
GDPR – Rights and obligations – What’s in store for you – Part 2


A guest article on the GDPR by:

Dr Oliver Hornung, Attorney at Law for IT & Digital Business and Partner of SKW Schwarz Rechtsanwälte

The following topics are covered in this series of contributions:

  • Objectives and principles.
  • Rights of data subjects.
  • Obligations for companies.
  • International data transfers.
  • Technical and organisational data protection.
  • Commissioned processing.
  • Obligation to appoint a company data protection officer.
  • New European data protection law also applies to website operators.
  • Supervisory Authorities.
  • Fines and Sanctions.
  • Employee data protection.
  • What do companies have to do?

Rights of data subjects

The GDPR brings with it a number of innovations for data protection law. These affect not only companies but also the individual data subject. The GDPR fundamentally strengthens the rights of data subjects and, in some areas, also expands them compared to the current legal situation under the BDSG. Above all, the new transparency and information obligations imposed on companies lead to significantly stronger protection of the data subject than under the currently applicable provisions of the BDSG. In detail, the rights affected include:

  • Information obligations;
  • Access, rectification and restriction of processing;
  • Transparency;
  • Right to be “forgotten”;
  • Right to data portability;
  • Right to object;
  • Automated individual decision-making.

Obligations for companies

In addition to the obligations familiar from the BDSG, the GDPR also establishes new requirements for companies with regard to data protection compliance:

Shared responsibility

What is new is the explicit provision according to which several entities may be jointly responsible for the processing of personal data. In these cases, the GDPR requires the joint controllers to determine which entity is responsible for which tasks. Regardless of this division of tasks, data subjects have the right to contact any of the controllers.

Register of processing activities

In addition to the controller, the processor must in future also keep a register of processing activities. The content of the register essentially corresponds to the BDSG requirements for the register of procedures; under the GDPR, however, the register no longer has to be made available to every enquirer, but only to the supervisory authority upon request. The obligation to maintain such a register applies only to companies or institutions with 250 or more employees, provided that the processing does not give rise to risks to the rights and freedoms of data subjects. By contrast, the obligation always applies to the processing of sensitive data.

Data protection impact assessment

Similar to the so-called prior checking by the company data protection officer regulated in the BDSG, the GDPR obliges controllers to conduct a data protection impact assessment if a processing operation is likely to result in a high risk to the personal rights and freedoms of data subjects.

If a data protection impact assessment reveals a high risk and the controller does not take measures to mitigate the risk, the competent supervisory authority must be consulted.

Appointment of representatives by bodies outside the EU

Where a controller or processor does not itself have an establishment in the European Union, it is required to appoint a representative within the European Union to act as a contact point for data subjects and supervisory authorities.

Data security

As a central principle of data protection, the guarantee of data security has now also been enshrined in law. Taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the data processing, as well as the varying likelihood and severity of the risk to the personal rights and freedoms of data subjects, controllers and processors must implement appropriate technical and organisational measures.

Among other things, the GDPR names pseudonymisation and encryption, as well as the ability to ensure the confidentiality, integrity, availability and resilience of processing systems, as examples of such measures.

Rules of conduct and certifications

For the first time, the GDPR establishes comprehensive regulations for the introduction of codes of conduct and certifications. Accordingly, associations and federations can draw up specific rules of conduct for data processing by their members and have these approved by the supervisory authorities (so-called codes of conduct). The aim of these regulations is to create simple, industry-standard data protection specifications, especially for small and medium-sized enterprises.

The GDPR also regulates the requirements for certifications in principle for the first time. Certifications can be awarded by independent certification bodies, which must, however, be accredited by the supervisory authorities.

Part 1 of the series of articles – Objectives and principles

Hint: This text has been translated by an AI (German > English). Slight errors may occur.