EU General Data Protection Regulation (EU-DSGVO): The countdown is on…
On 25 May 2018, the transition period of the EU General Data Protection Regulation (EU-DSGVO), which is already in force, ends. From that date this EU-wide uniform legal norm applies directly and replaces the previous national Federal Data Protection Act (BDSG).
At the same time, a new Federal Data Protection Act (BDSG-neu) comes into force, which supplements the EU-DSGVO; where the two overlap, the EU-DSGVO takes precedence. Do not fail to adapt your data processing operations and the corresponding documentation, contracts and agreements (in particular declarations of consent for data processing and use, and contracts for processing on behalf of a controller) to the new data protection law in order to meet its more stringent requirements.
Essential requirements of the EU-DSGVO and the BDSG-neu include, for example:
- Providing evidence of the data subjects’ consent to the processing of their data
- Data transparency for natural persons through a right of access, exercisable free of charge
- The right to be forgotten (erasure) and the right to data portability
- Extensive documentation obligations
- Liability and the right to compensation
- Notification obligations in the event of personal data breaches
- Obligation to appoint a data protection officer if, as a rule, more than nine persons are constantly engaged in the automated processing of personal data
Are you unsure whether you process personal data at all and therefore fall within the scope of application? The provisions of the EU-DSGVO already apply, for example, if you employ a single employee. The same applies if you offer goods or services to persons in Germany, regardless of where your company is based. This means that from 25 May 2018 you must be able to demonstrate that your company complies with data protection law.
If you have not yet adapted your data protection concepts, e.g. with regard to protection against cybercrime, or if you have no data protection concepts at all, time is short.
Please take this topic seriously! Infringements can now be punished with fines of up to EUR 20 million or 4 % of total worldwide annual turnover, whichever is higher.
Documentation, verification and deletion obligations are becoming even more specific. In principle, every controller, i.e. the legal representative, must create and maintain a record of processing activities, or have one compiled and maintained, and keep it constantly up to date. It is unlikely that you or your company will fall under the narrowly defined exemption from keeping such a record.
Special caution is also required when handling employee data! Health data in particular are personal data that deserve special protection. For example, have you clearly structured your procedure for handling certificates of incapacity for work (sick notes) and documented it as a procedure?