Germany: Update on Data Protection Laws
Since 25 May 2018, the GDPR (General Data Protection Regulation) applies in Germany and all other EU member states. It was adapted shortly thereafter for Norway, Iceland and Liechtenstein. Before the GDPR came into force, legal commentators often considered the changes and new obligations for companies as far too wide-ranging. Two years later, however, it has become clear that the GDPR (DSGVO in German) has not had the catastrophic effects that some anticipated. The first practical experiences with the new regulations show that the awareness of the importance of data protection has increased significantly, both among those who process data and those whose data are being processed.
Status of implementation
Despite a preparation period of two years – the GDPR was initially approved in 2016 – the degree of implementation of the GDPR within German companies differed to a great extent. Some companies were very well prepared, others were still at the beginning of the adjustment process. Companies that only dealt with the implementation at a later point in time, often first adapted everything that was apparent to the outside world: the information letters according to Sec. 13 and 14 GDPR, data protection declarations on homepages; reports from data protection officers. The record of processing activities (Sec. 30 GDPR) has often been drawn up later on or is even still pending.
Obstacle or opportunity?
Many still see European data protection rules more as an obstacle than an opportunity. Due to the high effort that data protection compliance requires, this view might be true at first glance. However, the increased awareness of the importance of data protection is more often leading to data protection being a marketing argument for web based services. In this respect, data protection also presents opportunities.
Fines
One of the main changes through the GDPR was the increase in fines. Fines can amount to up to EUR 20,000,000.00 or even up to 4% of worldwide revenue. These numbers have raised many fears. In fact, fines of up to EUR 100,000,000.00 were previously imposed under the GDPR. However, such fines are not the rule. However, the number of fine-related proceedings has increased and this is likely to continue. So far, there are no harmonised fines for the whole of Europe. The German supervisory authorities have agreed on a standard procedure for determining fines in order to ensure the uniform application of the law in Germany. Nevertheless, a European solution would be desirable.
Damages for pain and suffering
The GDPR also provides for a right to compensation against the responsible person, in terms of data protection, for any person who has suffered damage as a result of a violation of the GDPR (Sec. 82 GDPR). This applies to both material and immaterial damages (damages for pain and suffering). These claims have existed before, but compensation based on the violation of data protection regulations has only rarely been awarded. The concern that any violation of data protection regulations could now be used to claim compensation under the GDPR has not proved true in practice. The first court rulings show that courts consider a certain degree of significance of the violation as a prerequisite for a compensation claim.
Notification obligations
In the event of a data leakage, e. g. if personal data is transferred to third parties, unintentionally, the GDPR provides for the obligation to notify the supervisory authority and the persons affected. The number of these notifications has increased considerably. It is important that companies not only take measures to prevent data leakages, but are also familiar with the procedure to be followed in the event of such leakage. The deadline to report to the supervisory authority is extremely short (max. 72 hours). Employers must raise awareness amongst their employees for the need to identify and report data leakages immediately. Furthermore, responsibilities should be clearly defined in order to take action within the deadline and report the incident, if necessary.
Works agreements
The adaption of works agreements to the new legal situation has still not been completed in many companies. Following the introduction of the GDPR, many employers have only concluded general works agreements as a first step, aimed at setting the framework for all IT works agreements. Adapting the often high number of IT works agreements is then the second step. Depending on the number of existing IT related works agreements in the company, and on the complexity of the IT infrastructure and processes, negotiations with the works council in order to adapt all works agreements often take years.
Right to information
The GDPR gives every person a comprehensive right to information towards the responsible person in terms of data protection. Upon request, the responsible person must provide information on all data recorded relating to a person within one month. This right is being used more and more frequently. A request for information often causes difficulties even for well-prepared companies. As such, requests can usually not be processed automatically, so it is important for companies to be prepared for those enquiries.
Prospects
The GDPR has proven to work in practice. The European Commission had to report to the Parliament on the evaluation and review of the GDPR recently. It remains to be seen whether the GDPR will be amended. There will probably be no fundamental changes in the near future, however, some adjustments to regulations that have shown not to work well in practice, would be feasible. Nevertheless, data protection compliance is becoming increasingly essential, not only because of the potentially high fines for violations, but also because of the complex nature of the GDPR. Good data protection compliance has become worthwhile, as fines, claims of compensation and loss of reputation weigh heavily.
Finally, we would like to share a recent statement from the German State Data Protection Commissioner of North Rhine-Westphalia, to illustrate the practical impact of the GDPR in everyday business. The Commissioner pointed out that requesting employees to report sick via WhatsApp (or a different messenger service), as many employers do, is not compliant with data protection law. It is generally not recommended to use WhatsApp for business communications, as the generated data does not have a sufficient level of protection. In particular, sickness reports are health sensitive data, which should only be transmitted via secure communication channels that exclude access by third parties. Accordingly, employers who use WhatsApp to transmit employee data run a high risk of violating data protection laws.