The clock is ticking: The new EU General Data Protection Regulation

On 25 May 2018, the new EU General Data Protection Regulation (GDPR; in German: DSGVO) will come into force. From then on, the important subject of data protection will be harmonised throughout Europe by the GDPR - with significant consequences for your company!

New obligations for companies

When the new EU General Data Protection Regulation comes into force on 25 May 2018, the previous Federal Data Protection Act (BDSG) will lose its legal force. From that moment on, the European Regulation will become applicable law, which will be specifically supplemented in Germany by a new Federal Data Protection Act.

Companies, regardless of size, are required to establish suitable compliance structures by the end of May at the latest. Substantive principles and measures for compliance with data protection must be laid down and made binding for employees. This requires a comprehensive examination of what data is generated in the company and whether that data is handled in a legally compliant manner. In addition, employees must be comprehensively trained and made aware of the requirements. In concrete terms, companies must now draw up various records of processing activities and process instructions, and these must also be observed in day-to-day business. Examples include agreements on commissioned data processing, confidentiality agreements with employees, and rules for handling customer enquiries about the personal data stored about them.

Necessity of a data protection officer

An obligation that companies often neglect is the appointment of a data protection officer. This is always required if the company employs at least ten employees who process personal data automatically. Whether these are permanent employees, freelancers or temporary workers is irrelevant. If work is carried out on a computer, it must be assumed that the data is processed automatically. The term "personal data" is to be understood in an extremely broad sense!

The danger: Massive fines and warnings

For companies that process data digitally, or even merely have it processed on their behalf, considerable risks arise when the GDPR comes into force. First, the fines for violations of applicable data protection law will be painfully increased: depending on the violation, fines of up to 20 million euros or up to 4 percent of group turnover may be due. Second, the liability of managing directors and internal data protection officers has been extended; they now face personal liability and, in the case of massive breaches of data protection, even a prison sentence of up to three years. Whereas in the past an audit was hardly to be expected, the national supervisory authorities are now obliged by the new European rules to carry out regular on-site audits at companies. The relevant authorities are already considerably better equipped and staffed. Since fines also flow into the public purse, a significantly higher number of audits can be expected, and these will also reach smaller medium-sized companies.

Even more dangerous, however, is the risk that violations of data protection law will in future be classified as violations of competition law. Every competitor will then be able to issue a formal warning for a violation, with the associated costs charged to the company. Even a warning over a faulty data protection statement on a company's website can quickly involve costs of several thousand euros.

We would be happy to support you in setting up the necessary structures in your company and, if necessary, take on the task of (external) data protection officer for you. Contact us for a non-binding initial consultation.


GoldbergUllrich Attorneys at Law 2017

Martin Wagner, LL.M., Attorney at Law
Master of Laws in Industrial Property
Certified data protection officer (TÜV Nord)
