Nexia Ebner Stolz

Legal Advice

The EU's General Data Protection Regulation is coming - what will this mean for companies?

The time is approaching: the EU General Data Protection Regulation ("GDPR") will apply directly throughout the EU as of May 25, 2018, taking precedence over national law. Germany has enacted a supplementary law for this purpose, which fleshes out the requirements of the GDPR and will replace the current Federal Data Protection Act (BDSG) on the same date, May 25, 2018.

Until then, companies still have time to adapt to the new rules. Data protection authorities may not impose sanctions under the GDPR until after that date.


Objectives and scope of the GDPR

The aim of the GDPR is to create a uniform level of data protection throughout the EU. Up to now, each member state has had its own data protection rules, only partly based on EU law. However, digitalization does not stop at national borders, so the varying requirements of national laws pose a problem for companies operating across borders. The GDPR aims to remedy this situation and, above all, to ensure uniform rules and competitive conditions for data processing. The GDPR applies not only to data-processing firms established in the EU, but also to firms outside the EU that process data on "data subjects" in the EU, in particular where they offer goods or services to those persons or monitor their behaviour.

The GDPR regulates the protection of personal data. Personal data is any information relating to an identified or identifiable natural person (the "data subject"). The GDPR is aimed at public authorities and all natural and legal persons ("controllers" and "processors") who process personal data. Processing means, for example, the collection, recording, organization, storage, modification, use, transmission and deletion of data; in short, any operation involving personal data. Every company holds a great deal of such data (the Regulation mentions employee and customer data, but supplier and business-contact records often contain personal data as well).

New accountability for data-processing companies

The GDPR defines numerous specific obligations that companies must fulfil. These tasks and responsibilities partly correspond to the previous rules of the German Federal Data Protection Act, but are to a large extent different or new.

Controllers, e.g. the companies themselves, are now accountable for compliance with these data protection rules, i.e. they must be able to prove compliance. They must set up and document their processes in such a way that they can demonstrate to the data protection authorities that their processing of personal data complies with data protection requirements.

Concrete need for action

The need for adaptation must be determined individually for each company. However, companies should address at least the following issues:

  • adapt or enter into contracts for processing on behalf of the controller (with service providers acting as processors),
  • update or create a record of processing activities,
  • perform data protection impact assessments,
  • adapt or set up technical and organizational measures,
  • provide or adapt information for data subjects,
  • establish internal processes to fulfil data subjects' rights,
  • appoint a data protection officer (where required),
  • establish internal processes for detecting and notifying personal data breaches (to the supervisory authority within 72 hours of becoming aware, where required),
  • adapt or set up a data protection management system,
  • train employees.

The following procedure is recommended as a concrete action plan by May 2018:

  1. determine the protection needs of the personal data processed
  2. analyze and evaluate the risks to that personal data
  3. define and implement measures to protect the personal data
  4. document the results.

Points 1 and 2 depend on the sensitivity and scope of the personal data on the one hand, and on the nature of the existing IT infrastructure on the other. For each category of data, companies should determine how likely it is to be threatened and how severe the consequences for the data subjects would be. Following on from this, in Point 3, measures to prevent harm to personal data should be defined and implemented. In Point 4, the measures taken should be documented so that GDPR conformity can be demonstrated to the supervisory authorities.

Significantly increased fines

A major change from the previous legal situation is that the scope for sanctions for breaches of data protection law is being extended enormously. The data protection authorities must impose fines that are "effective, proportionate and dissuasive". The GDPR provides for fines of up to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year of a company or group of companies, whichever is higher.

Companies not only should but must align their data processing with the GDPR and the new BDSG. If they fail to do so, they must expect not only high fines from May 25, 2018 onwards, but also damage to the company's reputation among a public that is much more aware of this issue than in the past.
