GDPR

The GDPR (General Data Protection Regulation) is the central piece of data protection legislation that is binding for all EU member states. The regulation aims to protect the fundamental rights of natural persons, in particular their right to the protection of personal data. It is also the EU's response to the growing challenges of digitalization. All relevant news on the General Data Protection Regulation is available from the Europe.table editorial team.

GDPR: What is the current status?

Until 2018, data protection was regulated very differently in the individual EU member states. The GDPR, which consists of 99 articles, replaced the Data Protection Directive that had been in force since 1995. Its adoption not only brought uniform rules across the member states and the companies operating in them, but also adapted data protection law to digital change. The GDPR is also binding for the non-EU countries of the European Single Market (Iceland, Liechtenstein and Norway). Like the previous Data Protection Directive, the GDPR is based on the principles of purpose limitation and data minimization: personal data may only be processed for the purpose of the service in question and not for unrelated purposes such as advertising (purpose limitation), and the content and scope of the data collected is limited to that defined purpose, so no additional information may be collected (data minimization).

What does the GDPR change for consumers?

The GDPR brings fundamental changes, particularly with regard to consumer privacy. The principles of "privacy by design" and "privacy by default" require the highest possible level of data protection through default settings. To this end, consumers must be informed in advance which data processing is not necessary for the fulfillment of the contract.
Consent must be given for any further processing of such data and can be revoked at any time. Consumers must be informed about the purpose of the data collection and can request rectification and erasure in the event of unlawful or incorrect data processing. They can also object to inappropriate data processing. Data protection authorities and consumer advice centers help with the implementation and enforcement of data protection rights; data subjects can also exercise their right to information and assert claims for damages there.

GDPR: status in the EU

The GDPR applies to all service providers and suppliers of goods operating on the European market, including companies without a registered office in the EU. For data processing in non-EU countries, the rights to information, access, rectification, erasure where necessary, objection and complaint continue to apply. In 2020, the European Court of Justice (ECJ) ruled that US companies may not transfer personal data of EU citizens to the USA. An Austrian data protection activist had taken legal action against the transfer of Facebook data to the parent company in the USA and won. With this ruling, the ECJ declared the so-called "Privacy Shield" agreement invalid, after its predecessor, "Safe Harbor", had already been overturned in 2013. However, US companies can continue to use the standard contractual clauses drawn up by the EU.

Data processing outside the EU: US Privacy Shield

Originally, by complying with the Privacy Shield, companies undertook to process personal data outside the EU only where comparably strict data protection rules apply. Following the ECJ ruling, this is no longer readily possible in the USA. The ruling therefore has data protection implications for multinational corporations such as Facebook and Google, which are based in the USA. According to data protection experts, this increases the pressure on data protection rules worldwide.
Violations could result in fines: according to Article 83(5) of the GDPR, fines can amount to up to USD 20 million or four percent of annual global turnover.

GDPR: Implementation in Germany

With the decision of May 25, 2018, the regulation also applies in Germany. Previously, the Federal Data Protection Act (BDSG) regulated data protection in Germany on the basis of the fundamental right to informational self-determination, and until May 2018 each federal state also had its own state data protection law. The GDPR brings significant and direct changes here, for example significantly higher fines. Another specific change is that, once the GDPR applies, data protection officers must be appointed in all companies, with the exception of small companies in which fewer than 20 people are involved in the processing of personal data. The authorities responsible for data protection violations and the corresponding fines in Germany are the Federal Commissioner for Data Protection and Freedom of Information and the individual state data protection commissioners.

GDPR is a burden for SMEs

In a report on the implementation of the GDPR, the EU Commission concludes that the rules are particularly difficult for small and medium-sized enterprises to implement, above all because of the additional cost of employee training. The EU member states would also have to strengthen the work of the national data protection authorities and support particularly burdened countries such as Ireland and Luxembourg. In principle, however, the EU Commission celebrates the GDPR as a success and an opportunity for global data protection standards.