GDPR – Objectives and principles – What’s in store for you – Part 1

A guest article on the GDPR by:

Dr Oliver Hornung, Attorney at Law for IT & Digital Business
and Partner of SKW Schwarz Rechtsanwälte

The following topics are covered in this series of articles:

  1. Objectives and principles.
  2. Rights of data subjects.
  3. Obligations for companies.
  4. International data transfers abroad.
  5. Technical and organisational data protection.
  6. Commissioned processing.
  7. Obligation to appoint a company data protection officer.
  8. New European data protection law also applies to website operators.
  9. Supervisory Authorities.
  10. Fines and Sanctions.
  11. Employee data protection.
  12. What do companies have to do?

Goals and Principles of the European Data Protection Regulation (GDPR)

The objectives of the GDPR are to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and to ensure the free flow of personal data. These objectives are to be achieved through the principles for processing personal data laid down in Article 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

It is true that many principles known in Germany are retained and further developed. However, the exact implementation in the GDPR often differs from the current situation under the BDSG. The GDPR also contains significant new elements and regulatory content.

For example, the GDPR applies to all controllers and processors in the European Union. However, it also applies when data processors outside the European Union offer services or observe behaviour. With the so-called marketplace principle, the GDPR thus has an almost worldwide scope of application.

The GDPR does not provide a precise answer to the still controversial question of when exactly personal data is protected. The previous uncertainties in the details are therefore not resolved with certainty. What is new is a so-called joint responsibility for personal data by several bodies. Also new is the concept of “profiling” to analyse or predict personal aspects. For the handling of personal data, the prohibition principle remains: the handling of personal data is prohibited, except to the extent that it is lawful under the GDPR. The main grounds for lawfulness are: the consent of the data subject, the performance of a contract or pre-contractual measures, compliance with legal obligations, and the exercise of legitimate interests insofar as the interests of the data subject do not prevail.

Consent requires a strongly informed, voluntary and unambiguous expression of will on the part of the data subject. A specific form is not prescribed, unlike currently under the BDSG. Consent can be freely revoked at any time with effect for the future. A data controller must be able to prove the existence of consent. The processing of special categories of personal data (such as data on ethnic origin, religion, health, biometric characteristics or sex life) is only permitted under special conditions.

Note: This text has been translated by an AI (German > English). Slight errors may occur.