At a recent discussion on the pitfalls of investing in foreign markets, a US private equity manager voiced his biggest surprise: the personal liability that the director of a German company faces in Germany if he or she breaches their broad duties and obligations vis-à-vis the company. Indeed, this potential liability does exist and the fact that one is not actively involved in managing the company rarely provides a defence against claims.
What, however, does this have to do with data protection?
In short, the director of a limited liability company needs to observe all statutory, contractual (by way of the articles of association), or other (by way of shareholders’ resolution) obligations in connection with managing the company. One of the obligations is the monitoring of legal developments and changes that affect the company’s business, organisation or legal requirements. Accordingly, the new European General Data Protection Regulation (hereinafter GDRP) is a legal development that any director of a limited liability company needs to keep abreast of, review and implement. This is all the more true, because the fines that can be imposed under the GDRP are severe and can amount to up to EUR 20 million or 4% of the global turnover. A company faced with such a fine may rightfully examine whether the director has fulfilled his or her obligations in readying the company for the coming GDRP.
The good news: the GDRP will only enter into force on 25 May 2018. The bad news: potentially, there is much to be done.
A diligent director will have a clear roadmap for implementing the changes required for compliance with the GDRP, will have created deliverables with his team and − in general − will not be surprised by the content of the GDRP. The Data Protection Agency of Lower Saxony has gone so far as to state: Data protection is an issue for the director.
However, reality often looks quite different: we note that knowledge about the GDRP is often limited to data protection specialists. We have therefore identified the major issues businesses need to examine their current practices and possibly amend these practices by 28 May 2018 − or install new practices.
Why did the EU create the GDRP, at all? The current data protection law within the EU is based on Data Protection Directive 95/46/EC. Obviously, there has been significant technical progress since 1995. Also, the Directive only established a minimum standard, leading to a wide range of data protection laws and no unified standard. To tackle these differences the EU has classified the new data protection rules as a regulation, which requires no transformation by Member States; at the same time, the GDRP contains elements of a directive, as Member States need to adapt a wide range of laws, in order to ensure compliance with the GDRP rules. As an example of the magnitude of the changes that this involves, more than 300 acts need to be amended or have been amended in Germany alone.
How should one go about complying with the impending changes caused by the GDRP?
An initial assessment of data practices should be the first step on the road to compliance with the new data processing regime. The GDRP requests that businesses draw up records of data processing activities (Article 30 GDRP) outlining all data processing operations. This not only relates to customer data, but to all third party data, which is the object of processing. This includes the data of employees, suppliers, consultants and others. Special care is advised when collecting or processing data related to minors, as more stringent protection applies. Likewise, more stringent protection applies to sensitive personal data, such as religion, political persuasion, health or sexual orientation. The data processing directory is not required for enterprises und undertakings with less than 250 employees – this exemption is intended to carve out SMEs. However, this de minimis exception does not apply, if the data processing is not occasional. There is hardly a situation, where processing is only occasional. In all likelihood, at least some processing will occur on a regular basis.
Apart from records of processing activities, the GDRP requires a wide range of informational items to be disclosed to the data subject at the time of collecting data. This includes, inter alia, the duration of the intended data storage, the revocability of consent, and the transfer of data outside the EU. In practice, this will require the modification of data protection declarations, consent forms and information displayed in connection with third party plug-ins.
The GDRP retains the fundamental approach of requiring either statutory permission or consent to process data (the term “process” includes collection and storage). Consent granted by the data subject pursuant to the current legal framework will, in general, remain valid under the GDRP, providing the manner in which the consent has been given is in line with the conditions set out in the GDRP. This requires urgent attention: data processing based on consent may run afoul of the GDRP’s concept of consent! The sooner the current consent mechanism is adapted to bring it into line with the GDRP, the more data can be processed under the new law. Looking back at our initial thought: a director who does not have a clear plan on how to evaluate the current consent mechanism in data processing may breach his duties as a director and not be compliant with the GDRP.
The GDRP also introduces a new concept to mitigate the risk inherent with data processing: a data protection impact assessment. Such an assessment needs to be in writing and identify whether the type of processing used, in particular where new technologies are involved, is likely to result in a high risk to the rights and freedoms of natural persons. Where such a risk is likely, an impact assessment of the envisaged processing operations is required. In effect, the GDRP requires an examination of data processing types, and, if risks are apparent, an assessment of risks and benefits. Commencing certain types of data processing without such an analysis may be a violation of the GDRP and thus also be a breach of the obligations of a director.
The GDRP further introduces the concept of data portability in Article 20 GDRP. This provision gives the data subject the right to demand the transfer of personal data collected by one controller to another controller in a machine-readable format. In essence, a data subject can demand that pictures posted on one social network can be transferred to another, or that their sales history be transferred from one merchant to another. Data therefore needs to be structured in a way that allows such transfers.
The last few months have also shown that data protection breaches may have been covered up or not have been readily disclosed. As a safeguard against this, the GDRP requires the data protection authorities to be notified, even where there is only a suspicion of data breach.
To underscore the importance of adherence to the GDRP, the EU has decided to increase fines dramatically, as mentioned above. Word of mouth has it that the data protection authorities have also increased personnel and are preparing diligently for the monitoring of adherence to the GDRP and enforcement of the new rules. A director is therefore well advised to keep abreast of developments, to install a team that is responsible for managing the process and to drive the necessary change.
We are available to discuss any further steps that may be needed to help your or your client‘s organisation meet the legal requirements of the GDRP.
If you have any questions related to this topic please contact
Prof. Dr Hans-Josef Vogel.