New Data Protection Regulation to Come

Starting on May 25th 2018, the EU basic regulation for data protection (EU-DSGVO) will come into effect, in order to standardize the European data protection laws. The new documentation- and reporting obligations, however, bring with them the threat of greater administrative efforts for companies. 

Data protection regulation com. Foto: Alex Fischer

New data protection regulation  to come. Foto: Alex Fischer

This is because the EU-DSGVO contains several new features. The loss or abuse of data, for example, must be reported to the national supervisory authority within 72 hours after becoming aware of it. “It’s still unknown exactly which authority this will be,” Frank Huster, managing director of the German Freight Forwarding and Logistics Association (DSLV) announces upon request. But one thing is certain: if the affected person’s individual rights aren’t violated, the reporting obligation doesn’t apply.

Reporting every data breach

Something that might also contribute to increased expenses: every data breach must be documented. And: data breaches shouldn’t be taken lightly. The fines are tremendous. A violation can mean a fine of up to 20 million euros or four percent of worldwide total revenue. This could jeopardize the existence of some companies. But these high penalties only take effect in especially serious cases – for example for violations against the data handling policy or for processing without legal basis. So there’s no reason to panic. Upon trans aktuell’s request, the Federal Association of Transport and Logistics in Industry and Trade (BWVL) also surmises that supervisory authorities will only start monitoring and fining after a transition period – because of the complexity of the changes.

Privacy by Design

Important: data protection will be anchored to the development phase of products and services (“Privacy by Design”). For software, for example, this means: the data minimization of user data, as well as pseudonymization and anonymization, is already an important criterion during development or purchasing.

In addition, data users must meet extended information obligations when the EU-DSGVO comes into effect. A client or employee, for example, must be notified before the data is collected. The affected persons must also be notified about what the data will be used for. In addition, a different application of the collected data isn’t possible at a later time. Equally, the EU-DSGVO demands a directory of all processing activities. The company must submit these during inspections. The data user has special information obligations for direct- and third-party surveys, respectively (article 13 EU-DSBVO).

Employees may request information about data

As has been the case for the previous legal situation, employees may request information about saved personal data – via an informal application and without stating a reason. The so-called right to information is described in detail in EU-DSGVO’s article 15. Companies are well-advised to prepare themselves organizationally in a timely manner for a quick and correct provision of information.

As it has until now, the deletion of personal data still takes up a lot of space in the new EU-DSGV. In Germany, the right to delete data is already in effect if and when the storage of data isn’t necessary for mandatory contractual or legal reasons. This is also explicitly specified as a “right to be forgotten” in the new EU-DSGVO. For example, if an affected person revokes his consent for data collection and no other legal basis takes effect, the personal data must immediately be deleted independently by the responsible party (article 17 EU-DSGVO).

However: the right to be forgotten isn’t yet regulated on the internet. Upon inquiry by trans aktuell, the BWVL explains: “This is a really big scope for which we don’t know yet what the implementation could specifically look like.” So far, not all new features of the EU-DSGV are being met with a consistently positive response. There’s also criticism. The DSLV, for example, explains that the full harmonization of data protection pursued by the EU Commission won’t be reached. There are too many flexibility clauses.

Special caution during transference to non-member countries

Special caution is advised if and when personal data is to be transferred to so-called non-member countries, those being countries outside of the European Union. The EU-DSGVO stipulates special regulations for this case (article 9, 44 and 45). Personal data may therefore only be transferred to a non-member country if it has an appropriate level of protection from the legislature’s point of view. The deciding factors for this are criteria like rule of law, as well as respect for human rights and fundamental freedoms.

Compact information

The Data Protection Conference (DSK) is currently developing guidelines for the new data protection law and is publishing them bit by bit online. The so-called brief papers with the compact information can be retrieved via QR-Code on the right side of the title image. Upon inquiry of trans aktuell, the DKS announced to add more brief papers by May 25th 2018. The QR-Code on the left leads to the topic page data protection of with further information.

Important to know

  • Only a short transition period left until May 25th 2018
  • Clients may request the deletion of personal data. The company must comply.
  • If violated, fines of up to 20 million euros or four percent of worldwide total revenue are possible.
  • Along with the EU-DSGV, the new Federal Data Protection Act (BDSG-new) takes effect on May 25th. The latter closely orients itself on the EU-DSGV, while still leaving some leeway.

To consider during implementation

  • Implementing information obligations and deletion concepts
  • Adjusting data protection organization
  • Organizing reporting requirements
  • Adjusting service relationships
  • Establishing documentation
  • Adjusting IT-security
  • Adjusting bargaining agreements


List of things to do by May 25th

  • Check if the information obligation towards affected persons are already being fulfilled in conformity with EU-DSGVO, according to the existing data handling processes.
  • Analyze the actual state with regard to the company’s current processes, for example documentation as well as bargaining agreements. Then create and execute a gap analysis between actual and target state.
  • Examine technical and operative procedures – for example the reaction to information leakage. Because of the very short legal reporting deadline of 72 hours, it’s best to set up a crisis management.
  • Create a complete directory of processing activities. This directory serves as the foundation for a structured data protection documentation.
  • Appoint an occupational data protection officer (DSB). Consequently, the coordination of the company’s interests in data protection laws should be tied to a position, if that’s not already the case. The DSB can also be supplied by an external service provider.


Support for implementation of the basic regulations

The Federal Ministry for Economic Affairs and Energy (BMWi) and the German Chamber of Industry and Commerce (DIHK) advise small and mid-sized companies about the EU data protection basic regulations (DS-GVO) in so-called Road Shows. According to BMWi and DIHK, they will offer approximately 25 to 30 appointments within the first six months, at which they inform small and mid-sized companies about the proper procedures. The BMWi will send a speaker to each appointment and will provide the respective Chambers of Industry and Commerce with a checklist of tips in advance.


Related articles
Magazine Topics
- DEKRA Solutions - Magazine