The rules of the EU General Data Protection Regulation (EU GDPR), which have been binding since 25 May 2018, carry substantial financial risks for companies and their management, alongside some opportunities for the addressees. The risks stem from tighter rules intended to give the public authorities more power when enforcing the obligations. The range of fines increases from the previous maximum of EUR 300,000, which was rarely imposed, to EUR 20,000,000 or 4 % of worldwide company sales. The legislature also wants fines in the field of data protection law of the kind that were previously common only in antitrust law. As a result of this increase in the range of fines, substantially higher individual fines than before are expected. In addition to the fines imposed on companies, recourse claims against management and fines against the management itself are possible.
The legislature has not only increased the fines. The newly introduced principle of accountability substantially changes the position of companies. If a data subject complains about a company, or if the data protection authorities conduct a routine inspection, the company must prove, and above all document, that it has taken precautions to comply with the provisions of data protection law. Fines are threatened if this is not done. Management must therefore ensure that every area of activity in the company which handles data is completely covered and examined. These areas must then be included in the list of processing activities and documented with work procedures (e.g. for providing information, duties to erase, etc.) that secure compliance with the provisions of data protection law.
There are opportunities, for example, in the requirement that throughout Europe a single supervisory authority will have jurisdiction over each affected company. Legal certainty and certainty of action will increase and can be achieved much more effectively. Furthermore, the new legal situation is an involuntary but, in substance, welcome occasion to handle and organize data, and the protection and security of data, at a new level of quality. This effort is a sensible investment in one of the most important assets of the company, namely its data.
Companies are now required in the coming months to document and examine their entire data processing in the list of processing activities. Each company must set priorities in order to devote the necessary degree of attention specifically to the most important areas. This particularly requires an experienced eye for the processes in which violations of data protection rules typically occur.
To support your implementation, we have compiled the main new aspects and processes of the new EU General Data Protection Regulation in the attached documentation, which you can download there.
We have followed the legislative process underlying the EU GDPR at the level of industry associations and as a member of the BITKOM data protection working group. We are therefore already very familiar with the intense discussion with data protection authorities and parliamentarians about the regulatory content and, above all, its practical interpretation.
Our attorneys are pleased to provide support to you when implementing the new rules in your work processes.