The EU’s General Data Protection Regulation (GDPR) is intended to regulate the handling of personal data and provide a uniform legal framework for data protection. The GDPR applies to all 27 EU member states. However, almost four years after the latest amendment came into force, it is still not possible to speak of a data protection reform that applies throughout Europe. Experts and consumer advocates have criticized the inertia of European and national legislators, while companies are annoyed by the burden of additional bureaucracy and the opaque legal situation. In the following, we offer a summary of the current legal situation and present a GDPR checklist of measures US-based companies should take for their websites to be compliant with European data protection laws.

GDPR: Not a directive, but a regulation

When it comes to European bureaucracy, laws can take a long time – even after they have officially come into force. After long debates in parliament in Brussels, the 28 member states will often be granted generous transitional periods to incorporate new EU laws into their national legislation. A lot of time can pass before the pressure of implementation reaches individual companies.

But in addition to directives there is a second type of EU law: regulations. They offer almost no wiggle room when it comes to content and timing. They are immediately and uniformly legally binding for all member states – and this includes the business practice of every SME. This is also the case with the GDPR: it’s not a directive, but a regulation.

In May 2016, the GDPR came into force with a transitional period of two years – and since 25 May 2018, it has been the official data protection law in all EU states, overriding national legislation. This means no more transition periods or “buffer” times. All companies and public entities working with personal data must comply with the EU data protection rules and implement appropriate measures in their businesses.

But even today, not all companies seem to be aware of these changes. In September 2020, a Bitkom survey on the GDPR showed that only 20% of 504 surveyed companies with 20 or more employees were fully GDPR-compliant. However, the proportion of companies that have not yet initiated any measures has now fallen sharply (10%).

GDPR updates anger businesses

Two of the biggest hurdles are legal uncertainty and not knowing how much effort it takes to implement the GDPR. Many businesses and companies think that needing to obtain explicit consent before exchanging personal data is unnecessarily complicated, and the need to be able to prove this consent makes it even more so. Moreover, 82 percent of companies that have not yet fully implemented the GDPR say their priorities changed in light of the coronavirus pandemic. The bottom line is that three years after the implementation of the GDPR, many companies are still unsure of how to integrate the new regulations into their own IT network.

For many entrepreneurs the complicated legal situation results in heavy fines. A fine of up to €20 million ($23 million) or 4% of worldwide sales in the last financial year may be imposed as a punitive measure. And don’t be fooled by the fact that this is “just” an EU law. It can affect your US-based business too – if you collect personal data or information from anyone residing or browsing in an EU country, your company needs to comply with the regulations of the GDPR. Renowned companies like Google have already received fines because they failed to implement the changes. British Airways ($230 million) and Marriott ($124 million) have been among the companies that were issued some of the largest fines for violating the GDPR so far. British Airways received a penalty following a data breach, whilst Marriott was fined for failing to carry out due diligence after an acquisition.

Amendments: Opening clauses

EU regulations take precedence over national laws and prevail in the event of contradictions. However, the GDPR contains some opening clauses that allow member states to weaken or strengthen certain data protection rules.

Tip

The European General Data Protection Regulation can be found online on the Europa.eu website.

Aims: European uniformity when it comes to data protection

The primary objective of the GDPR is the harmonization of European data protection. Whereas the 1995 Data Protection Directive was implemented differently in each EU country, the regulation offers less scope for action on an individual, national level.

A second primary aspect addressed by the GDPR relates to the serious technological changes which have occurred over the past 25 years – as well as, of course, the technical developments still to come. That’s because many of the challenges of data protection still lie ahead of us. For example, the collection of biometric data from employees is mandatory for certain work with intelligent machines. If a company handles such data sensitively, this is not in itself a problem. However, once the employer holds this information, there is also the temptation to use it for other purposes – such as performance monitoring. The EU GDPR is set up to react to developments of this kind.

Content: Developing proven principles

Any summary of the General Data Protection Regulation must first address the changes related to personal data. This is where the most significant changes are taking place because of the EU GDPR.

For example, the accountability of companies has been extended. There are now more comprehensive obligations pertaining to the documentation of data and proving what data a company collects. These obligations also cover the purpose for which it uses the data and how it is processed. Above all, the GDPR means more work when it comes to documentation. Companies that already value data protection and have kept a register of data processing procedures find implementation of the regulation easier.

The most important principles are as follows:

  1. Prohibition unless authorized: This means that any processing of personal data is prohibited unless specifically permitted. This was already the case before, and it is not uncontroversial. At the end of the day, not all data is of equal importance. However, according to the GDPR, the prohibition principle applies indiscriminately to all personal data.
  2. Purpose limitation: Companies may only collect and process data for specific purposes. To this end, the purposes must be clearly outlined at the point of collection and the future use of the data must be documented. For example, data that a company has collected in order to fulfill a contract and rightly stores may not be used for advertising purposes. This is another, separate purpose which requires its own justification. Subsequent changes of purpose are only permissible under certain circumstances.
  3. Data minimization: The principle of data minimization requires companies to collect as little data as possible. The general rule is: as little as possible, as much as is necessary. You are not permitted to collect more than is necessary for the purpose of the collection in question. Thus, this principle prohibits any “blind” data collection for unspecified future purposes.
  4. Transparency: Data processing should always be comprehensible to those affected. On the one hand this requires understandable data protection declarations, and on the other hand users enjoy extensive rights under the innovations of the GDPR. As in the past, companies are required to provide information on what data they have and how they use it.
  5. Confidentiality: Companies need to ensure that they technically and organizationally protect the personal data of their customers – be it against unauthorized processing, alteration, theft, and/or destruction of data. This explicitly stated obligation to take technical protective measures is new. Nevertheless, these measures are not precisely outlined in the General Data Protection Regulation and are therefore open to interpretation. In the case of data theft, it will depend on whether the technical and organizational protective measures were appropriate to the risk as well as the type of data being stored.

Who is affected? Businesses and data protection officers

All in all, the GDPR is a good basis for every consumer and all those affected by data processing, because they are protected by the GDPR. In addition, GDPR regulations also affect the rights of employees.

These rules are relevant for all companies with employees. This means that numerous companies are doubly affected, as it concerns the privacy of employees (employment data protection) as well as that of customers, suppliers, and website visitors.

Of course, the GDPR is of relevance for those employed as data protection officers. The regulations considerably increase the number of these throughout the continent. All public authorities and all companies whose core activity relates to the handling of personal data have to appoint a company-wide data protection officer. Even if a business’s core activity is not related to data processing, if at least twenty people are constantly engaged in the automated processing of personal data on the premises, then a data protection officer must be appointed. This is most likely the case for many medium-sized companies. Companies affected by this scheme must have taken the appropriate measures already.

Even for data protection officers who are already employed by a company, the GDPR represented a major change, because their role in the company has fundamentally changed. Whereas the data protection officer previously worked towards data protection conformity, they are now responsible for monitoring the implemented measures. In other words, the scope of duties has expanded significantly, which of course subsequently increased their potential for liability.

Overall, the regulations increased the workload for data protection officers. They had to familiarize themselves with the new legal situation. However, the laws also had positive aspects for them. Their expertise is in great demand and, in addition, their position in the company is enhanced due to the increasing number of tasks. Article 39 of the GDPR sets out the tasks of a data protection officer. Some of these include informing and advising in relation to the GDPR as well as other data laws, monitoring GDPR compliance, advising on the impact of the regulations, and being available for any enquiries.

The following is a summary of the General Data Protection Regulation, focusing particularly on the core tasks and effects for website operators and companies.

Note

Are you an IONOS customer? Find a checklist for IONOS customers with all the information you need to operate your website in a GDPR-compliant manner.

GDPR: how the GDPR affects companies and website operators

Even if there is no fundamental upheaval of data protection, the EU GDPR brought many changes into focus. It is imperative that companies take these alterations into account and, as early as the conceptual design phase, integrate them into their workflows that involve personal data (Privacy by Design principle). Otherwise, they end up being in violation of European law. Below you will find some of the most important regulations that companies, especially those in the area of online commerce, need to comply with.

General data security for businesses

  • Privacy Impact Assessment (PIA): Companies are obliged to carry out risk assessments. They are also required to specify what safeguards are in place for minimizing risks. This rule becomes particularly relevant when a company is working with cloud computing, which often involves handling large amounts of personal data. Companies who store data relating to individuals’ health are likely to be hit even harder, as such data is considered to be particularly sensitive and its dissemination can be extremely damaging for those involved.
  • Employee data: The way in which a company processes its employees’ data is always under scrutiny. Therefore, the regulations in the GDPR relevant to this aspect also concern human resources, which must be included in the changes.
  • Data protection officers: For many companies, a data protection officer has become mandatory. These individuals monitor the individually developed data protection strategy and GDPR conformity. This does not apply only to companies that work with personal data on a large scale: every company that has more than 20 people regularly dealing with personal data must appoint a data protection officer.
  • Reporting requirements: The EU GDPR guidelines on how to deal with data breaches are considerably stricter than previous regulations. Security incidents need to be reported within 72 hours of becoming aware of them. If in doubt, you should always report these to the affected persons as well as the relevant authorities.
  • Responsibility and fines: It is much easier for companies to be held responsible for violations relating to data they have collected. Punishments for this can include heavy fines.

Note

You will find many guides online that appear to provide up-to-date information on the GDPR. But appearances can be deceptive and even misleading where content isn’t regularly updated. Example: According to GDPR updates, companies must appoint a data protection officer if they employ more than 20 people on a permanent basis and automatically process personal data. Many sites still quote the older version which refers to 10 people. As is so often the case, it is better to be safe than sorry.

Security of personal data

  • Mandatory documentation: A major focus of the GDPR is on the accountability of companies. Unlike in the past, companies are now obliged to document their data protection compliance by means of in-house documentation. They need to be able to inform the authorities at any time about what data is being stored, for which purpose it is stored, how the data is being stored, and when it is deleted by the company. If required, the company should be able to provide a list of all this relevant information.
  • Privacy by Design: The Privacy by Design principle means that companies have to take data protection into account as early as the technical structuring of their business processes. They are not permitted to bolt on data protection measures retrospectively (i.e., treat them as being of secondary importance) but are instead required to integrate them into the work process during the development phase. Both products and processes should therefore be designed in such a way that they require as little personal data as possible.
  • Privacy by Default: This particular provision of the GDPR stipulates that, in principle, the most privacy-friendly settings must be in place from the start. This saves consumers from having to struggle through complex technical settings when trying to impose restrictions on data processing.
  • Permission (consent, works agreement): Individuals still have to explicitly agree to the use of their personal data. In addition, the consent of the employee or consumer is only valid for the stated purpose. The declaration of consent must be formulated in a way that is comprehensible and should also be easily revocable. Revoking consent needs to be as easy for the customer as giving it in the first place. Under the EU GDPR, the requirements for effective consent have increased. A gross imbalance between the parties involved can call into question both the voluntary nature of the consent and the validity of the resulting contract.
  • Deleting data: Personal data may only be stored for as long as it is necessary for its intended purpose. If the authorization expires (e.g., if the consent is revoked or the contract is fulfilled), then the data must be deleted.
  • Right of access and deletion: EU citizens have the right, on request, to know which of their data is held by a company and how it is being used. In addition, consumers can also request that companies delete their data. Being able to have personal data deleted by Google upon request is part of the law.

TTDPA: German website and services operators beware!

The General Data Protection Regulation does not contain explicit rules for online commerce or website operators. However, Germany’s Telecommunications Telemedia Data Protection Act (TTDPA), which came into force in Germany on December 1, 2021, does. Websites or service providers who operate in Germany must now comply with additional rules and regulations regarding cookie tracking and the storage of personal data.

Background: The GDPR was and is a transitional solution, because originally another new data protection regulation was to come into force together with the GDPR – the EU ePrivacy Regulation. However, it is not yet possible to predict when the additional regulation will come into force, because the EU member states have not been able to find consensus. But German lawmakers have now reached a small milestone with the new TTDPA, transposing the EU regulation also known as the “Cookie Directive” into national law. The TTDPA merges the regulations of the GDPR with the Telecommunications Act (TKG) and the Telemedia Act (TMG) into a new parent law. The TTDPA could affect US website operators who provide their services in Germany.

Website operators and online retailers should keep an eye on the pending ePrivacy Regulation. In contrast to the GDPR, which regulates data protection principles, the ePrivacy Regulation will relate to a very specific area: the protection of privacy in everyday digital life. This means that additional regulations await website operators.

What changed with the GDPR

But what changed in May 2018? Here are the most important changes in the EU’s GDPR for website operators:

  1. Obligation to maintain the comprehensive documentation mandated by the GDPR
  2. Complex consent forms
  3. The principles of Privacy by Design and Privacy by Default
  4. Extensive information rights and the right to be deleted
  5. The right to data portability
  6. More substantial information requirements (e.g., a website’s data protection declaration)
  7. No linking of consents
  8. Very high fines

Several points have already been explained in previous sections. The two themes of the data protection declaration and the coupling of consent forms are described below. These mainly concern website operators.

Fact

There is a strict difference between data protection consent and the data protection declaration. The user’s consent – required for any data processing that is not permitted by a legal norm – refers to the active confirmation by a user that they agree with the company’s data protection conditions. The data protection declaration is the text in which a company presents its data protection measures to its customers. It is obligatory on every website.

For website operators, the most important feature of the GDPR is the privacy policy. Art. 13 Par. 2 of the GDPR contains a detailed catalogue of information which must be contained within a data protection declaration. The overall form of the data protection declaration is also more clearly regulated in the GDPR. It must be written in comprehensible language and be understandable when it comes to the content. The General Data Protection Regulation attaches great importance to transparency.

Quote

“The controller shall take appropriate measures to provide any information […] relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.” – Art. 12 Par. 1 of the GDPR “Transparent information, communication and modalities for the exercise of the rights of the data subject” (Source: http://www.privacy-regulation.eu/en/article-12-transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject-GDPR.htm/)

On the other hand, experts see the prohibition of linking consent forms as the greatest restriction imposed on the online industry by the GDPR. It means that a website operator may not make its service conditional on potential customers releasing data that is not necessary for the current service. For example, if you are required to sign up for an online newsletter to conclude a contract, this is now a violation of EU law. The most important thing is that nothing is forced and such measures are always voluntary. Up until now, many linked consents are unlikely to have been voluntary. Therefore, any consent obtained in this way is invalid.

Quote

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” – Art. 7 Par. 4 of the GDPR in relation to “Conditions for consent”

Finally, it is imperative that you observe the changes to documentation requirements, consent bases, storage, information rights, and the right to deletion. It should also be remembered that additional regulations may also affect website operators and companies.

GDPR checklist: the most important measures for companies and website operators

Even if you met the deadline for the European General Data Protection Regulation, it is important that you are aware that the measures required vary from company to company. This means you should check what you have done and update as necessary. There are several precautions that every company should consider. These precautions have been summarized here in a GDPR checklist for you.

  • Establish documentation processes for handling personal data.
  • Set up a list of processing operations.
  • Establish communication methods for any customer inquiries on data protection.
  • Check whether you need to appoint a data protection officer.
  • Adapt your website’s privacy policy to the regulations.
  • Consult with the head of your technical department and the data protection officer to determine whether the current technical measures for data protection are sufficient. Under certain circumstances, further measures may have to be undertaken or existing measures may need to be better integrated into the IT infrastructure.
  • Any personal data currently collected in a way that violates the prohibition on coupling consent must be collected differently, so that it can be regarded as voluntarily provided.
  • If you have commissioned external service providers to handle your company’s personal data, you should clarify with them whether the agreements made correspond to the data protection reform. If necessary, adjust the agreements to the specifications.
  • Check how you obtain the consent of your customers in your online shop and adapt the procedure to the GDPR.
  • Stay up to date when it comes to the ePrivacy Regulation. This will legislate how online retailers deal with analysis and tracking tools in the future.
  • If you are at all unsure about anything, make use of relevant professional advice.

Tip

Did you know? In the EU, the GDPR protects personal data against unauthorized or unlawful processing. Therefore, in the course of the GDPR, we recommend the use of an SSL certificate for your website or online store.

Reactions to the GDPR: Praise and criticism

As is to be expected with such an extensive and wide-ranging change to an already huge and complex issue, the reaction to the GDPR was mixed. Some welcomed its introduction, praising its comprehensiveness and transparency. Others have criticized it, noting the very high fines and strictness of some of the legislation. Below we have highlighted a few quotes from experts in the industry who had something to say about the European General Data Protection Regulation.

Quote

“The change in EU data laws is a significant breakthrough in how online organizations will engage with consumers and end users. The last 2 or 3 years have seen major changes in attitudes to how online data – such as personal information, browsing history, purchase and transaction history – is used, stored, and shared.” – Simon Moffat, Solutions Director, ForgeRock

Quote

“This regulation [shook] things up, forcing companies to scrutinize how they process and handle data. In particular, the ruling that they must report breaches ‘that are likely to harm individuals’ has the potential to expose a swathe of breaches that [were] being swept under the carpet – and the corresponding fines are likely to be keeping a few CFOs awake at night!” – Tony Pepper, CEO, Egress Technologies

Quote

“The latest agreements on EU data protection rules should raise a red flag to all components of the data supply chain. Far beyond the traditional realms of financial penalties, this latest development could threaten businesses’ viability.” – Steve Murphy, SVP, GM EMEA, Informatica

Quote

“We regret that much of the ambition of the original data protection package was lost, due to one of the biggest lobbying campaigns in European history. However, we congratulate the European Parliament and, in particular, the successful Luxembourg Presidency of the EU last year, for saving the essence of European data protection legislation.” – European Digital Rights

Effects of the GDPR on companies and consumers so far

The possible consequences of the GDPR have been the subject of heated debate for years. Since May 25, 2018, some of the positive as well as some of the negative predictions seem to have come true. Here you will find a brief overview of past developments in connection with the GDPR that affect companies and/or consumers:

SMEs hit worst by failing to implement regulations

Both the German digital association Bitkom and the forsa Institute for Social Research and Statistical Analysis, which conducts market, opinion and social research, independently concluded that almost three quarters of German businesses alone were not prepared to implement the GDPR – and this picture is unlikely to be different across Europe, or globally. Small and medium-sized enterprises in particular currently have a lot of catching up to do. This could theoretically be reflected in their economic performance, but precise statistical findings are not yet available at this time.

Impact on the international digital economy

The GDPR has created confusion across the globe. Instead of adapting their own data protection guidelines to the European regulations, many companies and news sites simply block users with European IP addresses, reduce the information offered, or only activate it for an additional charge. In addition, many small websites have been taken off the internet for fear of fines and have not been online since. These developments play a direct role in the “data flight” scenario feared by many critics of the GDPR.

At the same time, the change that came with the GDPR has triggered an international discourse about data protection, which – as data protection activists agree – was long overdue on this scale. Large internet companies such as Google and Facebook are now more frequently the focus of media attention and are also being critically observed by their users.

US companies are cutting their ties

Many US companies and news sites such as the New York Daily and Chicago Tribune are cutting ties with users with European IP addresses. However, according to the error messages that appear on many of the websites during a visit, it is currently being examined whether the services can continue to be made available to interested European parties.

Fear of the phantom “wave of warnings”

The GDPR continues to cause confusion in many places. Although the concrete changes in the legal text are only minor, the fear of the consequences of disregarding the legal situation has increased. SMEs express their fear of warning letters, with small bloggers and forum operators taking their web projects off the net. However, it was found that many of these sites have only temporarily disappeared – publishers want to check their own data protection efforts in relation to the GDPR before going online again. In any case, the dreaded “wave of warnings” seems – at least for the time being – to be absent. This means that no widespread abuse of the GDPR for targeted warning-letter fraud has yet been recorded.

Fear of fraud

The great “warning wave”, which many economic players feared for a long time, continues to prove to be a phantom. Nevertheless, more and more emails posing as warning letters have entered the mailboxes of many companies. These are often fraudulent and can contain dangerous malware in the attachment, and should therefore quickly be classified as spam and deleted.

The “buffer” period is over: Fines after GDPR

Although the fear of a wave of warnings turned out to be exaggerated, in December 2018 German authorities already released numbers of complaints regarding data privacy, as did authorities in other European countries. Numerous indications of violations of the GDPR in companies were received by the data protection officers.

The authorities in Europe had unofficially agreed on a temporary “buffer period” during which no penalties were imposed. But that is now over: In November 2018, the social media service provider Knuddels.de had to pay a fine of €20,000 after it had stored passwords and email addresses in an unencrypted format, meaning data leaks or hacks would have been all too easy.

Furthermore, France’s data protection regulator CNIL fined Google the sum of €50 million ($57 million), considered to be a landmark GDPR ruling. This shows that authorities are willing to fine – and it looks like the sums of money are becoming increasingly significant. H&M paid an even higher fine because personal employment data was stored unlawfully for several years. The company was ordered to pay €35 million in GDPR fines.

Even more praise and criticism

For-and-against arguments on the GDPR continue to balance each other out. Some voices speak of unnecessary scaremongering and call the many website closures overcautious; other people expect that this may just be the beginning of a new age of data protection. There are many different implications to the regulation, spanning from a professional level to a personal one. Regardless of opinion, however, seeing as the GDPR is now in action, it is essential that you wise up and ensure your website or other online presence conforms to the regulations.

Note

Data protection is taking on an increasingly important role in everyday dealings with the Internet and digital applications in other parts of the world. For example, California passed the California Consumer Privacy Act, which is similar to the GDPR in many respects.
