GDPR: Curse or Blessing?
The primary aim of the General Data Protection Regulation is to standardize the confusing data protection laws of the individual member states.
Another goal is to modernize data protection in Europe in response to the growing challenges posed by cloud computing, Big Data, social media and search engines.
In this context, the protection of the individual's fundamental rights is to be at the forefront of modernization.
The scope of application of the GDPR
Companies must appoint a data protection officer if their activities require extensive, systematic and regular monitoring of data subjects.
The processing of particularly sensitive data (for example, health data) pursuant to Article 9 (1) of the GDPR, or of data on criminal convictions or criminal offenses pursuant to Article 10 (1) of the GDPR, also requires a data protection officer.
For companies in Germany, this means that there will probably be no change to the existing conditions under which a data protection officer must be appointed. What is important, however, is the new duty of the data protection officer to monitor compliance with the GDPR.
This also creates a noticeably higher liability risk for companies. So much for the principles of the GDPR - but why does the new set of regulations score so poorly in the reviews?
Opening clauses dilute the goal of standardization
In addition to guidelines for companies and public authorities, the 99 articles of the European GDPR also contain so-called opening clauses. These allow member states to retain existing data protection rules or to enact new ones.
As a result, there may again be very different regulations in all European member states despite the uniform basic regulation. Thus, the European Union is far from a uniform, Europe-wide legal practice, because the GDPR contains more than 70 of these opening clauses - which, however, are only permitted for some topics.
Another major point of criticism is that the new regulation provides only very abstract answers in many cases. One example, among others, is what is meant by the term "resilience" as a protection objective in Art. 32 (1) b) and how it is to be defined.
How should business, public authorities and the courts behave specifically in data protection matters?
While numerous directives are very precisely defined and formulated, others are only roughly outlined. Thus, in a few cases, there is still a risk that the patchwork quilt in the area of data protection will continue to exist in Europe.
Big Data, Cloud and Co. Not a chance!
But what annoys the experts most is that the new European regulations do not explicitly address the real challenges and risks in information technology.
Big Data - that is, the flood of data and its mastery - search engines, cloud computing and other modern technology applications are not specifically mentioned in the 99 articles.
As in the Federal Data Protection Act (BDSG), the applicable rules in the GDPR must be inferred from individual articles.
What regulations apply?
It is important for employers that Section 32 of the Federal Data Protection Act is likely to remain in force. This states that personal data of an employee may be collected, processed or used for the purposes of the employment relationship.
The reason for the possible continued existence of the regulation is Article 88(1) of the GDPR. This contains one of the opening clauses described above. Thus, more specific regulations on data protection in the employment context can be created by the national legislator itself.
Furthermore, the possibility of processing personal data on the basis of a collective agreement will also remain. This covers both company agreements and collective agreements.
The good HR practice of using the works agreement as an authorization for data processing can therefore continue.
However, the situation may also arise where company agreements have to be redrafted in order to comply with the requirements of the GDPR.
Conclusion
A major step forward that does not quite achieve the goals it has set itself. The GDPR is still a long way from uniformity throughout Europe, but it does indicate the direction in which things should go in the future.
Some abstract formulations in the GDPR do not allow the law to be applied with one hundred percent certainty, but they do close legal gaps from the past.
The lack of explicitly mentioned technical innovations in the GDPR is unfortunately a shortcoming that should have been avoided. Overall, the GDPR is a step in the right direction, but only the beginning on a long road.