Nexia Ebner Stolz

The EU's General Data Protection Regulation is coming - what will this mean for companies?

The time is approaching: the EU General Data Protection Regulation ("GDPR") will be immediately applicable throughout the EU as of May 15, 2018, with priority over national law. Germany has enacted a supplementary law for this purpose, which specifies the requirements of the GDPR and will replace the current Federal Data Protection Act (BDSG) as of May 15, 2018.

Until then, companies still have time to adapt to the new regulations. Data protection authorities may not impose sanctions until after that date.

Objectives and scope of the GDPR

The aim of the GDPR is to create a uniform level of data protection throughout the EU. Up to now, each member state had its own data protection regulations, which were only partly based on EU law. However, digitalization does not stop at national borders, so the varying requirements of national laws pose a problem for companies operating across borders. The GDPR aims to remedy this situation and, above all, to ensure uniform rules and conditions of competition for data processing. The GDPR applies not only to data-processing firms established in the EU, but also to data-processing firms from outside the EU that collect data on "affected persons" in the EU.

The GDPR regulates the protection of personal data. Personal data is all data that can be used to identify a natural person ("affected person"). The GDPR is aimed at public authorities and all natural and legal persons ("responsible parties" and "contract processors") who process personal data. Processing means, for example, the collection, organization, storage, modification, use, transmission and deletion of data; in short, any operation involving personal data. Every company holds a great deal of such data (the Regulation mentions employee and customer data, but supplier and business contact records often contain personal data as well).

New accountability for data-processing companies

The GDPR defines numerous specific obligations that companies must fulfil. These tasks and responsibilities partly correspond to the previous regulations of the German Federal Data Protection Act, but are to a large extent different or new.

Responsible parties, e.g. the companies, are now accountable for compliance with these data protection regulations, i.e. they must be able to prove compliance with them. They must set up and document their processes in such a way that they can demonstrate to the data protection authorities that their processing of personal data complies with data protection requirements.

Concrete need for action

The need for adaptation must be determined individually for each company. However, companies should address at least the following issues:

  • adapt or enter into contracts for order processing (with service providers),
  • customize or create a processing directory,
  • perform privacy impact assessments,
  • adapt or set up technical and organizational measures,
  • provide or adapt information for affected persons,
  • establish internal processes to fulfil the rights of the parties concerned,
  • appoint a data protection officer,
  • establish internal processes for reporting data protection breaches,
  • adapt or set up data protection management systems,
  • train employees.

The following procedure is recommended as a concrete action plan by May 2018:

  1. determine the need for protection of the personal data processed
  2. analyze and evaluate risks to personal data
  3. define and implement measures to protect personal data
  4. document the results.

Points 1 and 2 are based on the sensitivity and scope of the personal data on the one hand, and on the nature of the existing IT infrastructure on the other. Companies should determine the probability with which each kind of data may be threatened. Following on from this, in Point 3, measures to prevent damage to personal data should be defined and implemented. In Point 4, the measures taken should be documented so that GDPR conformity can be demonstrated to the supervisory authorities.

Significantly increased fines

A major change from the previous legal situation is that the scope for sanctions for breaches of data protection law is being extended enormously. The data protection authorities may or must impose "effective, proportionate and dissuasive" fines. The GDPR provides for a significantly increased fine of up to EUR 20 million or up to 4% of the total worldwide annual revenues of a company or group of companies.
Companies not only should but must align their data processing processes with the GDPR and the new BDSG. If they fail to do so, not only should they expect high fines from May 25, 2018 onwards, but there may also be a threat of damage to the company's image among the public, who are much more aware of this issue than in the past.