Skip to main content

EU General Data Protection Regulation (EU-DSGVO)

General Data Protection Regulation (GDPR)

After long negotiations, European agreement was reached in December 2015 on an EU General Data Protection Regulation (EU GDPR). This leads to a far-reaching standardization of European data protection law. While there were previously considerable differences due to national legislation based on the EU Data Protection Directive, the General Data Protection Regulation will be applicable law in all member states. Minor differences are to be expected at most due to the possibility of so-called "opening clauses". Opening clauses offer national legislators the opportunity to enact their own national regulations.

Schedule

The EU General Data Protection Regulation (EU GDPR) was adopted by the EU Parliament on April 14, 2016. It was published in the Official Journal of the European Union on May 4, 2016 and came into force on May 25, 2016.

It is therefore applicable from May 25, 2018. Many companies are not yet prepared for the GDPR and its impact on business processes. Therefore, the independent data protection authorities have compiled some tips on how to create an action plan for companies.  

In addition, the Bavarian State Office for Data Protection Supervision (BayLDA) also provides guidance on which questions and tasks must be clarified by the company before May 25, 2018.

Areas of the new regulation

Many areas of data protection are not newly regulated by the GDPR. In particular, the concept of "personal data" in Article 4 remains broad:

"personal data [are] any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Furthermore, the processing of personal data is only permitted on the basis of a permissive circumstance. The permissive elements are listed in Article 6:

  • the data subject has given consent
  • the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures
  • processing is necessary for compliance with a legal obligation
  • the processing is necessary to protect vital interests
  • processing is necessary for the performance of a task carried out in the public interest
  • the processing is necessary for the purposes of the legitimate interests of the controller or a third party.

In the latter case, a balancing of interests against the interests of the data subject is required.

In summary:

The GDPR does not fundamentally change the concept and, to a large extent, the detailed provisions of the current data protection law. Rather, many of the provisions of the EC Data Protection Directive 95/46, which form the basis of the BDSG, are adopted. On the other hand, however, there are also numerous new requirements under data protection law, the fulfillment of which requires correct attention, if only in view of the immensely increased scope of fines.

Ziele und Grundsätze

The objectives of the EU GDPR are the protection of the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data (Art. 1(2) GDPR) and the free flow of personal data (Art. 1(3) GDPR).

The aforementioned objectives are to be achieved through the principles of personal data processing set forth in Art. 5 GDPR: Lawfulness, Fairness, Transparency, Purpose limitation, Data minimization, Accuracy, Storage limitation, Integrity and confidentiality and Accountability.
These are your rights

The EU General Data Protection Regulation brings some innovations to data protection law. These affect not only companies, but also individual citizens. At least when it comes to the rights of data subjects. With Chapter 3 of the current version of the General Data Protection Regulation, the legislator aims to fundamentally strengthen the rights of data subjects and even expands them in some areas. In particular, the new transparency and information obligations of companies lead to significantly stronger protection of data subjects than the currently applicable regulations of the Federal Data Protection Act.

The current version of the General Data Protection Regulation can be found on the website of the North Rhine-Westphalia State Commissioner for Data Protection.