Guide: the most important facts about the GDPR

All important information on the General Data Protection Regulatipon (GDPR), compact and simply explained.

Overview:
  • The GDPR: the basics
  • Data protection: rights and obligations
  • Data Protection Officer (DPO)
  • Sanctions
  • Data Protection Impact Assessment (DPIA)
  • The GDPR and businesses
  • International data transfers
  • Consent to data processing
  • The GDPR and children

The GDPR: the basics

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.

The GDPR harmonizes data protection law within the EU for the private and public sectors. This creates a uniform legal framework between the member states. Consequently, a high standard of data protection and corresponding laws apply to all 500 million citizens-

Transparency is a fundamental principle. Data subjects should be enabled to check the collection, processing or use of data or, as the German Federal Constitutional Court has put it, to know and control "who knows what about them, when and on what occasion". In summary it can be said that the GDPR tries to strengthen the rights of the concerning in principle and even expands these in some areas. In particular, the new transparency and information obligations for companies offer significantly stronger protection for the data subject than the old provisions of the Bundesdatenschutzgesetz (German Federal Data Protection Act, BDSG).

A distinction must be made between the material scope and the territorial scope of application.

Material scope of application according to Art. 2 GDPR:

"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

According to Art. 4 No. 2 GDPR, the processing includes "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" of data.

Territorial scope of application according to Art. 3 GDPR:

According to Art. 3 DSGVO, the territorial scope of application of the DSGVO is generally determined by the processing of personal data, insofar as this takes place within the framework of the activities of a branch of a controller or a processor in the EU, irrespective of whether the processing takes place in the EU (Art. 3 para. 1 DSGVO).

The GDPR does not only apply to companies established in the EU. According to Art. 3 para. 2 of the GDPR, the only prerequisite for its applicability is that an offer is directed to a specific national market in the EU or that the data processing serves to observe the behaviour of persons in the EU.

According to Art. 27 para. 1 GDPR, companies which do not have an establishment in the EU but offer goods or services to persons in the Union or observe their behaviour - e.g. through "tracking" or "profiling" - must in principle appoint an EU representative.

The territorial scope cannot be changed by contract. If, however, a member state has adopted a national data protection regulation within the framework of an opening clause, the data protection law of the respective member state shall in principle apply.

The GDPR only applies if personal data is concerned. However, this term is very broad (Art. 4 No. 1 GDPR) and includes, for example, information on

  • name
  • address
  • phone number
  • license plate
  • IP address of a person
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person's sex life or sexual orientation
  • data relating to criminal convictions and offences

The ultimate decision is whether the respective information can somehow be assigned to a person and thus a personal reference can be established.

Yes, there are. This includes, for example, the private and family sphere, i.e. private correspondence, a private address directory or the private use of social networks and private online activities.

Data protection: rights and obligations

Art. 32 para. 1 b) GDPR lists the protection objectives to be ensured when processing personal data. 

  • Confidentiality, i.e. data is not accessible to unauthorised third parties.
  • Integrity, i.e. data cannot be falsified.
  • Availability, that is, data is available when it is needed.
  • The right to information
  • The right to objection
  • The right to rectification, cancellation, and limitation
  • The right to data transferability

According to Art. 23 GDPR, national deviations of the individual member states are possible in certain areas, such as national and public safety issues or important objectives of general public interest.

If personal data is raised with the user, the responsible person must communicate the following information according to art. 13 Abs. 1 GDPR:

  1. the identity and the contact details of the controller and, where applicable, of the controller's representative
  2. the contact details of the data protection officer, where applicable
  3. the purposes of the processing for which the personal data is intended as well as the legal basis for the processing
  4. the legitimate interests in the data processing pursued by the controller or by a third party
  5. the recipients or categories of recipients of the personal data, if any
  6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation
  7. the period for which the personal data will be stored
  8. user rights
  9. the revocability of consents
  10. the right to appeal to the supervisory authority
  11. the obligation to provide personal data
  12. where applicable, automated decision making and profiling

When must data subjects be informed?

In the case of direct data collection, the data subject must be informed at the time of collection in accordance with Art. 13 para. 1 GDPR.

If the data is not collected from the data subject, the person responsible must in principle provide the information in accordance with Art. 14 para. 3 GDPR within a reasonable period, but at the latest after one month. However, if the data is to be used for communication with the data subject or is to be transmitted to a recipient, the information must be provided at the time of establishing contact or the first transmission.

In what form must the information be provided?

According to Art. 12 DSGVO, the information presented above must be provided in a precise, transparent, comprehensible and easily accessible form. It may be transmitted to the data subject in writing or in electronic form.

Yes, if the data is not collected from the data subject, the information obligations pursuant to Art. 14 para. 5 DSGVO are dispensable in three cases:

  • Providing the information is impossible or disproportionately expensive.
  • The collection or transmission of data is required by law.
  • There is professional secrecy or other statutory obligation to maintain secrecy.
Data Protection Officer (DPO)

A data protection officer (DPO) works within an organisation towards compliance with data protection.

According to Art. 39 GDPR, the tasks and duties of a data protection officer are:

  • Informing and advising those responsible, contractors, and employees
  • Monitoring compliance with the GDPR and special national regulations
  • Advice and monitoring in connection with data protection impact assessment
  • Sensitization and training of employees
  • On request: advice and preparation of data protection impact assessments and contact persons for supervisory authorities

The DPO is subject to confidentiality and special protection against dismissal and has the right to refuse to testify.

Article 37 et seq. of the GDPR provides Europe-wide in principle for an obligation to appoint an operational data protection officer, if the business model of the enterprise concerned is based in the core on the systematic monitoring or processing of personal data.

According to § 38 BDSG-neu, there is an obligation to designate a DPO if at least 10 persons in a company are permanently engaged in automated data processing. However, the GDPR contains a catalogue of new ordering obligations; for this reason, companies with fewer than 10 employees should also check whether they are obliged to appoint a data protection officer.

 "The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, [...]" (Art. 37, para. 5, GDPR)

Since the GDPR it has been very easy to become a DPO: Put simply, any person who has either a theoretical or a practical idea can become a DPO. Conclusion: Become a DPO yourself - or hire Christian Allner!

In principle, a company can choose to fill the position of DPO internally or externally. A DPO must report to management, if necessary critically. In the case of an internal DPO, conflicts of interest may arise. The appointment of an external DPO offers several advantages: Companies can concentrate on their core business and benefit from the specific expertise of an external DPO.

The deliberate or negligent failure to appoint a DPO, not appointing a DPO in the prescribed manner or not on time, will be punished according to Art. 83 Para. 4 GDPR with a fine of up to 10 million € or 2% of the worldwide annual turnover, whichever is higher.

Sanctions

In comparison to the old BDSG, the GDPR opens up the possibility of imposing significantly higher fines. The maximum fine in the context of Art. 83 GDPR amounts to 20 million € or up to 4% of the entire annual turnover that has been achieved worldwide in the preceding business year; depending on which value is the higher one.

For example, the deliberate or negligent failure to appoint a DPO, not appointing a DPO in the prescribed manner or not on time, will be punished according to Art. 83 para. 4 GDPR with a fine of up to 10 million € or 2% of the worldwide annual turnover, whichever is higher.

A busniess should obtain professional data protection advice and carry out regular compliance audits. In addition, data processing processes, data flows and the data stock should be documented and the internal organisation should be designed in such a way that data protection concerns are taken into account from the outset. DER Datenschutzbeauftragte Christian Alllner helps you with these tasks and provides you with competent advice.

Data Protection Impact Assessment (DPIA)

With the GDPR, the new instrument of the data protection impact assessment was introduced in 2018 (also DPIA, see art. 35 GDPR). It serves to assess risks and their possible consequences for the personal rights and freedoms of the persons concerned. Basically, it corresponds to the prior checking of the lawfulness of data processing (§ 4d Para. 5 BDSG), which was also known earlier in German data protection law.

According to Art. 35 Para 1 GDPR, a DPIA has to be carried out "[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons,"

Examples of such situations are given in Art. 35 Para. 3:

  • systematic and comprehensive evaluation of personal aspects of natural persons, which (...) serves as a basis for decisions that have legal effects on natural persons or similarly significantly affect them
  • extensive processing of special categories of personal data pursuant to Article 9 Para. 1 GDPR or of data on convictions and criminal offences pursuant to Article 10 GDPR
  • systematic wide-ranging monitoring of publicly accessible areas

Art. 35 Para. 7 defines the minimum requirements for a data protection impact assessment. It must therefore contain:

  • a systematic description of the planned processing operations and the purposes for which they are to be carried out
  • an assessment of the necessity and proportionality of processing operations
  • an assessment of the risks to the rights and freedoms of data subjects
  • the corrective measures envisaged to deal with the risks in order to ensure the protection of personal data and to demonstrate compliance with the provisions of this regulation
  • When carrying out a data protection impact assessment, the advice of the data protection officer (if appointed) must also always be sought (Art. 35 Para. 2 GDPR).

According to Art. 36 GDPR, the supervisory authority must be switched on if the data protection impact assessment after Art. 35 GDPR results in that a data processing without measures means a high risk.

What happens if the supervisory authority concludes that a measure violates the GDPR?

In this case, the supervisory authority will issue advice in written form which has to be implemented within a time limit of eight weeks.

The GDPR and businesses

No, the GDPR does not contain any specific regulations on the protection of employee data.

Does this mean that there is no protection of employee data?

Even though there is no central provision in the GDPR on this subject, employees are not without rights within their employment relationships. Individual regulations of the GDPR (e.g: Art. 9 Para. 2 h GDPR (processing of special categories of personal data) do explicitly refer to employee data protection. The general principles of data processing (Art. 5 GDPR) also apply to the employment relationship.

Whether existing works agreements may continue to be used must be examined on a case-by-case basis and depends on whether the agreements do not undermine the requirements of the GDPR and, in particular, contain sufficient protective measures within the meaning of Art. 88 Para. 2 GDPR.

According to Art. 33 GDPR, yes in principle. Violations of the protection of personal data must be reported to the supervisory authority. According to Art. 33 GDPR, this must be done immediately and without undue delay, if possible within a maximum of 72 hours after the violation became known.

Does the data subject also need to be notified of the data breach?

According to Art. 34 GDPR, yes in principle. The notification should include a description of the nature of the breach and recommendations to mitigate any adverse effects of the breach (see recital 67a GDPR).

No. There is no reporting requirement if a risk to the rights and freedoms of individuals is unlikely.

International data transfers

In principle, the rules laid down in the Data Protection Directive continue to apply. If there is a legal basis for the general transfer of data, the transfer can also take place in a third country. Mechanisms for establishing an appropriate level of data protection are, for example, binding corporate rules (BCR, see Art. 47) and EU standard agreements.

The changing responsibilities of different supervisory authorities is in practice a significant problem, especially when a company operates in several European countries. The European legislator has recognised this problem and anchored the so-called "one-stop shop" principle in the GDPR. Article 56 Para. 1 GDPR stipulates that the supervisory authority in whose jurisdiction the registered office or head office of a company is located is generally responsible for the company. Companies therefore only have to cooperate with the data protection authority of the member state in which the head office of the company is located. Citizens can always complain to the data protection authority of their member state, no matter in which member state the data was misused.

Binding Corporate Rules are an option for internal data transfer to insecure third countries (e.g. USA and China).

In addition to their internal effect, BCRs are also intended to protect the rights of those affected externally.

Article 47 Para. 2 GDPR defines the minimum extent in more detail.

The consistency mechanism is governed by Article 63 GDPR. It obliges all member states to recognize Binding Corporate Rules without restriction. It is used when the flow of data is to exceed the boundaries of the EEA. This binding instrument can resolve conflicts between supervisory authorities. As a result, the harmonization of European data protection law will be promoted.

Consent to data processing

Consent to the processing of personal data enables data subjects to exercise their right of personality and to disclose or not disclose personal information about themselves.

In data protection law, the so-called prohibition applies subject to permission, i.e. data processing is generally prohibited as long as it is not expressly permitted by law or the data subject has consented to the processing. The GDPR holds on to this principle (see for this Art. 6 No. 1a).

Art. 7 GDPR describes the "conditions for consent". The most important requirements for a legally valid declaration of consent are:

  • The free decision of the person concerned
  • Detailed, clear, and specific information of the person concerned
  • Written form of the declaration of consent
  • Revocability of the declaration of consent

Art. 6 No. 1 a GDPR states that data processing is only lawful if the data subject has given consent for one or more specific purposes. Consent must therefore be linked to a specific purpose, which must also be explained in a sufficiently precise manner.

Auf schriftlichem oder elektronischem Wege. Die DSGVO verlangt durch Art. 7 Nr. 1 DSGVO die Nachweisbarkeit der Einwilligung durch die verantwortliche Stelle. Eine konkrete Formvorschrift wird nicht genannt. In Erwägungsgrund 32 zur Datenschutz-Grundverordnung wird klargestellt, dass die Einwilligung nur durch eine eindeutige Handlung zustande kommen soll, die auch in elektronischer Form erfolgen kann, wie zum Beispiel Opt-In (z.B. Setzen eines Häkchens). Eine stillschweigende Zustimmung ist dagegen nicht mehr möglich.

The GDPR and children

Yes. If the processing is aimed at children, information and instructions should be given in a simple language suitable for children, due to the special vulnerability of children. With regard to information society services offered directly to children, the GDPR stipulates that the person having parental responsibility for a child must consent to the processing of a child's personal data.

According to Art. 8 GDPR, the EU member states determine the age limit in the range from 13 to 16 years themselves.

GDPR Art. 8 contains an explicit legal regulation in relation to the consent of children and young people.

If a company offers " information society services" and this offer is made directly to a child, the necessary consent of the child is only effective in Germany if the child has reached the age of 16. In the case of children under the age of 16, the consent of their parents must be obtained.

Yes, prevention or counselling services offered directly to a child do not require parental consent. This is appropriate in order to give children the opportunity to take advantage of counselling services in confidence.