The new EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Most of us have probably received notifications from their banks, social networks, and other service providers recently informing about changes in their data protection regimes and asking for consent. Admittedly not an unprecedented event and thus quickly forgotten. This time though the changes are significant and bring about far reaching consequences for almost everyone doing business within the EU. Meanwhile the new ePrivacy Regulation (ePR) is also under way.
The importance of the GDPR can easily be illustrated by the penalty range. Violations can be very expensive, even small and medium-sized enterprises (SME) have to fear penalties in the range of four to five digit numbers. While large corporations have already adjusted to the new regulation it is especially the SMEs that do not seem to have realized the significance of it. A representative survey from 18 April 2018 amongst German SMEs shows that only one fifth of them have made or are planning to make corresponding arrangements.
Against this background the following article tries to give a summary of the implications of the GDPR together with recommendations for action. It shall generally refer to the situation in the whole EU. Where member states are given room for separate provisions by way of flexibility clauses it shall refer to the situation in Germany only. Articles without reference to a law relate to the GDPR.
Scope of application
All processing of personal data fall within the material scope of application (art.2). Personal data are defined as data relating to identified or identifiable persons. Any processing, be it wholly or partly automated or non-automated (art. 4 (2)) basically occurs with any handling of such data.
The territorial scope (art.3) refers to activities of an establishment within the EU as well as to establishments outside the EU as long as goods and/or services are offered to customers within the EU. It is irrelevant whether the data is processed within the EU or not, also whether it is done by the controller or a processor (see below 4).
Digression: the ePR will be applicable also where non-personal data are being processed. After its entry into force its scope of application would therefore have to be checked at this point, until then the EU directive 2002/58/2002 remains effective. In Germany, the new Federal Data Protection Act (FDPA) as well as other laws may have to be checked as well.
Personal data processing is generally prohibited unless the conditions mentioned in article 6 are met (ban with permit reservation). Such are either the consent of the person concerned (art. 6 (1)), or an underlying contractual relationship (art. 6 (2)), or the fulfilment of obligations deriving from other laws (art. 6 (3)), or vital interests (art. 6 (4)), or duties in the public interest (art. 6 (5)), or one’s own overriding interests (art. 6 (6)).
Any consent (art. 6 (1)) must be given unambiguously, voluntarily, on an informed basis, and for a particular case. Furthermore, reference to the right of withdrawal is indispensable. In case of balancing interests (art. 6 (6)) it is appropriate to take the reasonable expectation of a person concerned into account.
Apart from that any processing no matter what the legal basis is only justified if it relates to specified, explicit and legitimate purposes (art. 5 (1b)), if the relevant data are correct/updated and if the storage of data is appropriate to reach the respective purpose. In this respect, appropriate technical and organizational measures are to be implemented (art. 25). Special categories of data (art. 9) are subject to increased safety requirements.
Any controller must be able to provide evidence regarding the compliance with the above requirements to the authorities at any time (art. 58). Furthermore, controllers have duties to inform persons concerned and third parties (art. 13, 14; § 29-37 FDPA). Concerned persons have rights to erase and to limit the amount of data (art. 17, 18), which implies that their access to all relevant information (art. 15). Therefore, we strongly recommend to keep a relevant record.
Records of processing activities
The GDPR states that every establishment has to keep a record of all processing activities (art. 30). Organizations with less than 250 employees may be exempted to keep a record under the condition that the relevant processing does not present a risk to privacy rights, is not only occasional and does not include special categories of data. Whoever now feels addressed may take two points into account: first, any payroll accounting already counts as not only occasional processing. Therefore, for most companies there will not be any exemption. Second, discharge in case of an audit or even a violation will only succeed by means of appropriate documentation in the form of the named record. Such records are non-public and have to comply with certain content requirements.
Controller and processor
Controllers are persons who deal with personal data of others and effectively decide if and how data are being processed (art. 4 (7)). Companies thus have to appoint someone as controller, even in case data are being processed by external service providers.
Such service providers process data on behalf of the controller (art. 7 (8)). Without the authority to issue instructions they are not defined as processors (e.g. tax advisory). The controller is generally liable for any misconduct of the processor. We therefore strongly advise to carefully chose any such service provider and to carefully draft any underlying agreement.
Data protection officers (art. 37-39) are to be appointed only if the core activity of a respective company is either to process data of special categories (sensitive data) or if it is to regularly, extensively, and systematically conduct surveillance of natural persons.
Data security and protection faults
The GDPR explicitly states data security (art. 32). Information is to be concealed from unauthorized persons, shall not be manipulable, and has to be available at all times. Encryption in particular plays a major role here, varying from email servers, websites, documents, wifi networks, mobile devices, etc. IT security should therefore always be management issue, not least in one’s own economic interest.
Companies generally have to notify the authorities of any breach regarding data protection (art. 33), otherwise heavy fines may be imposed. Also, the concerned persons have to be informed in case of high risk of exposure and if no sufficient technical and organizational measures for security protection had been installed (documentation!). A breach is assumed if safety deficiencies unintentionally and/or unlawfully lead to loss, deletion, alteration or unauthorized disclosure of data.
Authorities, sanctions and liability
The competent supervisory authorities (art. 52 et seqq.) are independent and not only have far-reaching powers but also the duty to assist controllers and concerned persons on request – we recommended to consult with them. They may impose high fines should the controller not abide by the rules stipulated in the GDPR (art. 83). Furthermore, persons concerned are entitled to compensation regarding their – probably more often immaterial – damages (art. 82).
Digression: the authorities named by the ePR are identical with those named by the GDPR, the scope of liability will probably very similar as well.
The measures to be taken will vary from case to case. The independent German Data Protection Agencies recommend the following:
- Modification of relevant structures and processes;
- Determining the legal basis, the purpose of data processing as well as documenting the balancing of interest (if taken place);
- Implementation of obligations to provide information, of lawful interests of concerned persons, and of concepts for deletion of data;
- Modification of one’s data protection regime;
- If necessary appointment of a data protection officer;
- Response mechanisms for data breaches;
- Organisation of reporting obligations;
- Modification of service relationships;
- Development of a comprehensive documentation/records;
- Modification of IT security;
- If necessary modification of agreements regarding the operations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.