The EU General Data Protection Regulation (GDPR) aims to unify data protection regulations across all European Member States. National law must therefore be adapted to the EU General Data Protection Regulation.
The only way for Member States to make minor adjustments is through the so-called opening clauses. These must be formulated and reported by the end of the implementation period.
Whose data should be protected?
According to Art. 1 of the GDPR, one of its main objectives is to lay down rules relating to the protection of personal data. In this context, the protection of individuals whose personal data is processed is also addressed.
Processing of personal data
In addition, the EU General Data Protection Regulation contains principles for the processing of personal data. Under Art. 5 of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner.
As a result, appropriate security of the data must be ensured. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, which requires appropriate technical and organisational measures.
Compliance with these principles must be verifiable.
When will the EU General Data Protection Regulation become obligatory?
It took effect on 24 May 2016, but the Member States have been granted a transition period of two years. This period ends on 25 May 2018; by then, national law must be adapted accordingly.
As soon as the EU General Data Protection Regulation becomes obligatory, Directive 95/46/EC is repealed. The exact wording can be found in Chapter 11 of the GDPR.
The clock is ticking
There is now less than one year until the GDPR becomes obligatory and thus applicable in all EU Member States. At present, however, many companies are still struggling with great uncertainty and an abundance of new guidelines.
According to Bitkom, the industry association of the German information and telecommunications industry, one in three German companies has not yet dealt with the GDPR at all.
High penalties for violations
In the worst case, violations can result in fines of millions of euros. According to Art. 83 Par. 4 seq., violations can result in fines of up to EUR 10,000,000. In the case of a company, the fine can instead be up to 2% of its total annual turnover, achieved worldwide in the previous financial year. Subsidiaries are included in this calculation.
The maximum possible fine is whichever of these two amounts is higher. In particular cases, this limit may even be doubled.
Nonetheless, Art. 83 Par. 1 advises the supervisory authority to impose penalties that are effective, proportionate and dissuasive. It is therefore unlikely that a small business owner will have to pay fines in the millions. But "effective" and "dissuasive" are, in this context, very broad terms.
Unfortunately, there are still no clear guidelines as to how companies should deal with the law. To remedy this situation, the Data Protection Conference (DSK) has published a number of short papers on practical implementation (unfortunately, these are only available in German). Further short papers are to follow.
In conclusion, we trust that all companies will now start implementing the EU General Data Protection Regulation. Hopefully the supervisory authorities will, at least in the early stages of the process, temper justice with mercy, because one thing is certain: the GDPR is coming.