Skip to content. | Skip to navigation

Personal tools
You are here: Home topics Internet EU Data Protection Regulation: Where do businesses need to take action now?

EU Data Protection Regulation: Where do businesses need to take action now?

01 July 2016
by Jan Tibor Lelley and Tobias Grambow -- last modified 01 July 2016

After a protracted negotiation and design phase, the EU General Data Protection Regulation (GDPR) was adopted by the European Parliament on 04/14/2016 and entered into force on 05/24/2016. After 20 years, data protection law is at a whole new level and particularly uniform for the European Union.


This regulation will be in application as of 05/25/2018 and replace the EU Data Protection Directive (95/46/EC) which has been in force since 1995.

What are the major changes?

· Harmonization

The Regulation aims to provide a unified data protection regime in the European Union, since it will be directly applied in all 28 EU Member States. Implementation by national legislation is not necessary. But there won't be complete harmonization. The GDPR contains opportunities for national, special, and exceptional regulations at more than 50 points within its over 99 articles. Data protection will therefore remain a hodgepodge, albeit one based on unified core values.

· Scope of application

The Regulation also applies to companies based outside the EU, insofar as such companies which are not seated in EU countries offer goods or services to EU citizens or monitor their behavior.

· Sanctions

In cases of violations of the Regulation, companies will face considerable penalties. The fines can amount to four percent of the global corporate turnover or € 20 million.

· Consent

With regard to actions that have the consent of the person affected in the processing of personal data, it must be a clearly acknowledged action which was assented to unambiguously, without constraint for the specific case and in knowledge of the facts and which must be revocable at any time with effect for the future.

· Data Protection Officer

Companies are required to appoint a Data Protection Officer, so far as their core activity requires extensive, regular, and systematic monitoring of persons concerned or extensive processing of particularly sensitive data (such as racial or ethnic origin, health data, etc.) due to their business purpose or its scope according to Art. 9, or data on criminal convictions or offenses according to Art. 10 of the GDPR. There will likely be no changes to the previous legal conditions in the Federal Republic of Germany under which a Data Protection Officer must be appointed. Art. 37 Para. (4) of the GDPR contains a corresponding clause for special arrangements by the Member States. It should be noted that in the future, the duty of the Data Protection Officer includes monitoring of compliance with the GDPR so that a significantly higher risk of liability is to be expected for the Data Protection Officer.

· One-stop shop

In the future, EU citizens and companies will need to contact only one Data Protection Authority throughout the EU. This office is obligated to achieve harmonization with the Data Protection Authorities of other countries in the case of transnational aspects of data protection.

· Registration requirement

The company responsible for processing the data must report any data breaches to the competent authority within 72 hours of becoming aware of the privacy violation.

· Privacy by design / privacy by default

Companies need to design their product offers as data-efficiently as possible and offer privacy-friendly default settings.

· Data protection impact assessment

The data protection impact assessment consists of a detailed audit and risk assessment of data processing operations that involve a high potential risk to the rights and freedoms of the data subjects or persons affected. If such a data protection impact assessment shows an actually high risk, the person responsible must take appropriate protective measures or consult the supervisory authority.

· Security obligation and burden of proof

The person responsible for data processing must take and implement appropriate technical and organizational measures to ensure and to prove that the data processing is carried out in accordance with the GDPR. The supervisory authority may inspect the security of the data processing. The establishment of a data protection management system will be required as a rule.

What is now important for employers?

Art. 88 Para. 1 GDPR contains a clause according to which more specific regulations on data protection in the employment context can be created by the national legislature itself. It is likely that § 32 BDSG (modified if necessary) will remain in force for now in the Federal Republic of Germany. A new attempt for detailed codified employment data protection seems unlikely in the near future. But with regard to employee data protection, national rules must comply with the principles of the GDPR, which can be considered a given in Germany due to numerous Higher Court decisions.

Furthermore, there is the possibility to process personal data on the basis of a collective agreement. In Germany, these are company agreements and collective agreements in particular. The most important way for personnel management to use company agreements as a permission event for data processing in companies is therefore kept open.

The GDPR also clarifies that consent is possible in the employment relationship as well. But it is always a prerequisite that the conclusion of an employment contract, its amendment or the promise of an employer's service is not made subject to a consent for data processing which is not required for this purpose.

To be an effective legal basis for data processing, company agreements must, however, meet certain requirements, and are accordingly being redesigned or tailored to the requirements of GDPR. This means that appropriate and specific measures to safeguard the human dignity, legitimate interests, and fundamental rights of the person concerned, especially with regard to the transparency of the processing and transfer of personal data within the corporation and the monitoring systems in the workplace, must be regulated.

Even if the time until the GDPR will actually be applied seems far away, companies should deal quickly with the changes in legislation. The substantial tightening of sanctions and resulting increased risk must be taken as an opportunity by companies to analyze the company's data protection systems and develop a suitable data protection management system for ensuring and demonstrating compliance with the GDPR. This is the only way to avoid more stringent requirements of the new regulation bill and existence-threatening fines.

From a labor law point of view, employment contracts and company agreements should be checked against and adapted to the EU General Data Protection Regulation.

By Jan Tibor Lelley and Tobias Grambow

Sponsor a Guide

EUbusiness Guides offer background information and web links about key EU business issues.

Promote your services by providing your own practical information and help to EUbusiness members, with your brand and contact details.

To sponsor a Guide phone us on +44 (0)20 7193 7242 or email sales.

EU Guides