
GDPR: Curse or Blessing?

The General Data Protection Regulation (GDPR) is intended to standardize the processing of personal data by private companies and public bodies. But what is there to consider?
Peter Jordan, LKC
April 5, 2017
This text has been automatically translated from German to English.

The primary aim of the General Data Protection Regulation is to standardize the confusing data protection laws of the individual member states.

Another goal is to modernize data protection in Europe in view of the growing challenges posed by cloud computing, Big Data, social media and search engines.

In this context, the protection of the individual's fundamental rights is to be at the forefront of modernization.

The scope of application of the GDPR

Companies must appoint a data protection officer if their activities require extensive, systematic and regular monitoring of data subjects.

Processing of, for example, particularly sensitive data (such as health data) pursuant to Article 9 (1) of the GDPR or data on criminal convictions or criminal offenses pursuant to Article 10 (1) of the GDPR also requires a data protection officer.

For companies in Germany, this means that there will probably be no change to the existing conditions under which a data protection officer must be appointed. What is important, however, is the new duty of the data protection officer to monitor compliance with the GDPR.

This also creates a noticeably higher liability risk for companies. So much for the principles of the GDPR - but why does the new set of regulations score so poorly in the reviews?

Opening clauses dilute the goal of standardization

In addition to guidelines for companies and public authorities, the 99 articles of the European GDPR also contain so-called opening clauses. These allow member states to retain existing data protection rules or to enact new ones.

As a result, regulations may again differ widely between the European member states despite the uniform basic regulation. The European Union is thus far from a uniform, Europe-wide legal practice, because the GDPR contains more than 70 of these opening clauses, which, however, are only permitted for some topics.

Another major point of criticism is that the new regulation provides only very abstract answers in many cases. This includes, among other things, what is to be understood by the term "resilience" as a protection objective in Art. 32 (1) b) and how "resilience" is to be defined.

How should business, public authorities and the courts behave specifically in data protection matters?

While numerous directives are very precisely defined and formulated, others are only roughly outlined. Thus, in a few cases, there is still a risk that the patchwork quilt in the area of data protection will continue to exist in Europe.

Big Data, Cloud and Co.? Not a chance!

But what annoys the experts most is that the new European regulations do not explicitly address the real challenges and risks in information technology.

Big Data - that is, the flood of data and its mastery - search engines, cloud computing and other modern technology applications are not specifically mentioned in the 99 articles.

As with the Federal Data Protection Act (BDSG), the rules in the GDPR on these topics must be inferred from the individual articles.

What regulations apply?

It is important for employers that Section 32 of the Federal Data Protection Act is likely to continue. This states that personal data of an employee may be collected, processed or used for the purposes of the employment relationship.

The reason for the possible continued existence of the regulation is Article 88(1) of the GDPR. This contains one of the opening clauses described above. Thus, more specific regulations on data protection in the employment context can be created by the national legislator itself.

Furthermore, the possibility of processing personal data on the basis of a collective agreement will also remain. These are then the company agreements and collective agreements.

The good HR practice of using the works agreement as an authorization for data processing will therefore be able to continue.

However, the situation may also arise where company agreements have to be redrafted in order to comply with the requirements of the GDPR.

Conclusion

A major step forward that does not quite achieve the goals it has set itself. The GDPR is still a long way from uniformity throughout Europe, but it does indicate the direction in which things should go in the future.

Some abstract formulations in the GDPR do not allow the law to be applied with one hundred percent certainty, but they do close legal gaps from the past.

The lack of explicitly mentioned technical innovations in the GDPR is unfortunately a shortcoming that should have been avoided. Overall, the GDPR is a step in the right direction, but only the beginning on a long road.


Peter Jordan is a partner at LKC.

