The global and independent platform for the SAP community.

GDPR: Curse or Blessing?

The General Data Protection Regulation (GDPR) is intended to standardize the processing of personal data by private companies and public bodies. But what is there to consider?
Peter Jordan, LKC
April 5, 2017
GDPR: Curse or Blessing?
avatar
This text has been automatically translated from German to English.

The primary aim of the General Data Protection Regulation is to standardize the confusing data protection laws of the individual member states.

Another goal should be data protection in Europe due to the growing challenges posed by cloud computing, Big Data, social media and search engines.

In this context, the protection of the individual's fundamental rights is to be at the forefront of modernization.

The scope of application of the GDPR

Companies must appoint a data protection officer if their activities require extensive, systematic and regular monitoring of data subjects.

Processing of, for example, particularly sensitive data (such as health data) pursuant to Article 9 (1) of the GDPR or data on criminal convictions or criminal offenses pursuant to Article 10 (1) of the GDPR also requires a data protection officer.

For companies in Germany, this means that there will probably be no change to the existing conditions under which a data protection officer must be appointed. What is important, however, is the new duty of the data protection officer to monitor compliance with the GDPR.

This also creates a noticeably higher liability risk for companies. So much for the principles of the GDPR - but why does the new set of regulations score so poorly in the reviews?

Opening clauses dilute the goal of standardization

In addition to guidelines for companies and public authorities, the 99 articles of the European GDPR also contain so-called opening clauses. These allow member states to retain existing data protection rules or to enact new ones.

Peter Jordan Management 1704As a result, there may again be very different regulations in all European member states despite the uniform basic regulation. Thus, the European Union is far from a uniform, Europe-wide legal practice, because the GDPR contains more than 70 of these opening clauses - which, however, are only permitted for some topics.

Another major point of criticism is that the new regulation provides only very abstract answers in many cases. This includes, among other things, what is to be understood by the term "resilience" as a protection objective in Art. 32 (1) b) and how "resilience" is to be defined.

How should business, public authorities and the courts behave specifically in data protection matters?

While numerous directives are very precisely defined and formulated, others are only roughly outlined. Thus, in a few cases, there is still a risk that the patchwork quilt in the area of data protection will continue to exist in Europe.

Big Data, Cloud and Co. Not a chance!

But what annoys the experts most is that the new European regulations do not explicitly address the real challenges and risks in information technology.

Big Data - that is, the flood of data and its mastery - search engines, cloud computing and other modern technology applications are not specifically mentioned in the 99 articles.

As in the Federal Data Protection Act (BDSG), the regulations in the GDPR must also be read from individual articles.

What regulations apply?

It is important for employers that Section 32 of the Federal Data Protection Act is likely to continue. This states that personal data of an employee may be collected, processed or used for the purposes of the employment relationship.

The reason for the possible continued existence of the regulation is Article 88(1) of the GDPR. This contains an opening clause described above. Thus, more specific regulations on data protection in the employment context can be created by the national legislator itself.

Furthermore, the possibility of processing personal data on the basis of a collective agreement will also remain. These are then the company agreements and collective agreements.

The good way in HR practice of using the works agreement as an authorization for data processing will therefore be able to continue.

However, the situation may also arise where company agreements have to be redrafted in order to comply with the requirements of the GDPR.

Conclusion

A major step forward that does not quite achieve the goals it has set itself. The GDPR is still a long way from uniformity throughout Europe, but it does indicate the direction in which things should go in the future.

Some abstract formulations in the GDPR do not allow a one hundred percent secure application of the law, but close legal gaps from the past.

509584528, Billion Photos The lack of explicitly mentioned technical innovations in the GDPR is unfortunately a shortcoming that should have been avoided. Overall, the GDPR is a step in the right direction, but only the beginning on a long road.

avatar
Peter Jordan, LKC

Peter Jordan is a partner at LKC.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.