From May 2018, the General Data Protection Regulation 2016/679 (GDPR) replaces the Data Protection Directive 95/46/EC, representing a significant overhaul of data protection law in the European Union. Applicable to all EU Member States, the GDPR's relevance spans not only organisations operating within the EU, but also those operating outside the EU.
List of abbreviations (p. 9)
List of Recitals of the General Data Protection Regulation (p. 11)
Introduction to the General Data Protection Regulation (p. 13)
Text of the General Data Protection Regulation and commentary (p. 41)
Chapter I - General provisions (p. 43)
Chapter II - Principles (p. 73)
Chapter III - Rights of the data subject (p. 101)
Section 1 - Transparency and modalities (p. 101)
Section 2 - Information and access to personal data (p. 105)
Section 3 - Rectification and erasure (p. 118)
Section 4 - Right to object and automated individual decision-making (p. 131)
Section 5 - Restrictions (p. 138)
Chapter IV - Controller and processor (p. 141)
Section 1 - General obligations (p. 141)
Section 2 - Security of personal data (p. 159)
Section 3 - Data protection impact assessment and prior consultation (p. 169)
Section 4 - Data protection officer (p. 181)
Section 5 - Codes of conduct and certification (p. 192)
Chapter V - Transfers of personal data to third countries or international organisations (p. 203)
Chapter VI - Independent supervisory authorities (p. 225)
Section 1 - Independent status (p. 225)
Section 2 - Competence, tasks and powers (p. 232)
Chapter VII - Cooperation and consistency (p. 249)
Section 1 - Cooperation (p. 249)
Section 2 - Consistency (p. 256)
Section 3 - European data protection board (p. 267)
Chapter VIII - Remedies, liability and penalties (p. 279)
Chapter X - Delegated acts and implementing acts (p. 313)
Chapter XI - Final provisions (p. 319)
Keyword index (p. 327)
About the authors (p. 333)
Introduction to the General Data Protection Regulation
1. Introduction
The General Data Protection Regulation (GDPR) is one of the most ambitious legal projects of the European Union in recent years. From 25 May 2018 the GDPR will replace the Data Protection Directive, and the data protection laws of the 28 Member States will become obsolete to a large extent. Only those companies that begin adapting their contracts, business processes and IT solutions to the GDPR in a timely manner will achieve a prudent level of compliance when the GDPR applies from 25 May 2018.
The high fines of up to EUR 20 million or 4% of total worldwide annual turnover are not the only reason companies must take the GDPR seriously. Data protection has become one of the largest compliance risk areas and is therefore necessarily a priority for the management of every company.
The introduction below allows the reader to quickly get an overview of the GDPR or of certain parts of it. For certain details, the introduction refers to specific articles of the GDPR or to specific comments on articles of the GDPR in the commentary section of this book.
2. The most important compliance steps to be implemented before the GDPR applies from 25 May 2018
The GDPR will apply from 25 May 2018 (Art. 99 para. 2). To achieve minimum compliance with the GDPR by then, controllers and processors must begin with compliance steps sooner rather than later.
For controllers the most important compliance steps to be implemented by 25 May 2018 can be summarised as follows:
1) implementation of a basic data protection compliance programme (see chapter 11 below) including the appointment of a data protection officer, to the extent reasonable or required in the particular case (see chapter 14 below);
2) preparation of a record of processing activities (see chapter 12 below);
3) review of the legal basis of the respective data processing operation (see chapter 7 below), in particular the new requirements regarding valid consent (see chapter 7.2 below);
4) development of GDPR compliant privacy notices (see chapter 8 below); and
5) review of the legal basis for international data transfers (see chapter 18 below).
For processors the most important compliance steps to be implemented by 25 May 2018 can be summarised as follows:
1) appointment of a data protection officer to the extent required or reasonable in the particular case (see chapter 14 below);
2) preparation of records of processing activities (see chapter 12 below);
3) implementation of appropriate security measures (see chapter 15.1);
4) ensuring that subprocessors are engaged only with prior specific or general written authorisation of the controller (Art. 28 para. 2); and
5) assurance that international data transfers take place only if compliant with the requirements of the GDPR (see chapter 18 below).
The above-mentioned measures will not produce full compliance with the GDPR, but they help to focus the personnel and financial resources of a controller or processor on the central compliance aspects.
Larger organisations will also need to assess in advance the regulatory risks resulting from the GDPR in general, so that resources can be deployed efficiently.
3. Basic terms of the GDPR
The GDPR exclusively applies to personal data (see chapter 4.1 below). Personal data are defined as any information relating to an identified or identifiable natural person, who is referred to as the data subject (Art. 4 No. 1).
A subset of personal data is sensitive data (also 'special categories of personal data'). Sensitive data are defined in Art. 9 para. 1 as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning a natural person's sex life or sexual orientation, data concerning health within the meaning of Art. 4 No. 15, genetic data within the meaning of Art. 4 No. 13, and biometric data (e.g., fingerprints or facial images) if processed for the purpose of uniquely identifying a natural person (Art. 9 cmt. 3). Furthermore, social security numbers might be regarded as sensitive data (cf. Art. 4 cmt. 35).
The GDPR applies to controllers and processors (cf. Art. 3 cmt. 4). The GDPR defines the term controller as the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7).
Processor means a natural or legal person which processes personal data on behalf of the controller, that is, one which does not itself determine the purposes and means of the processing of personal data (Art. 4 No. 8). For example, if a company outsources the operation of its customer database to an IT service provider, the company still acts as the controller, whereas the IT service provider acts as a processor.
Processing is defined broadly as any operation which is performed on personal data such as the collection, recording, structuring, alteration, retrieval, use, disclosure by transmission, erasure or destruction (Art. 4 No. 2).
The term transfer is used quite frequently throughout the GDPR. However, it is not defined. Transfer includes the disclosure of personal data to another controller or processor, or to a subprocessor (see Art. 44 cmt. 1).
The term supervisory authority means the data protection authority established by each Member State.
4. The scope of the GDPR
The following provides an...