
    EU Data Protection Regulation: Where do businesses need to take action now?

    By Jan Tibor Lelley and Tobias Grambow, 1 July 2016 (updated 9 July 2024)

    After a protracted negotiation and drafting phase, the EU General Data Protection Regulation (GDPR) was adopted by the European Parliament on 04/14/2016 and entered into force on 05/24/2016. For the first time in 20 years, data protection law has been put on a new footing, and one that is largely uniform across the European Union.


    The Regulation will apply from 05/25/2018 and replaces the EU Data Protection Directive (95/46/EC), which has been in force since 1995.

    What are the major changes?

    · Harmonization

    The Regulation aims to provide a unified data protection regime in the European Union, since it will be directly applied in all 28 EU Member States. Implementation by national legislation is not necessary. But there won’t be complete harmonization. The GDPR contains opportunities for national, special, and exceptional regulations at more than 50 points within its over 99 articles. Data protection will therefore remain a hodgepodge, albeit one based on unified core values.

    · Scope of application

    The Regulation also applies to companies established outside the EU, insofar as they offer goods or services to EU citizens or monitor their behavior.

    · Sanctions

    Companies that violate the Regulation face considerable penalties. Fines can amount to four percent of the company's global turnover or € 20 million.

    · Consent

    Where the processing of personal data is based on the consent of the person affected, that consent must be a clear affirmative action, given unambiguously, without constraint, for the specific case and in knowledge of the facts, and it must be revocable at any time with effect for the future.

    · Data Protection Officer

    Companies are required to appoint a Data Protection Officer insofar as their core activity, by its purpose or scope, requires extensive, regular, and systematic monitoring of data subjects, or extensive processing of particularly sensitive data (such as racial or ethnic origin, health data, etc.) under Art. 9, or of data on criminal convictions or offenses under Art. 10 of the GDPR. The conditions under which a Data Protection Officer must be appointed in the Federal Republic of Germany are likely to remain unchanged: Art. 37 Para. (4) of the GDPR contains a corresponding opening clause for special arrangements by the Member States. It should be noted that in the future the duties of the Data Protection Officer include monitoring compliance with the GDPR, so a significantly higher liability risk is to be expected for the Data Protection Officer.

    · One-stop shop

    In the future, EU citizens and companies will need to contact only one Data Protection Authority throughout the EU. Where a matter has cross-border aspects, that authority is obliged to coordinate with the Data Protection Authorities of the other countries concerned.

    · Notification requirement

    The company responsible for processing the data must report any data breach to the competent authority within 72 hours of becoming aware of it.

    · Privacy by design / privacy by default

    Companies must design their products and services to process as little personal data as possible and must provide privacy-friendly default settings.

    · Data protection impact assessment

    A data protection impact assessment is a detailed audit and risk assessment of processing operations that are likely to pose a high risk to the rights and freedoms of the data subjects or persons affected. If the assessment confirms a high risk, the person responsible must take appropriate protective measures or consult the supervisory authority.

    · Security obligation and burden of proof

    The person responsible for data processing must implement appropriate technical and organizational measures that both ensure and demonstrate that processing is carried out in accordance with the GDPR. The supervisory authority may inspect the security of the data processing. As a rule, this will require establishing a data protection management system.

    What is now important for employers?

    Art. 88 Para. 1 GDPR contains an opening clause under which more specific rules on data protection in the employment context can be enacted by national legislatures. In the Federal Republic of Germany, § 32 BDSG (modified if necessary) is likely to remain in force for now; a new attempt at a detailed codification of employment data protection seems unlikely in the near future. National rules on employee data protection must nevertheless comply with the principles of the GDPR, which in Germany can be considered a given thanks to numerous Higher Court decisions.

    Furthermore, personal data may be processed on the basis of a collective agreement; in Germany, this means company agreements and collective bargaining agreements in particular. The most important route for personnel management, using company agreements as a legal basis for data processing within the company, therefore remains open.

    The GDPR also clarifies that consent is possible in the employment relationship as well. It is always a prerequisite, however, that the conclusion of an employment contract, its amendment, or the promise of a benefit by the employer is not made conditional on consent to data processing that is not required for that purpose.

    To serve as an effective legal basis for data processing, company agreements must meet certain requirements and should accordingly be redrafted or tailored to the GDPR. In particular, they must regulate appropriate and specific measures to safeguard the human dignity, legitimate interests, and fundamental rights of the person concerned, especially with regard to the transparency of processing, the transfer of personal data within the corporate group, and monitoring systems in the workplace.

    Even though the date from which the GDPR applies may seem far away, companies should address the changes in legislation promptly. The substantial tightening of sanctions and the resulting increase in risk should be taken as an opportunity to analyze the company's data protection systems and to develop a suitable data protection management system for ensuring and demonstrating compliance with the GDPR. This is the only way to meet the stricter requirements of the new Regulation and avoid fines that could threaten the company's existence.

    From a labor law point of view, employment contracts and company agreements should be checked against and adapted to the EU General Data Protection Regulation.

    By Jan Tibor Lelley and Tobias Grambow
