GDPR FAQ
You have the questions - here are the answers
All questions and answers are Literally and unchanged the Website of the Federal Ministry of the Interior for Construction and Home Affairs taken (as at 27.06.2019)
What are the objectives and main innovations of the General Data Protection Regulation?
Regulation (EU) 2016/679 (EU General Data Protection Regulation) replaces the European Data Protection Directive from 1995 (Directive 95/46/EC) with the aim of harmonising and modernising European data protection law. It promotes the protection of data subjects with regard to the processing of personal data and the free movement of such data (Article 1(1) of the General Data Protection Regulation).
The Member States had implemented the Data Protection Directive, which was in force until 25 May 2018, in very different ways. This patchwork of member state regulations hindered cross-border data flows in the European Union. The General Data Protection Regulation creates a uniform and directly applicable legal framework that ensures the free movement of personal data in the European Union. This is an important prerequisite for the completion of the Digital Single Market and for a level playing field in the European Union. The European Data Protection Board, the association of supervisory authorities of all Member States at the level of the European Union, contributes to a uniform application of the law. In the future, it will make binding decisions on central issues of the General Data Protection Regulation. With the lead supervisory authority at the place of the main establishment, companies with cross-border data processing activities will in future have a central point of contact (so-called one-stop shop principle).
At the same time, European data protection law is modernised and the fundamental right to protection of personal data from Article 8 of the European Charter of Fundamental Rights is strengthened. Data subjects are given more control and transparency in data processing, also and especially in the digital age. The General Data Protection Regulation increases the requirements for legally effective consent of data subjects and expands their rights, especially to information and disclosure. The data protection authorities are given far-reaching remedial powers; in the event of violations of the General Data Protection Regulation, they can impose fines of up to €20 million or 4 per cent of global annual turnover. Companies outside the European Union are also subject to the General Data Protection Regulation if they offer goods or services in the European Union or observe the behaviour of persons in the European Union (so-called market place principle).
To whom does the new legal framework apply?
The General Data Protection Regulation applies in principle to all processing of personal data. The details are set out in Articles 2 and 3 of the General Data Protection Regulation.
Both public (public authorities, courts and other public bodies, regardless of their legal form) and non-public (natural and legal persons, companies and other associations of persons under private law) bodies must comply with the requirements of the General Data Protection Regulation when processing information relating to an identified or identifiable natural person.
Exceptions apply in particular to non-automated processing of personal data not stored or intended to be stored in a filing system - for example, files and collections of files not organised according to specific criteria; to natural persons processing personal data for the exercise of exclusively personal or family activities - for example, private correspondence, address books or the use of social networks and online activities in the context of personal or family purposes; for activities that fall outside the scope of Union law - in particular activities related to national security; for the processing of data for law enforcement and security purposes by competent authorities - this is governed by Directive (EU) 2016/680, adopted at the same time as the General Data Protection Regulation.
The General Data Protection Regulation applies to the processing of personal data insofar as this is carried out in the context of the activities of an establishment in the European Union or in connection with the offer of goods or services in the European Union (so-called place of market principle). This applies regardless of whether the processing takes place in the European Union. The General Data Protection Regulation also applies if the behaviour of data subjects in the European Union is to be monitored or the processing takes place in a place that is subject to the law of a member state of the European Union due to international law provisions. It does not matter whether the data processed concern a citizen of the European Union or not.
Where can I find the most important definitions?
Article 4 of the General Data Protection Regulation contains the central definitions. In the future, the definitions of personal data, controller or processing will therefore be directly and conclusively found in the General Data Protection Regulation.
What changes in data protection principles and legal bases?
The General Data Protection Regulation continues the principles for data processing from the current EU Data Protection Directive 95/46/EC, such as purpose limitation, necessity and data economy, largely unchanged in Article 5.
The purpose limitation principle is complemented by Article 6(4), which specifies criteria for checking compatible purposes. If the original purpose of collection and the purpose of further processing by the same controller are compatible, the data may be further processed on the basis of the original legal basis.
With the new "accountability", the GDPR emphasises the responsibility of data controllers to comply with the principles and to demonstrate it (Article 5(2) GDPR).
Article 6 of the General Data Protection Regulation lists the admissibility criteria for the processing of personal data. It also largely corresponds to applicable European data protection law. As before, any processing of personal data requires a legitimising legal basis - regardless of whether the processing poses a high or low risk to the rights and freedoms of the data subjects. This "prohibition with reservation of consent" is based on Article 8 of the EU Charter of Fundamental Rights.
Processing of personal data shall only be lawful with the consent of the data subject or if the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, for the protection of the vital interests of the data subject or of another natural person, for the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, for compliance with a legal obligation of the controller or for the performance of a task carried out in the public interest or in the exercise of official authority of the controller.
These admissibilities form a conclusive system; however, Member States are allowed to concretise and specify the requirements for the lawfulness of processing in some areas through national data protection law (Article 6(2) and (3) of the General Data Protection Regulation). Many legal bases, especially for the processing of personal data by public authorities, can therefore still be found in general or specific data protection law at national level.
Articles 7 and 8 contain concretising conditions for consent. For the time being, the German legislator has not made use of the possibility to regulate the age limit for a child's consent when using information society services in derogation of the Basic Data Protection Regulation (16 years).
According to Article 9 of the General Data Protection Regulation, the processing of particularly sensitive data is - as before - only permitted by way of exception. These "special categories of personal data" include, for example, data on ethnic origin, political opinions, religious beliefs or sexual orientation, genetic and biometric data and health data. In order to process these data, a legal basis under Article 6(1) is always required and, in addition, an exception to the prohibition on processing sensitive data. The exceptions can be found in Article 9(2) of the General Data Protection Regulation and in national data protection law (e.g. in Section 22 of the BDSG 2018 or in sector-specific federal law).
Article 10 of the General Data Protection Regulation provides special protection for personal data relating to criminal convictions and offences. They may only be processed under official supervision or if provided for by law.
Article 11 of the General Data Protection Regulation stipulates that data need not be stored for the sole purpose of being able to identify a person (e.g. to be able to provide information). This may mean, for example, that if a photograph of a building shows unknown persons, data such as name, address, etc. do not have to be collected in order to inform the person depicted.
Do data subjects' consents continue to apply under the old law?
According to Recital 171, Sentence 3 of the General Data Protection Regulation, consent continues to apply and no new consent is required if "the nature of the consent already given complies with the conditions of this Regulation". The conditions for the continued validity of previously granted consent under the General Data Protection Regulation have been specified by the federal and state supervisory authorities.
What changes in the rights of data subjects?
In order to create greater transparency in the handling of personal data, the General Data Protection Regulation expands the existing data subject rights in Chapter III and at the same time introduces new rights. Details are regulated in Articles 12 to 23.
Article 12 contains general procedural rules for communication with data subjects, processing deadlines and questions of remuneration. Requests from data subjects shall in principle be answered free of charge within one month in clear and plain language.
Articles 13 and 14 of the General Data Protection Regulation regulate the information obligations of the controller towards the data subjects. Compared to the previous legal situation, not only the scope but also the reason for the information is expanded. The data subjects must be informed about the listed aspects not only when the data is collected for the first time, but also whenever further processing for other purposes is intended. The controller must provide the information on its own initiative, i.e. without a request from the data subject. The demarcation of when data is collected from the data subject or not is not easy in individual cases. The view according to which Article 13 of the General Data Protection Regulation presupposes that the data subject must be aware of the collection of data seems preferable. This leads to practical results in the case of video recordings or photographs.
In addition to the information obligations, the data subject has a comprehensive right of access to the personal data concerning him or her under Article 15 of the General Data Protection Regulation. The right of access also includes the right to receive a copy of the processed data free of charge.
Under the conditions of Articles 16 to 18 of the General Data Protection Regulation, data subjects may request rectification, erasure and restriction of processing. The right to erasure also includes the so-called "right to be forgotten": If the controller has made the personal data publicly available and thus accessible to other controllers, the controller shall, in the event of an erasure obligation, take reasonable steps to inform the other controllers that a data subject requests the erasure of all links to or copies of that personal data.
Article 20 grants data subjects the right to data portability for the first time. Accordingly, data subjects have the right in certain cases to receive their data in a structured, common and machine-readable format in order to have it transferred from a controller to another (private) provider without hindrance. According to the standard, this concerns data that the data subject has "actively" provided and not also data that the data controller has first generated, such as location data. With regard to the claim, it should be noted that the rights and freedoms of other persons must not be affected when transferring the data from one controller to another. This may be the case, for example, if not only the data subject but also third parties are depicted in a photo.
Article 21 gives data subjects the right to object to (lawful) data processing on grounds relating to their particular situation. In addition, there is a right to object at any time to the processing of personal data for the purpose of direct marketing. The right to object shall be explicitly pointed out to the data subjects at the latest at the time of the first communication.
The data subject rights do not apply if the General Data Protection Regulation provides for direct exceptions or the Member States have provided for restrictions of the data subject rights via Article 23 of the General Data Protection Regulation. The Federal Data Protection Act 2018 (BDSG 2018), which will apply from 25 May 2018, contains further specific restrictions on data subjects' rights in sections 32-37 for both the public and non-public sectors.
What are the obligations of data processors?
In addition to compliance with the principles for the processing of personal data (Chapter II) and the guarantee of data subjects' rights (Chapter III), Chapter IV of the General Data Protection Regulation contains central provisions for the obligations of data processing bodies. In future, these will result directly from the General Data Protection Regulation. In contrast to the old legal situation, the Federal Data Protection Act, which will apply from 25 May 2018, therefore contains only very few statements on processor obligations.
Many processor obligations are conceptually comparable to the previous legal situation in Germany, but nevertheless require adjustments in official and operational practice.
The essential obligations in data processing are:
- Ensuring appropriate technical and organisational measures to ensure data protection and data security, Articles 24, 25 and 32
- Requirements for commissioned processing, Article 28
- Keeping a register of processing activities, Article 30
- Notification of personal data breaches to the supervisory authority and notification of data subjects, Articles 33 and 34
- Carrying out a data protection impact assessment and prior consultation of supervisory authorities, Articles 35 and 36
- Appointment of a data protection officer, Articles 37 to 39
The obligations to be fulfilled by data controllers are characterised by the concept of risk adequacy: the more likely or severe the risk posed by the data processing, the more extensive and higher the obligations of the data controller. This flexible approach particularly addresses the concerns of small and medium-sized enterprises that process non-risky data. Thus, the technical and organisational measures to ensure data protection and data security must take into account, among other things, the probability of occurrence and severity of the risk posed by the data processing to the data subjects in each individual case.
Companies with fewer than 250 employees are exempt from the obligation to keep a processing register, among other things, if the data processing does not pose a risk to the rights and freedoms of the data subjects.
In the case of security incidents (personal data breaches), the obligation to notify the supervisory authority does not apply if the breach is unlikely to result in a risk to the rights and freedoms of data subjects; there is only an obligation to notify data subjects of an incident if the breach is likely to result in a high risk to data subjects.
The obligation to carry out a data protection impact assessment also only exists where the processing is likely to result in a high risk to the rights and freedoms of natural persons by virtue of the nature, scope, context and purposes of the processing. However, if a data protection impact assessment confirms that the processing would result in such a high risk, there is an obligation to consult the competent data protection supervisory authority in advance.
a) Technical and organisational measures, Articles 24, 25 and 32
Technical and organisational measures serve the purpose of ensuring compliance with the General Data Protection Regulation and being able to demonstrate this in order to fulfil the accountability obligation of Article 5(2) of the General Data Protection Regulation (Article 24(1)). In particular, technical and organisational measures - such as pseudonymisation and encryption as well as measures to ensure the protection goals of IT security - play an important role in ensuring data protection through technology design and data protection-friendly default settings (Article 25) as well as data security (Article 32).
Not all data processing requires the same level of protection. The measures must be suitable in each individual case to ensure a level of protection appropriate to the risk involved (Article 32(1)). In this context, the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, the probability of occurrence and severity of the risk must be taken into account.
b) Commissioned processing, Article 28
With Article 28, the General Data Protection Regulation creates uniform requirements for commissioned processing throughout Europe for the first time. Commissioned processing may only take place if the processor provides sufficient guarantees that the processing will be carried out in accordance with the requirements of the General Data Protection Regulation. In addition, the stipulations mentioned in paragraph 3 must be made between the controller and the processor. This relates in particular to the processor being bound by instructions, the guarantee of confidentiality, compliance with appropriate technical and organisational measures and the support of the controller in fulfilling the rights of the data subject.
§ Section 11 BDSG a.F., which previously determined the requirements for commissioned data processing in German law, was repealed due to the direct applicability of Article 28 of the General Data Protection Regulation and is no longer found in the BDSG 2018.
(c) list of processing activities, Article 30
Article 30 replaces the previous obligation to notify with the obligation of the controller and the processor to keep a register of processing activities with the information mentioned in paragraph 1 and paragraph 2. An exception applies to companies with less than 250 employees under the conditions specified in Article 30(3). The directory serves as an important building block for demonstrating compliance with the General Data Protection Regulation and must be made available to the competent supervisory authority upon request. The processing directory replaces the procedural directory previously required under Section 4g (2) of the old version of the BDSG.
d) Reporting of security incidents, Articles 33 and 34
Security incidents can lead to serious economic and social harm to data subjects, such as financial damage, identity theft, damage to reputation or disclosure of professional secrets. Such a "personal data breach" is defined by the GDPR as any breach of security leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data (Article 4(12) GDPR).
Security incidents must be documented by the controller in accordance with Articles 33 and 34 of the General Data Protection Regulation and reported, including the likely consequences of the incident and the remedial measures taken or proposed, to the competent supervisory authority and the data subjects without undue delay as a matter of principle. If the notification to the supervisory authority cannot be made within 72 hours, the reasons for the delay shall be provided. Information may be provided progressively without undue further delay.
The notification obligation does not apply if the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons. Moreover, notification to data subjects must only be made if the incident is likely to result in a high risk for the data subjects. The supervisory authority may order the controller to notify the data subjects.
The system of notification of breaches of the protection of personal data replaces the obligation to inform in the case of unlawful acquisition of knowledge of personal data previously provided for in Section 42a BDSG a.F. and some specialised laws. Under the General Data Protection Regulation, public bodies are now also subject to the notification obligations in the event of security incidents. As before, however, a notification of security incidents may not be used in criminal proceedings against the controller (Section 42(4) BDSG 2018).
e) Data protection impact assessment and consultation obligation, Articles 35 and 36
Processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, their scope, their circumstances and their purposes shall be subject to prior impact assessment by the controller in accordance with Article 35 of the General Data Protection Regulation. If the data protection impact assessment confirms that the processing would result in a high risk, the controller shall consult the competent supervisory authority prior to the start of the processing in accordance with Article 36.
The data protection impact assessment shall include a systematic description of the envisaged processing operations and purposes of the processing as well as an assessment of the necessity and proportionality of the purposes of the processing and the risks for the data subjects. Finally, it identifies the mitigating measures, safeguards, security measures and procedures envisaged to address the risks and ensure that data protection concerns are met. The company or authority data protection officer shall be involved in this process. Where appropriate, the views of the data subjects or their stakeholders shall be sought.
The need for a data protection impact assessment shall be considered in particular when new technologies are used and in the case of large-scale processing operations involving large amounts of personal data or affecting a large number of individuals. The systematic and comprehensive assessment of personal aspects of natural persons on the basis of profiling, the large-scale processing of special categories of personal data within the meaning of Article 9(1) or data relating to criminal convictions and offences pursuant to Article 10, as well as the systematic large-scale monitoring of publicly accessible areas - in particular by means of video surveillance - shall also always be subject to an impact assessment under the conditions of paragraph 3. Supervisory authorities may determine further processing operations for which a data protection impact assessment shall be carried out or for which there is no obligation to carry out an impact assessment.
In future, the data protection impact assessment will replace the prior checking of automated processing operations that pose particular risks to the rights and freedoms of data subjects, which was previously prescribed in Section 4d (5) BDSG old version. It pursues a similar objective as the prior check, but is more structured and is no longer the task of the company or official data protection officer.
Likewise, the data protection impact assessment replaces the obligation to notify the competent supervisory authority of any processing of personal data as provided for by the Data Protection Directive 95/46/EC (formerly § 4d and § 4e BDSG old version). The elimination of the obligation to notify reduces the bureaucratic and financial burden on data controllers. At the same time, focusing on processing operations that are likely to pose a high risk to the data subjects makes the protection of personal data more effective than an indiscriminate, formal obligation to notify the competent supervisory authority.
f) Appointment of company/office data protection officers, Articles 37 to 39
The appointment of company and public authority data protection officers has been provided for in Germany for a long time and has proven its worth. Data protection officers provide public and non-public bodies with internal contact persons for data protection who are familiar with the organisation's data processing operations and procedures and serve as a central point of contact for data controllers, their employees, data subjects and supervisory authorities.
The General Data Protection Regulation now introduces the institution of the data protection officer throughout the EU. The requirements for the appointment, the legal status and the tasks of the data protection officers according to Articles 37 to 39 of the General Data Protection Regulation are largely comparable to the previous legal situation in Germany.
As before, public bodies must always appoint a data protection officer. Non-public bodies are subject to an appointment requirement under Article 37(1) of the General Data Protection Regulation if their core activity consists of processing operations which require regular and systematic monitoring of data subjects on a large scale, or consists of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
In addition, Section 38 BDSG 2018 stipulates that non-public bodies must also appoint a data protection officer if they usually employ at least ten persons on a permanent basis for the automated processing of personal data, carry out processing operations that are subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679 or process personal data on a business basis for the purpose of transmission, anonymised transmission or for the purpose of market or opinion research.
The existing legal situation regarding the appointment of company data protection officers is hereby continued.
Data protection officers must have the necessary expertise to perform their duties. Both the appointment of own employees and the appointment of an external person are permissible. It is also possible to appoint joint data protection officers for a group of companies or several authorities.
The tasks of the data protection officers are laid down in Article 39 of the General Data Protection Regulation: Data protection officers shall inform and advise controllers and their employees on matters relating to data protection law, in particular in carrying out the data protection impact assessment referred to in Article 35. They shall monitor compliance with data protection law and the controller's policies for the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations. They shall cooperate with and act as a point of contact for the competent supervisory authorities on issues related to data processing.
The controller shall fully support the data protection officer in the performance of his or her activities. He or she shall, in accordance with Article 38, in particular ensure that the data protection officers are properly involved at an early stage in all matters relating to the protection of personal data, have the resources necessary for the performance of their tasks and access to personal data and processing operations, as well as the resources necessary to maintain his or her expertise, and are not subject to instructions in the performance of their tasks.
§ Section 6 (3) to (6) in conjunction with Section 38 BDSG 2018. § Section 38 BDSG 2018 further secures the position of the data protection officer in continuation of the previous legal situation. In order to guarantee their independence, data protection officers may not be disadvantaged because of the performance of their duties. As before, they are subject to special protection against dismissal and removal from office, a comprehensive duty of confidentiality and a right to refuse to testify.
What role will codes of conduct and certification play in the future?
Harmonisation offers enormous opportunities for business, especially for companies operating across borders, as the same rules apply throughout the European Union; however, the high degree of abstraction of the General Data Protection Regulation also presents business with legal uncertainty.
The mechanisms that enable the business community to contribute to the implementation of the General Data Protection Regulation on its own initiative are therefore of great importance. The instruments of codes of conduct and data protection certification are strengthened by the General Data Protection Regulation and serve as an important means of creating legal certainty. They are an important aspect of demonstrating data protection compliance and thereby creating trust. The supervisory authorities are closely involved in the development of rules of conduct and certification criteria and approve them, so that they are instruments of "regulated" self-regulation. Approved codes of conduct and certification mechanisms may be part of appropriate safeguards for data transfers to third countries (Article 46(2)(e) and (f) GDPR).
Through the instrument of codes of conduct (Article 40 of the General Data Protection Regulation), associations and other organisations can clarify the application of the General Data Protection Regulation to specific processing sectors or industries, taking into account in particular the needs of small and medium-sized enterprises. The codes of conduct shall be approved and published by the competent national supervisory authority or the European Data Protection Board. The European Commission may declare the codes of conduct approved by the European Data Protection Board to be generally applicable throughout the EU. The supervision of the codes of conduct may be entrusted to an independent body accredited by the supervisory authorities in accordance with Article 41 of the General Data Protection Regulation. The tasks and powers of the supervisory authorities remain unaffected.
Data protection-specific certification procedures (Article 42 of the General Data Protection Regulation) allow controllers and processors to demonstrate compliance with the General Data Protection Regulation in the certified processing operations. Certification is carried out on the basis of certification criteria approved by national supervisory authorities or, in the case of an EU-wide European Privacy Seal, by the European Data Protection Board (Article 42(5)). The bodies carrying out the certification (certification bodies) must be accredited by the German Accreditation Body (DAkkS) with the involvement of the supervisory authorities (Article 43 General Data Protection Regulation in conjunction with Section 39 BDSG 2018).
For the area of commissioned processing within the framework of cloud computing, which is very important in practice, the Trusted Cloud Data Protection Profile for Cloud Services (TCDP) provides a certification standard based on the applicable Federal Data Protection Act, from which providers and users of cloud services benefit equally. The testing standard was developed as part of the technology programme "Trusted Cloud" of the Federal Ministry for Economic Affairs and Energy and is administered by the Data Protection Foundation. The AUDITOR research project funded by the Federal Ministry for Economic Affairs and Energy is currently adapting and further developing the standard to the General Data Protection Regulation. The aim of the project is in particular the creation of a catalogue of criteria for certification approved by the European Data Protection Board in accordance with Article 42(5) of the General Data Protection Regulation and the development of a testing and certification procedure.
Under what conditions may data be transferred to non-EU countries?
While data transfers to other Member States of the European Union are not subject to any restrictions and an impediment to the free movement of data is inadmissible for reasons of data protection (cf. Art. 1(3) of the General Data Protection Regulation), a transfer of personal data to countries outside the European Union or the European Economic Area (third countries) is only permissible under the conditions of Chapter V.
The purpose of the rules on international data transfers is to ensure comprehensive protection of the fundamental right to data protection (Article 8 of the EU Charter of Fundamental Rights): the high standard of data protection guaranteed within the European Union and the European Economic Area should not be undermined by the fact that personal data can be transferred to third countries without adequate safeguards.
For a third country transfer, the general rules of the General Data Protection Regulation must first be complied with (Article 44 General Data Protection Regulation). In particular, there must be a legal basis for the data transfer in the General Data Protection Regulation or in national data protection law.
In addition, one of the following conditions must be met for a data transfer to a third country:
- Existence of an adequacy decision by the European Commission according to Article 45 of the General Data Protection Regulation. Decisions of the European Commission on an adequate level of protection exist, for example, for Argentina, Switzerland, Canada, New Zealand and Uruguay. One such adequacy decision is the EU-US Privacy Shield of 12 July 2016, according to which personal data from the European Union can be transferred to organisations in the USA that have made a binding commitment to comply with the data protection principles of the Privacy Shield and are listed on the "Privacy Shield List".
- Existence of appropriate safeguards (Article 46 of the General Data Protection Regulation), in particular in the form of Binding Corporate Rules, standard data protection clauses or approved codes of conduct or an approved certification mechanism.
- Existence of an exception under Article 49 of the General Data Protection Regulation, in particular:
§ where the data subject has given his or her express consent,
§ to protect the vital interests of the data subject,
§ if necessary for the performance of the contract,
§ for important reasons of public interest,
§ to pursue legal claims or
§ to safeguard compelling legitimate interests of the controller.
Who monitors compliance with the General Data Protection Regulation?
Compliance with the General Data Protection Regulation and national data protection legislation is monitored and enforced by independent supervisory authorities in all Member States.
In Germany, these are the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the supervisory authorities of the federal states. The BfDI is responsible for supervising the public agencies of the federal government, the joint institutions under the Social Code II (Job Centres) and the companies that provide telecommunications or postal services; otherwise, the supervisory authorities of the Länder are responsible.
An overview of the supervisory authorities and their contact details can be found on the BfDI website.
The supervisory authorities have the extensive powers of investigation, redress and authorisation under Article 58 of the General Data Protection Regulation. In particular, they can issue prohibitions or orders against the controller and impose fines. They also advise national parliaments and governments and investigate complaints from data subjects. In the performance of their tasks, the supervisory authorities are completely independent; in particular, they are not subject to any legal or technical supervision.
The supervisory authorities of the Member States cooperate closely in monitoring and enforcing the General Data Protection Regulation. They provide each other with mutual assistance and can carry out joint measures. Important questions of interpretation and application, especially those with cross-border relevance, are discussed and bindingly decided in the European Data Protection Board, the association of all supervisory authorities of the Member States at EU level. With this consistency procedure, the European Data Protection Board contributes to a uniform application of the General Data Protection Regulation throughout the EU.
The supervisory authority at the place of the main establishment or the only establishment of a company in the European Union acts as the lead supervisory authority in the coordination processes with the supervisory authorities of the other Member States. It is the single point of contact for the controller for issues relating to cross-border data processing (Article 56 of the General Data Protection Regulation). This "One Stop Shop Principle" results in a considerable simplification for data processing companies.
What are the consequences of violating the law?
If a supervisory authority becomes aware of a breach of the General Data Protection Regulation or a national data protection regulation through a complaint or a random inspection, it may warn the controller or issue instructions, orders or processing bans (Article 58(2) General Data Protection Regulation). In addition to or instead of the remedial powers, it may impose fines of up to €20 million or 4 per cent of annual worldwide turnover under Article 83 of the General Data Protection Regulation. The requirement of effectiveness, but also proportionality, must be taken into account in each individual case. The controller can appeal to the courts against legally binding orders of the supervisory authorities (Article 78 of the General Data Protection Regulation).
In addition to lodging a complaint with the competent supervisory authority, data subjects may also bring actions before the competent courts if they consider that their rights have been infringed by the processing of their personal data (Article 79 of the GDPR). If an individual suffers material or non-material damage because of a breach of the GDPR, he or she is also entitled to compensation under Article 82 of the GDPR.
§ Finally, Section 42 of the BDSG 2018 provides for criminal offences for the unauthorised processing of data that is not generally accessible, if the offence was committed commercially, for remuneration or with the intention of enrichment or damage.
What is the function of the BDSG? Why is it no longer full law?
The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG 2018), which will apply from 25 May 2018, supplements the General Data Protection Regulation in those areas where the Member States retain scope for action. Although an EU Regulation is directly applicable in each Member State pursuant to Article 288 of the Treaty on the Functioning in the European Union (TFEU) and therefore does not require transposition into national law. However, the General Data Protection Regulation contains numerous clauses that grant the Member States obligations or options to act ("limping regulation").
The national legislator is generally prevented from merely "copying" directly applicable provisions of an EU regulation in national law (prohibition of repetition). The BDSG 2018 therefore no longer contains comprehensive regulations of data protection law in the scope of application of the General Data Protection Regulation, but only selective additions. Thus, the General Data Protection Regulation directly regulates the rights of data subjects in Chapter III and the BDSG 2018 only provides for supplementary restrictions. For practical application, this means that the General Data Protection Regulation and the BDSG 2018 must be read together. In addition, there may be sector-specific standards.
Within the scope of application of the General Data Protection Regulation, only Parts 1 and 2 (sections 1 to 44) of the BDSG 2018 apply; the provisions of Part 3 (sections 45 to 84), on the other hand, serve to implement Directive (EU) 2016/680 and thus relate solely to the processing of personal data for the purposes of the prevention, detection or prosecution of criminal offences or the execution of criminal penalties by the competent authorities. The final Part 4 (Section 85) contains regulations for the processing of personal data outside of the General Data Protection Regulation and Directive (EU) 2016/680, such as for the purposes of national defence or humanitarian aid.
What is the relationship of the General Data Protection Regulation to existing data protection regulations in national law?
EU law is hierarchically superior to national law. It enjoys priority of application. However, data protection regulations in national law continue to be applicable after 25 May 2018. The federal legislator is working at full speed to adapt its specialised law to the new general data protection law consisting of the General Data Protection Regulation and the BDSG2018. In individual cases, questions of interpretation may arise as the existing laws do not contain any specific references to the General Data Protection Regulation before the adaptation work is completed. In this respect, the national standards must be interpreted in conformity with EU law.
What is the relationship between possibly diverging fundamental rights?
Recital 4 of the GDPR clarifies that the right to the protection of personal data is not an unlimited right. Rather, it must be balanced against other fundamental rights in compliance with the principle of proportionality.
According to Art. 85 of the General Data Protection Regulation, Member States shall bring the right to the protection of personal data into line with the right to freedom of expression and information, including processing for journalistic purposes and for scientific, artistic or literary purposes, by means of legislation. The term legal provision also includes the articles of the Basic Law, such as Article 5 GG, together with the relevant case law.
Under what conditions is the taking and dissemination of personal photographs permissible in the future?
The General Data Protection Regulation does not lead to any significant changes in the previous legal situation regarding the handling of photographs. The taking and publication of a personal photograph is subject to the general regulations of data protection law. As before, photographs may only be processed if the data subject has consented or if a legal basis permits this.
If the recording is based on the consent of the person(s) concerned, this consent can already be revoked at any time under current law. Due to the fact that consent can be revoked at any time and the lack of practicability when recording large crowds of people, consent under data protection law is often not a practicable legal basis under the current legal situation. In addition to consent, other possible legal grounds for taking and publishing images are the performance of a contract (Article 6(1)(b) of the General Data Protection Regulation) or the exercise of the photographer's legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Freedom of expression and information, which are protected and guaranteed by fundamental rights, constitute legitimate interests under Article 6(1)(f) of the GDPR. They are therefore directly involved in the interpretation and application of the GDPR. The GDPR emphasises that the protection of personal data is not an unlimited right, but must be balanced against other fundamental rights in view of its societal function and in compliance with the principle of proportionality (recital 4).
For the publication of photographs, the Art Copyright Act (KunstUrhG) contains supplementary regulations that will continue to apply under the General Data Protection Regulation applicable from 25 May 2018. The Art Copyright Act is based on Article 85(1) of the General Data Protection Regulation, which gives Member States national scope to balance data protection with freedom of expression and information. It does not contradict the General Data Protection Regulation, but fits into the system of the General Data Protection Regulation as part of the German adaptation legislation.
What will change for small associations and voluntary organisations?
In the negotiations on the General Data Protection Regulation, the Federal Government attached importance to an appropriate design that takes into account the special concerns of smaller institutions.
Whether and to what extent the obligations of the General Data Protection Regulation must be fulfilled is therefore primarily determined by the scope, the purposes and the severity of the risk posed by the data processing (so-called risk-based approach). Only institutions whose business purpose (core activity) is the processing of personal data or which carry out exceptional, high-risk data processing operations are subject to the full set of obligations of the General Data Protection Regulation.
If, on the other hand, the data processing does not go beyond a usual, supporting activity (e.g. payroll accounting, membership and contribution administration, operation of an association website), the General Data Protection Regulation does not lead to any significant changes compared to the current legal situation.
The processor obligations of Chapter IV of the General Data Protection Regulation are already known under current data protection law, such as the obligation to take appropriate technical and organisational measures, the appointment of company data protection officers or the creation of a processing directory.
For the technical and organisational measures to ensure data security, the following applies: Not every data processing requires equally high security standards. A level of protection appropriate to the risk is required, taking into account the implementation costs. In the context of normal association or voluntary activities, standard measures such as the storage of personal data in lockable devices, up-to-date operating systems with password protection, access rights and up-to-date virus protection are usually sufficient to meet the requirements.
An operational data protection officer must - as has been the case up to now - generally only be appointed for associations and voluntary institutions if "at least ten persons are permanently engaged in the automated processing of personal data" (Section 38 (1) sentence 1 BDSG 2018). A data protection impact assessment for high-risk data processing, which leads to the appointment of company data protection officers regardless of this threshold, is only indicated in individual cases that clearly deviate from the usual processing activities in associations and voluntary institutions. The obligation therefore does not already apply from ten employees or members, but regularly only when there are more than nine employees working in administration (i.e. in particular in membership and contribution administration as well as payroll accounting). Only these are "permanently" - and not only regularly or on occasion - entrusted with the automated processing of personal data.
Company data protection officers can be employees or external service providers. Data protection officers must have the time resources necessary to fulfil their advisory and supervisory functions, but this by no means requires full time off.
The appointment of company data protection officers on a voluntary basis remains permissible. The following also applies here: Exemption from the obligation to appoint a company data protection officer does not exempt from compliance with data protection law!
The directory of procedures, which was already required in the past, is replaced by the directory of processing activities. The register of procedures describes the essential details of each processing activity, such as the purposes of the processing and a description of the categories of personal data, the data subjects and the recipients.
Although the rights of data subjects to information and access are expanded by the General Data Protection Regulation, they are not new either, with the exception of the right to data portability (Article 20 General Data Protection Regulation). The amended Federal Data Protection Act 2018, which came into force on 25 May 2018, contains supplementary exceptions to the rights of data subjects that tie in with the previous legal situation in Germany under the old Federal Data Protection Act.
The supervisory authorities have meanwhile published a large number of coordinated short papers on the implementation of the General Data Protection Regulation, which also take into account the needs of small and medium-sized institutions. In particular, reference should be made to the handout of the Bavarian State Office for Data Protection Supervision for small businesses and associations, which explains the requirements of the General Data Protection Regulation for typical association activities in practical implementation (for the Free State of Bavaria).
Are fines threatening the very existence of the company?
In order to give particular effectiveness to the fundamental right to the protection of individuals with regard to the processing of their personal data, infringements of the most important provisions of the General Data Protection Regulation are subject to fines of up to €20 million or up to 4 per cent of the total annual worldwide turnover of the preceding business year (Article 83 General Data Protection Regulation).
The imposition of fines for data protection breaches is at the discretion of the supervisory authorities. In addition to or instead of a fine, the other remedial powers of the supervisory authorities under Article 58(2) of the General Data Protection Regulation may be considered. The amount of the fine must also be proportionate. The purpose of the upper limit set by the General Data Protection Regulation is to skim off the profit gained from the infringement, but not the insolvency of a company. The aim is to prevent companies that make high profits from processing personal data from paying for data protection violations "out of petty cash". However, the General Data Protection Regulation does not stipulate a minimum amount.
When deciding on the imposition of a fine and its amount, due account shall be taken of the aspects referred to in Article 83(2), including the nature, gravity and duration of the breach, the intentionality or negligence, the mitigation and prevention measures taken, the level of cooperation with supervisory authorities and any aggravating and mitigating circumstances of the individual case. Especially in the case of minor infringements or disproportionate burdens, the GDPR provides for the possibility of a warning instead of a fine (recital 148).
The procedure and legal remedies of the Administrative Offences Act (OWiG) are available against the penalty notice of a supervisory authority.
Where can I find further information?
At the European level, the Article 29 Working Party, the association of supervisory authorities of all Member States in the European Union, has published common guidelines on key issues of the General Data Protection Regulation. The Article 29 Working Party will be replaced by the European Data Protection Board under the General Data Protection Regulation.
At national level, the Conference of Data Protection Commissioners of the Federation and the Länder has published joint short papers on many important subject areas of the General Data Protection Regulation, which provide interpretative guidance on the practical application of the General Data Protection Regulation.
Some supervisory authorities have also published further interpretative guidance and forms, such as the model form for a register of processing activities under Article 30 of the General Data Protection Regulation.
Further practical aids are published by numerous data protection and business associations.
Finally, an overview of current topics and important developments in data protection is provided by the Stiftung Datenschutz (Data Protection Foundation).