A complete practical compliance checklist for German businesses
The European Union’s General Data Protection Regulations (GDPR — sometimes referred to as DSGVO in Germany), which will come into effect on May 25, 2018, has been put in place to deal with privacy concerns about the massive volumes of personal data that are being collected, processed, and retained across many use cases, including cloud-native apps and services. The GDPR aims to:
- Minimize the personal data collected by data controllers.
- Ensure that the data is protected by design during processing and storage — whether by the data controllers themselves or by their designated data processors.
- Give data subjects more visibility into and control over their personal data.
The GDPR applies to all organizations that collect personal data on EU residents and the penalties for non-compliance are unprecedented and severe. Business activities can be disrupted while a suspected non-compliance is being investigated, with the relevant Supervisory Authority having the right to prevent an organization from collecting or processing data until the case is resolved. If it is ascertained that the organization failed to prepare for or properly administer GDPR regulations, the fine is up to €10 million or 2% of worldwide annual turnover, whichever is higher. For actual breaches or major compliance failures, the fine can be double, i.e., up to €20 million or 4% of annual turnover.
As companies scramble to get ready for GDPR, those responsible for data protection must not only understand the GDPR requirements, but also the supplemental rules enacted by the EU member state in which they conduct their business. The areas in which the GDPR permits EU member states to align GDPR regulations with national law are: employee privacy, secondary data uses, data protection officers, privacy class action litigation, health and medical data, algorithmic decision-making, research & statistical processing, and evidentiary privileges.
In this white paper, we provide essential background information and guidelines for companies whose main or only place of business is in Germany, so that they can become and stay GDPR-compliant.
The Key Principles that Underlie the GDPR
The GDPR is a comprehensive collection of regulations — with 11 chapters, 99 articles, and 173 recitals that aim to strengthen and harmonize across the EU how personal data is protected during collection, processing and storage. Understanding the following fundamental principles will give you a good grasp of what the GDPR means for your organization:
- Data privacy by design and by default: Organizations must implement state-of-the-art technologies and policies that embed protection of privacy into all processes that collect, process and retain personal data. All the default options have to be the ones that provide the highest data privacy level. User consent to collect personal data must be, at a minimum, unambiguous and, in the case of more sensitive types of data, explicit.
- Data minimization: Although data minimization is related to data privacy by design, it is also an important principle in its own right. The GDPR expects organizations to restrict data collection to the minimum necessary to achieve well-defined business objectives.
- The rights of data subjects: The GDPR requires organizations to be transparent with individuals about what personal data is being collected about them, how, and why. The individual then has the right to object to or restrict these processes, to correct personal data, or to be erased/forgotten.
- Different levels of personal data: The GDPR differentiates between levels of data sensitivity, with requirements adapted accordingly. A good example is the consent requirement which, as already noted above, differs depending on the sensitivity of the data being collected. The most sensitive data is that which could damage an individual’s rights or reputation if breached, such as data related to health/medical, biometrics, and criminal history.
- Data breach notifications: The data controller is required to report data breaches that could endanger individual rights within 72 hours to both the relevant Data Protection Authority and, in some cases, to the data subjects affected.
The GDPR in Germany
In July 2017, Germany was the first EU member state to pass a Data Protection Adaptation and Implementation Act (Bundesdatenschutzgesetz BDSG-New), which will come into effect on the 24th of May and enforceable the same day as the GDPR. In this section, we describe some of the key areas in which the BDSG-New diverges from or clarifies the common GDPR regulations.
BDSG-New permits the collection and usage of employee data if the data is necessary for establishing, maintaining or terminating the employment relationship. It stipulates that employee consent to collect and retain personal data must be in writing. It also encourages organizations to strike a practical balance between the interests of the employer and the privacy rights of the employee.
Appointment of Data Protection Officer (DPO)
The GDPR requires companies to appoint a DPO only if their core activities involve large-scale processing of sensitive data. In the BDSG-New, Germany upholds its long tradition of requiring companies to self-supervise by appointing a DPO if: at least 10 employees regularly process personal data; their business involves transferring data anonymously or market/opinion research; or the GDPR has required them to conduct a Data Protection Impact Assessment (DPIA). The BDSG-New continues to protect the employment and status of DPOs.
Special Categories of Data
The BDSG-New clarifies the purposes for which sensitive data (health, biometric, genetic, for example) can be collected and used, including: preventive medicine, assessment of employee working capacity, and medical diagnosis. However, in accordance with the common GDPR regulations, the most robust safeguards must be put into place in order to protect this data, such as encryption, pseudonymization, and the appointment of a Data Protection Officer (DPO).
Data Processing for Research & Statistical Purposes
Sensitive data can be processed without consent if it is necessary for scientific or historical research and for statistical purposes. If challenged, the data controller will have to show that its interest in processing that data significantly outweighs the data subject’s interest. Care must be taken that the personal data be anonymized.
Alteration of Original Purpose of Collecting Data
This is permitted only when necessary for national defence or public safety, for prosecuting criminal offences, and for asserting, exercising or defending civil claims. If challenged, the data controller will have to demonstrate why the data subject’s interest does not prevail over these other interests.
Restrictions on Some Individual Rights
Earlier drafts of the BDSG-New drew a lot of criticism from privacy advocates for overly restricting the individual rights accorded by the GDPR.
The final version contains only modest limitations such as:
- No need to notify a data subject of a breach if the notification would reveal confidential data.
- Restricted right to access data if it is stored only to comply with regulatory retention requirements
- The right to erasure is restricted if erasure is impossible or inordinately expensive or if the data subject has only a minor interest for erasure.
For more detailed information on individual right restrictions in the BDSG-New, click here.
Data Protection Authorities (DPAs)
Germany has 17 different DPAs, one of which is federal, with jurisdiction over telecom and postal-service companies, and the other 16 maintained by the German states, with supervisory authority over private companies doing business in their jurisdiction. The BDSG-New implements a “One Stop Shop” mechanism for companies that have offices in more than one German state, with the Lead DPA being the one in the state where the company has its main establishment.
The BDSG-New also restricts the investigative powers of DPAs in the face of secrecy obligations of professions such as physicians, lawyers, and psychologists.
The GDPR takes a tough stance on automated decision-making algorithms that can significantly affect data subjects, requiring prior opt-in consent and a human appeal mechanism. In response to pressure from various sectors that rely on automated processes, the BDSG-New has created certain exemptions from these requirements:
- In the insurance sector, decision-making algorithms can be used without consent or appeal mechanism if the data subject receives everything he/she is asking for.
- In the health insurance sector, no prior consent is necessary for automated decisions based on binding fees for medical services. But the data subject must be informed of his/her right to appeal if the claim is not fully accepted.
- In order to uphold the integrity of the German credit system, the BDSG-New preserves Germany’s current data protection rules related to credit rankings and checks. However it does restrict how companies can use credit scores in automated decisions.
Right of DPAs to Challenge European Commission Decisions
The BDSG-New establishes the right of German DPAs to challenge the validity of privacy decisions of the European Commission. The DPA challenge is reviewed by Germany’s Supreme Administrative Court (SAC) which, if it shares the DPA’s doubts, must refer the case to the European Court of Justice for review. If the SAC believes the Commission decision was lawful, it will dismiss the DPA’s challenge and issue a final decision.
Sanctions and Fines
The BDSG-New acknowledges that the GDPR, through the member state DPAs, now comprehensively regulates the sanctions and fines for personal data privacy violations, which are substantial as described in the introduction to this white paper. The only exception is that German DPAs can levy a €50,000 fine for violating consumer credit disclosure obligations.
Your GDPR Assessment Checklist
Organizations are required to conduct a Data Privacy Impact Assessment (DPIA) if their data processing poses a high risk to the rights of data subjects, such as profiling operations, large-scale processing of special categories of data, or when using a new data processing technology. The DPIA, which must be conducted by the organization’s DPO (described above), is meant to identify privacy risks and suggest solutions to be implemented to mitigate those risks. The results and action items are recorded in a formal report signed by the DPO. If a high risk has been identified, the report must be submitted to the DPA for consultation.
However, even if you are not required to appoint a DPO and/or do a formal DPIA, we recommend that you define who in your organization will have GDPR oversight, and get the entire organization involved in doing an assessment that will highlight areas that need improvement.
The assessment checklist would look something like this:
|Task||Questions to Ask||Action Items|
|?||Purpose Specification||Are we clear about why we collect and keep personal information?||
|?||Data Collection||Are data subjects (customers, employees, etc.) aware of personal data being collected, and why?||Make sure your consent procedures are appropriate for the different types of data you collect|
|?||Data Use and Disclosure||Is data protected during processing? Is access restricted according to roles and responsibilities?||
|Is the personal data effectively secured both in-transit and at-rest?||
|?||Data Governance||What measures are in place to keep data accurate, up-to-date?||
|?||Data Transparency||Can you respond to data subject requests within the required timeframe?||This may be one of the most challenging GDPR requirements to meet.
This type of assessment should be carried out on a regular basis to ensure continued compliance that will keep your company out of trouble.
A Final Note
Germany has always placed a high value on personal data privacy and the GDPR should not be disruptive for German companies. However, given the financial and other sanctions that companies will be liable for in the case of non-compliance, it is incumbent on every German company that processes personal data on German and other EU subjects to fully understand where it may be at risk regarding the GDPR and the supplementary German enactment, the BDSG-New.
AllCloud is a global professional services company specializing in cloud enablement, from cloud infrastructure to CRM/ERP cloud applications. The company is an AWS Premier Consulting Partner, Salesforce Platinum Partner and also holds partnerships with Google Cloud Platform and Oracle-NetSuite. Established in 2008, AllCloud is an industry leader in migrating and deploying companies of all sizes – startups, enterprise, and public sector – to the cloud.
With a portfolio of thousands of successful cloud deployments, AllCloud’s areas of expertise include cloud architecture, cloud security, DevOps automation, managed services, CRM and ERP customization and integration, 24/7 support and much more. AllCloud is headquartered in Israel with offices in New York, Munich, Berlin, and London and delivery centres in Israel, Romania and Germany.
For assistance with the GDPR checklist or help with getting your business GDPR ready, contact us via email at firstname.lastname@example.org, or by telephone using:
- Munich, Dr. Robert Klimke, +49.172.295.295.1
- Berlin, Yael Kahn, +49.176.418.445.49