Guide | Privacysense

Data Protection Means



Find out which data protection means have to be implemented in order to reach compliance with European data protection law. For each individual data protection means you can find in our guide the relevant:

Intro: What is meant by the respective means, what function does it have and what must be taken into account during implementation?

To-Dos: What is the specific procedure for implementing the means and the associated obligations?

Statements: What have the data protection supervisory authorities published on the respective topic?


What you should do before starting with the implementation





European Data Protection law

The General Data Protection Regulation (GDPR) applies directly in all EU and EEC member states and is the primary law governing data protection, in Germany as well. "Opening clauses" allow member states to regulate specific topics such as employee data protection. Nevertheless, if a national law conflicts with the GDPR, the European law prevails.


German Data Protection Law

The regulations of the Federal Data Protection Act (BDSG) supplement those of the GDPR on broad topics such as the processing of employee data, and contain specifications on matters that are already regulated in the GDPR, such as data subject rights. In addition, the BDSG regulates processing by federal public bodies.




Authority enforcement

Each German "Bundesland" provides for at least one data protection authority that is equipped with comprehensive enforcement powers. Among other things, the competent authority may carry out investigations, request access to personal data and to premises, and order a ban on data processing. Most importantly, data protection authorities may also impose heavy fines on companies for non-compliance with the law.


Reputational damage

Financial risks may result not only from fines but also from data protection incidents that have come to the public's attention. So-called "data breaches" regularly hit the headlines of popular news channels. Once the media have become aware of an incident, the reputational damage resulting from it is hard to contain.




Data Protection Officer

If a company processes sensitive data or permanently tasks more than 20 employees with the processing of personal data, a data protection officer has to be appointed and notified to the competent data protection authority. Since the requirements of the GDPR need to be fulfilled regardless of whether a data protection officer must be appointed, many companies voluntarily appoint an officer.


Data protection organization

Depending on the company's size, the proper implementation of data protection measures and the timely response to data protection requests may require the establishment of a data protection management organization. In many organizations, so-called data protection managers or data protection ambassadors are tasked with a variety of functions, such as raising employee awareness, drafting processing records and reporting incidents to the legal or data protection department.




Status analysis

While some companies have already implemented certain data protection means, others start from scratch. The respective implementation level may be determined by means of a status analysis that should be carried out by an independent internal or external entity. The outcome of the analysis should be documented in an audit report that informs about the most critical data protection risks detected.


Formal steps

The further implementation of data protection measures should take place according to a binding action plan. It is of great importance to allocate roles and responsibilities in a transparent way to ensure smooth processing of data protection tasks within all relevant departments. This may be realized by means of guidelines and templates.



Appoint a professional data protection officer now!


Do you need support with the implementation of data protection requirements? about our services.

We are
familiar with the characteristics of small and large companies
experienced in communicating with authorities
active in data protection for over 10 years.