What to Know About the General Data Protection Regulation (GDPR)? FAQ
Total Page:16
File Type:pdf, Size:1020Kb
What to know about the General Data Protection Regulation (GDPR)? FAQ www.bitkom.org What to know about the General Data Protection Regulation (GDPR)? 2 Imprint Publisher Bitkom e. V. Federal Association for Information Technology, Telecommunications and New Media Albrechtstraße 10 | 10117 Berlin Contact Sausanne Dehmel | Member of the Executive Board responsible for security and trust T +49 30 27576 -223 | [email protected] Graphics & Layout Sabrina Flemming | Bitkom Coverimage © artjazz – fotolia.com Copyright Bitkom 2016 This publication constitutes general, non-binding information. The contents represent the view of Bitkom at the time of publication. While great care is taken in preparing this information, no guarantee can be provided as to its accuracy, completeness, and/or currency. In particular, this publication does not take into consideration the specific circumstances of individual cases. The reader is therefore personally responsible for its use. Any liability is excluded. What to know about the General Data Protection Regulation (GDPR)? 3 Table of Contents Table of Contents Introduction ________________________________________________________________ 4 When does the GDPR enter into force? __________________________________________ 5 How does the GDPR apply in Germany? _________________________________________ 5 Which rules remain largely unchanged? _________________________________________ 7 Which are the new elements and most important changes? ________________________ 9 Which processes and documents do I have to review? ____________________________ 17 What are the costs and effort I should expect? ___________________________________ 18 Which company departments should be informed about the changes? ______________ 18 Who provides guidance on interpretation? ______________________________________ 19 What to know about the General Data Protection Regulation (GDPR)? 4 FAQ Introduction The extensive provisions of the General Data Protection Regulation (GDPR) cause small and medium-sized enterprises (SMEs) initial difficulties. »Where to start with implementing the new privacy rules?«, »which processes and procedures need to be set up within the company?« and »how does a GDPR compliant data management look like?« are only few of many puzzling questions. Many of the GDPR’s concepts and principles are more or less the same as under the current EU Data Protection Directive (Directive 95/46/EC) which has been implemented by the Federal Data Protection Act (so called »Bundesdatenschutzgesetz«1 (BDSG)) in Germany. Those who already comply with the current law shouldn’t be too worried. There is no need to start from scratch! Nevertheless, it is essential to review your data protection practices and further develop them in line with GDPR requirements by 25 May 2018 at the latest. Note that there is no blue-print solution for starting the GDPR implementing process. Every company has a different business model which also includes different data processing activities. For example, the provision on health data will have more impact on m-health app developers than on others, whereas a cloud provider might me more concerned by the new liability regime for data processors. These FAQs aim to help companies planning their approach towards GDPR compliance. It high- lights the main changes and new features in EU data protection law. The advice mainly focuses on SMEs and provides them with a checklist to effectively trigger the right processes and proce- dures within the company. 1 For English version see here ↗ here What to know about the General Data Protection Regulation (GDPR)? 5 FAQ When does the GDPR enter into force? The GDPR entered into force on 25 May 2016, twenty days after the publishing in the Official Journal of the European Union. However, the law will only apply after a transition period of two years. This means that from 25 May 2018 onwards all companies within the scope of the GDPR have to be compliant and are subject to enforcement by national data protection authorities (DPAs) and courts. Note This two-year transition period should be urgently used to review and where necessary adapt work flows, processes, contracts and arrangements within your company as DPAs can impose fines if the requirements of the GDPR have not or not sufficiently be fulfilled. How does the GDPR apply in Germany? The data protection rules for companies as laid down, for instance, in the BDSG will be largely replaced by the GDPR. Furthermore, as the GDPR is an EU regulation it will be directly applicable in all EU Member States and will not require any national implementing laws. National legisla- tors will simply enact laws to annul their current data protection legislation. However, there are a number of so called »opening clauses« in the GDPR which provide Member States with discre- tion to introduce additional national provisions to concretize and further specify the application of the GDPR: Example Employment Data: A classic example of such an opening clause is data processing in the context of employment. According to Art. 88 (1) GDPR Member States can provide for more specific rules to ensure the protection of rights and freedoms »in respect of the pro- cessing of employees«. This formulation does neither allow for stricter nor softer rules – it simply leaves room for concretization of the rather general GDPR provisions. No comprehen- sive use of this opening clause and introduction of a new law is expected in Germany due to the short time limits until the application of the GDPR. However, the German legislator will probably keep the existing rule of 32 BDSG. Note Collective agreements like a German employer/works council agreement (so called »Betriebsvereinbarung«) are still valid according to Art. 88 (1) GDPR. Though, it is recommended to review existing agreements and assess whether they are in line with GDPR requirements. Keep in mind that data protection in the employ- ment context is mainly governed by various judgements of German labor courts (predominantly the »Bundesarbeitsgericht«(BAG)2) which still need to be taken into account. 2 English ↗ website of BAG What to know about the General Data Protection Regulation (GDPR)? 6 FAQ Example Children’s Consent under 16: The GDPR gives special protection to children’s per- sonal data. If your organization collects information about children below 16 years you will need a parent’s or guardian’s consent in order to process data lawfully. Member States can lower the minimum age from 16 up to 13 years. Note If you are an EU-wide operating company you should check first which age limit is applicable in each Member State in which you are operating. Remember that consent needs to be verifiable and you bear the burden of proof. Therefore, you should start thinking soon about putting a system in place to verify individual’s ages in practice and to gather guardian consent for the data processing activity. Example German Data Protection Officer: The German government announced that it would use the opening clause in Art. 36 (4) GDPR to maintain the German BDSG-rule which requires every company with more than 9 employees to designate a DPO taking responsibil- ity for data protection compliance. This German rule goes beyond the minimum standard in the GDPR. Note A SME (/start-up) with less than 9 employees should still assess whether it needs to designate a DPO according to Art. 37 (1) GDPR (see more at page 8). Example Collective Redress: The German legislator has already used the opening clause in Art. 80 (2) GDPR by introducing a new law on collective action for enforcement of consumer data protection rights (so-called ↗ »Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts« of 24 of February 2016). This law allows a wide range of third party representatives (consumer associations, chambers, etc.) to seek judicial remedies against companies. Previously, consumer associations could already bring privacy cases against companies before court, however, only in the area of privacy notices (standard terms and conditions). The new law extends this competence to areas where personal data has been unlawfully processed for advertising, market and opinion research, commercial credit bureaus, profiling, address trading or for other »comparable commercial purposes« and many data subjects are affected. In other Member States, which have not enacted such law, consumer associations can only lodge a complaint on behalf of the data subject if they have received a mandate from him or her (compare Art. 80 (1) GDPR). Note Expect in future that consumer associations will equally bring claims for e.g. access of personal data, rectification and erasure or damages on behalf of data subjects. What to know about the General Data Protection Regulation (GDPR)? 7 FAQ Overall, the GDPR does not leave too much room for Member States to enact additional laws in areas which are important to companies since most opening clauses refer to »public interest grounds« such as public health, national security, etc. Germany plans to publish a law in early summer 2017 to fill in some of these gaps. As most provisions of the GDPR are regulated exhaus- tively, companies should already start assessing and adapting their data protection practices. You may find compliance difficult if you leave preparations to the last minute. Which rules remain largely unchanged? ◼ The Regulation keeps the main data protection concepts and principles of the current EU Directive 95/46. Example: Data protection principles like »purpose limitation«, »data minimization« and »transparency« remain largely unchanged. Note Although the »general principles« of data processing have not changed, they will be implemented by strict- er »specific provisions« e.g. the further processing of personal data according to Art. 6 (4) GDPR (purpose limitation), the new duty of data protection by design and default according to Art. 25 GDPR (data minimi- zation) and additional information duties according to Art. 13 and 14 GDPR (transparency). ◼ Data processing of personal data is still prohibited if not explicitly allowed by a legal basis of either the GDPR or other specific legislation (e.g.