From 25 May 2018 the General Data Protection Regulation (“GDPR”) applies directly in all EU member states and supersedes the national data protection acts that implemented the earlier Data Protection Directive.
The GDPR brings significant challenges for companies of all sizes. It imposes tighter requirements on the processing of personal data, and any infringement of the statutory requirements can be subject to administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
To avoid such sanctions, the following measures are – among others – urgently needed:
- The Controller must document its processing activities in a record of processing in order to comply with its accountability obligation.
- The requirements for data processing contracts with processors change under the GDPR, so existing contracts need to be revised. The same applies to employment agreements insofar as they govern the processing of employee data.
- The Controller is obliged to carry out an assessment of the impact of the envisaged processing operations (“data protection impact assessment”) where the processing is likely to result in a high risk to the rights and freedoms of natural persons. Does this apply to you? It may in particular where new technologies are used for a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, or where special categories of data such as health data are processed on a large scale.
- Every company is legally obliged not only to comply with the requirements of the GDPR but also to be able to demonstrate that compliance.
- Transfers of personal data to a recipient based outside the EU remain possible (e.g. intra-group transfers or the use of cloud solutions), but only if additional legal preconditions are met, such as an adequacy decision or appropriate safeguards.