complement each other.
Who does the GDPR apply to and what does the GDPR regulate?
The European Union's General Data Protection Regulation regulates how companies, corporations, authorities, practices or associations must handle the personal data of their customers and employees or members. The GDPR applies to all EU member states and thus standardizes European data protection.
As a consumer, what can I demand from companies as a result of the GDPR?
The GDPR supports consumers: What is new in particular is that consumers can demand that companies completely delete their data (so-called “right to be forgotten” under Article 17 GDPR). Companies must comply with this request as quickly as possible if the collected data does not have to be stored in accordance with legal retention periods.
What is personal data under GDPR?
The GDPR requires the protection of personal data. Personal data is data relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). Legal entities, pluralities or groups of persons, and deceased persons are excluded. Specifically, personal data includes names, telephone numbers, e-mail addresses, IP addresses or postal addresses.
How can companies report a data breach?
Companies that violate data protection and have a data breach within the company must report this to the competent supervisory authorities in accordance with the reporting and notification requirements (in accordance with Article 33 GDPR) if this breach is likely to result in a risk to the rights and freedoms of a data subject. A guide to data breaches is available for download here.
Advice that suits you and works in everyday life
We create tailor-made service packages tailored to your company size, your processes and your goals. Together, we implement data protection and information security in such a way that they are legally secure, understandable and practicable in day-to-day business.