On May 25, 2018, the new EU General Data Protection Regulation, or GDPR for short, will come into force. The crucial topic of data protection will then be harmonized across Europe by the GDPR – with significant consequences for your company!
New Obligations for Businesses
Upon the entry into force of the new EU General Data Protection Regulation on May 25, 2018, the existing Federal Data Protection Act (BDSG) will cease to be legally effective. From this date, the European regulation, specifically supplemented in Germany by a new Federal Data Protection Act, will constitute the applicable law.
Companies, irrespective of their size, are mandated to establish appropriate compliance structures by the end of May at the latest. This involves defining substantive principles and measures for data protection compliance and making them binding for employees. Such an undertaking requires a comprehensive audit to identify all data processed within the company and to ensure its legally compliant handling. Furthermore, employees must receive thorough training and awareness-raising. Specifically, businesses are now required to create various records of processing activities and implement process instructions that are adhered to in day-to-day operations. Examples include data processing agreements, confidentiality agreements with employees, and protocols for managing customer inquiries concerning stored personal data.
Requirement for a Data Protection Officer
Businesses frequently overlook the obligation to appoint a Data Protection Officer. This appointment is mandatory whenever a company employs at least ten individuals who process personal data automatically. The employment status of these individuals—whether permanent staff, freelancers, or temporary workers—is irrelevant. If work involves computer usage, automated data processing is presumed. It is crucial to interpret the term 'personal data' very broadly.
The Risk: Substantial Fines and Cease-and-Desist Notices
With the GDPR's entry into force, companies that process data digitally, or have it processed, face significant risks. Firstly, penalties for infringements of applicable data protection law have been substantially increased. Depending on the violation, fines can amount to up to 20 million Euros or up to 4 percent of the group's annual worldwide turnover. Furthermore, the liability for managing directors and internal data protection officers has been expanded; they now face personal liability – and for severe data protection breaches, even imprisonment for up to three years. While audits were infrequent in the past, national supervisory authorities are now mandated by the new European regulations to conduct regular on-site inspections of companies. The relevant authorities are currently being considerably better equipped and staffed. As fines also accrue to public funds, a significantly higher number of audits is anticipated, which will extend to smaller and medium-sized enterprises.
However, an even greater risk lies in the potential classification of data protection infringements as violations of competition law. Consequently, any competitor will be able to issue a costly cease-and-desist notice for such a violation. Even a cease-and-desist notice for an inadequate privacy policy on a company's website can quickly lead to costs amounting to several thousand Euros.
We are pleased to assist you in establishing the necessary structures within your company and, where required, assume the role of your (external) Data Protection Officer. Please contact us for a non-binding initial consultation.
GoldbergUllrich Law Firm 2017
Attorney Martin Wagner, LL.M.
Master of Laws for Intellectual Property Law;
Certified Data Protection Officer (TÜV Nord)
