The GDPR is coming: businesses should take note now
The General Data Protection Regulation must be implemented on 25 May 2018. It will involve numerous new developments with regard to rules under data-protection law. These will affect both the detailed content of requirements governing the legality of data-processing operations and formal procedures such as documentation and duties of information. Since the Regulation, unlike Directives, does not require any transitional period or implementation, from 25 May it will also apply directly in Germany in the form promulgated by the EU. Businesses which have not so far aligned their processes with the rules of the GDPR should begin this changeover immediately, since many processes within a business are affected by the changes. This article is designed to provide an overview of the most important areas affected by the GDPR and of the legal requirements which the changeover in question must meet. In particular, the transparency rules in the General Data Protection Regulation will require significantly more time and resources than the previous rules in the German Data Protection Act. The regulatory authorities may accordingly be expected to keep a particular eye on this very area. To avoid the considerable risk of fines under the GDPR, businesses should therefore design their information and documentation processes in particular to be as transparent as possible.
Previous data-protection declarations should be urgently revised. The most important reason for this is the extension to duties of information under the GDPR compared with the previous legal situation under the German Data Protection Act (BDSG).
Thus Art. 13 of the GDPR stipulates that the data subject must be informed inter alia of the identity of the controller, of the purpose (separately for each individual data-processing operation) and period of such data processing, of their rights of information and objection, and, should such data processing be based on Article 6, Paragraph 1, Subsection f of the GDPR, of the justified interests pursued by the controller or a third party. In general the data subject must be informed of all the data subject’s rights. These include the rights of information, correction, deletion, restriction, objection and data transferability. In addition, the data subject must be informed how far a decision is made solely on the basis of automated data processing (particularly profiling). Care must be taken to ensure that the data subject is provided with the information immediately upon data collection, e.g. when ordering a newsletter or concluding a sale in an e-commerce transaction, but also possibly prior to concluding the purchase contract, e.g. when registering. Art. 12 of the GDPR requires that this information be provided to the data subject in a “transparent, comprehensible and easily accessible form in clear and simple language.” The GDPR allows a verbal, written or electronic transmission of such information to suffice. Particular care must be taken to ensure that the information is easily comprehensible when dealing with children. The duty of information only fails to apply if, in the case of a data-processing operation, the data subject already possesses the requisite information. Businesses bear the burden of proof that this is so. Documentation of the implementation of these rules, particularly in the data-protection declaration, is therefore recommended. Breaches of the duty of consideration and documentation are sanctioned by high fines under the GDPR; they may amount to up to 4% of annual turnover or 20 million Euros.
If the legal basis on which the data processing is carried out is a declaration of consent, it should be noted that this is possible informally under the GDPR. Under Art. 7, No. 3 of the GDPR the data subject must always be notified of their right of objection with regard to the declaration of consent. If particular prior conditions are met, the consent obtained under the German Data Protection Act (BDSG) may continue to apply. With regard to the revocation of consent, businesses should take care not only to ensure that the data subject has been notified to this effect, but also to ensure that processes are in place for an uncomplicated implementation of the right of objection and of the other rights of the data subject.
With regard to the concepts of privacy by design and privacy by default which are established in the GDPR, i.e. concepts of data-protection-friendly technical default settings, care must be taken to ensure that the data subject can follow the whole sequence of data processing transparently. A data-protection declaration formulated to this effect may also form the right basis for this purpose.
Contract data processors
Pursuant to the stricter requirements of information and documentation, care must be taken above all to supply precise documentation in connection with contract data processors. Art. 14 of the GDPR regulates duties of information to this effect should the data not be collected by the controller himself but by a third party (e.g. credit-research agencies). The duties of information incumbent upon a business employing credit agencies etc. are therefore basically comparable with those of Article 13 of the GDPR, but to these is subjoined the duty to state the source from which the information comes. Article 13 notwithstanding, the information need not be supplied immediately; a maximum period of one month following the data processing is sufficient. To meet these duties of information, businesses must precisely document all instructions and all their work with contract data processors. This can also minimise the risk of fines for breaches of the transparency rule.
When involving contract data processors, along with duties of documentation, care must be taken to provide precise liability rules and liability agreements which delimit risk areas and comprise possible recourse measures. In this way it will be possible to minimise the commercial risk of breaches of the GDPR, since as a basic principle the business employing a contract data processor is liable in its external relations, but it would be unfair if the business had to bear the costs of such breaches alone. Businesses should therefore take care to ensure that they can proceed against contract data processors by way of their internal relations.
Data breaches and reporting duties
With regard to data breaches, a check must be made on internal corporate processes to ascertain whether emergency systems exist to tell staff how, for instance, cyber attacks are to be repelled, how the duties of reporting set out in Art. 33 and Art. 34 of the GDPR are to be implemented, and which of the company’s staff serve as personal contacts. According to a current study by the business association bitkom, only 4 out of 10 businesses are prepared with an emergency system for cyber attacks.
Right of data transferability
Among the rights enjoyed by data subjects, the right of data transferability under Art. 20 in particular is a completely new development in comparison with the previous legal situation. This provision addresses in particular the situation in which personal data have been entered into a social network and the data subject wishes to change provider. In this case the data subject can require from the initial provider that their data be transferred to the new provider in a current, machine-readable and electronic format. Thus businesses must create the technical conditions which allow this format and a corresponding transferability. The right of transferability is intended above all to make a change of provider easier, a process from which customers might shy away because of excessive obstacles in constructing new accounts etc. Along with the possibility, once the data have been supplied, of carrying out the transfer themselves, the data subject may also require an automatic transfer from the initial provider to the second one. The right of data transferability in this form is found for the first time in the GDPR and, along with social media, may apply e.g. in HR systems in case of a change of employer.
Privacy by design or default
Article 25 of the GDPR contains rules on privacy by design and privacy by default. Businesses should therefore check to see whether their data-processing operations meet these rules governing prior data-protection-friendly settings.
Special industry-specific characteristics
Along with these regulations, the GDPR contains some rules governing the processing of particular categories of personal data, such as health data. Businesses should therefore check, with reference to their specific sector or industry, whether their processing of such personal data meets the particular requirements of the GDPR in this respect.
In addition, businesses are strongly recommended, for various reasons, to train their staff in the new developments marked by the GDPR. Not only the timely implementation of reporting duties, but also the process of balancing interests or obtaining declarations of consent, may create risks involving fines in the individual case, which can be avoided by training courses. In particular, staff having direct customer contact and IT departments should be in the forefront here.
HR and works council
Not only customers’ personal data but staff data as well are affected by the changes under the GDPR. The works council and HR department should therefore likewise be informed of the changes under the GDPR. Thus, for example, the right of data transferability may in some circumstances be applicable to the data stored in the HR system when there is a change of employer.
Summary and recommended action for businesses
Businesses are recommended to note the further decisions of the courts and continued legislation at both German and European level, as well as the recommendations of the Article 29 Data Protection Working Party and similar commentaries. We too shall continue to keep you up to date in all matters of the GDPR.