General Data Protection Regulation

from Wikipedia, the free encyclopedia
Regulation (EU) 2016/679

Title: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and repealing Directive 95/46/EC
Short title: General Data Protection Regulation
Designation (not official): GDPR (German: DSGVO, also DS-GVO)
Scope: EEA
Legal matter: Data protection law
Basis: TFEU, in particular Art. 16
Procedure overview: European Commission, European Parliament, IPEX Wiki
Applicable from: May 25, 2018
Reference: OJ L 119 of May 4, 2016, pp. 1-88
Full text: consolidated version (not official), basic version
Regulation has entered into force and is applicable.

The General Data Protection Regulation (German: Datenschutz-Grundverordnung, DSGVO or DS-GVO; French: Règlement général sur la protection des données, RGPD; English: General Data Protection Regulation, GDPR) is a European Union regulation that unifies, across the EU, the rules for the processing of personal data by most data processors, both private and public. It is intended on the one hand to ensure the protection of personal data within the European Union and on the other to guarantee the free movement of data within the European internal market.

The Regulation replaces Directive 95/46/EC of 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Together with the so-called JI Directive for data protection in the police and judiciary, the GDPR has formed the common data protection framework in the European Union since May 25, 2018.

Immediate validity; national special regulations

In contrast to Directive 95/46/EC, which had to be transposed into national law by the EU member states, the General Data Protection Regulation has applied directly in all EU member states since May 25, 2018. However, the member states must reconcile, by legislation, the right to the protection of personal data under this Regulation with the right to freedom of expression and information (Articles 85 and 86 of the Regulation). For this and other legal provisions, the General Data Protection Regulation has been relevant since it entered into force on May 24, 2016. Otherwise, the member states are generally not permitted to weaken or strengthen the data protection prescribed by the Regulation through national rules. The Regulation does, however, contain various opening clauses that allow individual member states to regulate certain aspects of data protection at national level. For this reason the General Data Protection Regulation is also described as a "hybrid" between directive and regulation.

National legislation is therefore required, both to make use of the opening clauses of the General Data Protection Regulation and to clean up national data protection law. In Germany these goals are to be achieved at federal level by the new version of the Federal Data Protection Act and by amendments to other laws. The law of June 30, 2017 repeals national data protection law, transfers to other areas of law those provisions of the previous Federal Data Protection Act that became inapplicable when the General Data Protection Regulation took effect, adapts existing rules and in some cases creates new data protection provisions. During the discussion of the various ministerial drafts from the Federal Ministry of the Interior, which led the legislative process, data protection advocates criticized the insufficient consideration of the experience of recent years. Legal scholars question whether the amended Federal Data Protection Act is compatible with European law.

Content

The General Data Protection Regulation is part of the EU data protection reform that the European Commission presented on January 25, 2012.

Structure of the GDPR

The GDPR consists of 99 articles in eleven chapters:

  • Chapter 1 (Articles 1 to 4): General provisions (subject matter and objectives, material and spatial scope, definitions)
  • Chapter 2 (Articles 5 to 11): Principles and Legality (Principles and Legality of Processing of Personal Data, Conditions of Consent, Processing of Special Categories of Personal Data)
  • Chapter 3 (Articles 12 to 23): Rights of the data subject (transparency and modalities, information obligations and right of access to personal data, rectification and erasure (the "right to be forgotten"), right to object, and automated individual decision-making including profiling)
  • Chapter 4 (Articles 24 to 43): Controller and Processor (General Obligations, Personal Data Security, Data Protection Impact Assessment and Prior Consultation, Data Protection Officer, Code of Conduct and Certification)
  • Chapter 5 (Articles 44 to 50): Transfers of personal data to third countries or to international organizations
  • Chapter 6 (Articles 51 to 59): Independent Supervisory Authorities
  • Chapter 7 (Articles 60 to 76): Cooperation and Consistency, European Data Protection Board
  • Chapter 8 (Articles 77 to 84): Remedies, liability and sanctions
  • Chapter 9 (Articles 85 to 91): Provisions for special processing situations (including processing and freedom of expression and information, data processing in the employment context, public access to official documents, processing for archiving purposes in the public interest, for scientific or historical research purposes and for statistical purposes, and existing data protection rules of churches and religious associations or communities)
  • Chapter 10 (Articles 92 to 93): Delegated and implementing acts
  • Chapter 11 (Articles 94 to 99): Final provisions (including repeal of Directive 95/46/EC and entry into force of the GDPR)

The 99 articles are preceded by 173 recitals, which serve to interpret the articles.

Areas of the new regulation

Many areas of data protection are not newly regulated by the GDPR. In particular, the definition of "personal data" in Art. 4 remains broad:

"Personal data" [means] any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; ...

Furthermore, the processing of personal data remains permitted only on the basis of a legal ground. These grounds are listed in Art. 6:

  • the data subject has given their consent;
  • the processing is necessary for the performance of a contract or for pre-contractual measures;
  • the processing is necessary to comply with a legal obligation;
  • the processing is necessary to protect vital interests;
  • the processing is necessary for the performance of a task carried out in the public interest;
  • the processing is necessary to safeguard the legitimate interests of the controller or of a third party.

In the last case, a balancing against the interests of the data subject is required.

In summary:

"The GDPR does not fundamentally change the conception or, to a large extent, the detailed provisions of the applicable data protection law. Rather, provisions of the EU Data Protection Directive 95/46, which form the basis of the Federal Data Protection Act, are often adopted. On the other hand, there are also numerous new data protection requirements, the fulfillment of which requires careful attention, if only with regard to the immensely increased range of fines."

The GDPR provides new regulations or basic clarifications on the following topics:

Principles of processing personal data

The GDPR explicitly lists the following six principles for the processing of personal data in Art. 5 :

  • Lawfulness, processing in good faith, transparency
  • Purpose limitation (processing only for specified, explicit and legitimate purposes)
  • Data minimization ("adequate, relevant and limited to what is necessary in relation to the purposes")
  • Accuracy ("every reasonable step must be taken to ensure that [inaccurate] personal data are erased or rectified without delay")
  • Storage limitation (data must be "kept in a form which permits identification of data subjects for no longer than is necessary")
  • Integrity and confidentiality ("appropriate security of the personal data [...], including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage")

The controller must be able to demonstrate compliance with all of these principles (accountability). Failure to comply with these principles or with the accountability obligation can result in an administrative fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover (Art. 83(5) lit. a).

These principles represent the programme of the Regulation. They were already contained almost verbatim in the Data Protection Directive (Art. 6 of Directive 95/46/EC) and were to be implemented in national law by 1998. They are more than symbolic repetitions of Art. 16 TFEU and Art. 8 of the Charter of Fundamental Rights (GRCh), or "transmission belts" between those provisions and the Regulation; this is shown in particular by the high level of fines for non-compliance.

Lawfulness, processing in good faith, transparency

The three principles of lawfulness, processing in good faith and transparency are mutually dependent.

The principle of lawfulness can be interpreted broadly or narrowly. The narrow interpretation concerns the permissibility of the processing (the question of "whether"); the broad interpretation also asks the question of "how". The prevailing opinion interprets the provision narrowly, but notes that Recital 40 is not clear in this respect.

It should be noted that the principle of processing in good faith, in particular, must be understood more broadly than is customary in German case law. The other language versions speak, for example, of "fairness" (English, not "good faith"), "loyauté" (French: decency, not "bonne foi"), "correttezza" (Italian: correctness, not "buona fede") and "behoorlijkheid" (Dutch: appropriateness, not "goede trouw").

Transparency is the implementation of the two aforementioned principles. On the one hand, the data processing must be comprehensible in retrospect, step by step; the Federal Constitutional Court had already established this in its 1983 census judgment. The notion of transparency in the Regulation goes beyond this purely retrospective view: it must also be possible, looking ahead, to survey and understand not only the processing operation itself but also its context, and thus for example the reason for the processing and the time of and reason for any transfer to third parties (Recital 39).

Purpose limitation

Purpose limitation, together with the concept of compatible use, contributes to transparency, legal certainty and predictability; the principle aims to protect data subjects by restricting the use of their data by controllers and by strengthening the appropriateness of the processing. Like the other principles of the Regulation, it is based on higher-ranking law. Art. 8 ECHR protects private life and requires a justification for any interference with privacy. On this basis the European Court of Human Rights developed the "expectation of privacy" test. The court gradually extended this protection and this test, including to the protection of personal data, from cases of collection and archiving of personal data by intelligence services to the most recent cases in which, even before the Regulation entered into force, it derived these guarantees from the ECHR and applied them to the workplace and to public spaces. The principle of purpose limitation is correspondingly far-reaching.

For purpose limitation to take effect at all, the purpose must be specified, explicit and legitimate (Art. 5(1) lit. b). Accordingly, the purpose must already be determined at the time of collection (Recital 39); general statements such as "commercial processing" or "banking transactions" are, according to the prevailing opinion, not sufficient. Rather, the purpose must "be expressed so clearly that doubts as to whether and in what sense the controller has determined the purpose are excluded".

Unhindered exchange of personal data in the EU

The exchange of personal data within the EU may no longer be refused on the grounds that data protection is handled differently elsewhere in the EU. Art. 1(3) states:

"For reasons of the protection of natural persons, the free movement of personal data in the Union must neither be restricted nor prohibited when processing personal data."

Scope

Unlike the old version of the German Federal Data Protection Act, the GDPR does not distinguish between the processing of personal data by public and by non-public bodies; the same law applies to all processors. Nevertheless, according to Art. 2, certain types of processing of personal data are not covered by the Regulation. Recitals 16 and 18 explain this in more detail:

"(16) This Regulation does not apply to issues relating to the protection of fundamental rights and freedoms and the free movement of personal data in connection with activities which do not fall within the scope of Union law, such as activities relating to national security."
"(18) This Regulation does not apply to the processing of personal data that is carried out by a natural person in the course of purely personal or household activities and thus without reference to a professional or commercial activity. Personal or household activities could also include correspondence or the holding of addresses, or the use of social networks and online activities as part of such activities. However, this Regulation applies to controllers or processors who provide the means for processing personal data for such personal or household activities."

Marketplace principle

European data protection law also applies to non-European companies insofar as they offer their goods or services on the European market. The GDPR therefore applies not only where the data processing takes place within the territory of the Union or is carried out by a provider established there, but, according to Art. 3 of the Regulation, also where the processing relates to an offer directed at data subjects in the Union. When exactly an offer is "directed at" persons in the Union has not yet been conclusively clarified in data protection law.

Consent Requirements

In principle, the requirements for effective consent have been lowered compared with the old version of the German Federal Data Protection Act: written form is no longer the rule, and according to Recital 32 even an implied declaration of consent is permissible if it is unambiguous. Since, on the other hand, consent must be proven by the processor, written form will remain common. It is still required for special categories of personal data. In practice, consent banners are used, for example.

Limitation of the data processed

The non-binding principle of data economy in the old version of the German Federal Data Protection Act is replaced by the principle of (purpose-related) data minimization.

Transparency

Recital 39 emphasizes the principle of transparency in all data processing for data subjects. Several articles call for appropriate action:

  • According to Art. 15, every data subject has the right of access to all data concerning them.
  • According to Art. 12, the information about this is to be provided in “precise, transparent, understandable and easily accessible form in clear and simple language”.
  • According to Art. 13 and 14, each data subject must be given extensive information in a privacy notice, including the purpose of the processing, the recipients and the controller, the storage period, the rights to rectification, restriction ("blocking") and erasure, and any use of the data for profiling. If the purpose changes, the data subject must be actively informed.
  • According to Art. 16, the data subject has the right to rectification of inaccurate data and, according to Art. 18, a right to restriction ("blocking") of processing if the accuracy of the data or the lawful basis of the processing is disputed.
  • According to Art. 30, each controller and, where applicable, its representative must keep a record of the processing activities under its responsibility.

The effectiveness of all these rights, however, rests on the unspoken premise that data subjects themselves actively keep track of who processes their data and how, and assert their rights. Critics do not consider this realistic.

In addition, according to Recital 13, the GDPR should also bring about transparency and legal certainty for processing companies, "including micro-enterprises as well as small and medium-sized enterprises".

Right to be forgotten

The right to be forgotten, expressly mentioned in the heading of Art. 17, is one of the central rights of the GDPR. On the one hand, it entitles a data subject to request the erasure of all data relating to them once the grounds for storage no longer apply. On the other hand, the processor must itself actively erase the data once there is no longer any reason for storage and processing.

Right to data portability

As a rather market-steering provision, Art. 20 gives the data subject the right to receive the data concerning them that they themselves have provided to the controller in a "structured, commonly used and machine-readable format", also and in particular for the purpose of transmitting them to another controller "without hindrance from the controller".

Sanctions

Far higher fines than before are now possible for the effective enforcement of data protection law. In addition, the data protection supervisory authorities can in future issue enforceable orders and fines not only against private data processors, but also against authorities, if this is provided for in national law.

The level of fines for administrative offences is now set, in certain cases under Art. 83(5), at up to 20 million euros or up to four percent of worldwide annual turnover (for comparison, the old version of the German Federal Data Protection Act provided for fines of up to 300,000 euros).

The member states may also provide for further sanctions. For example, according to Recital 149, provision may be made for the confiscation of profits obtained through infringements of the GDPR.

Privacy by design, privacy by default

According to the principles of data protection through technology design ("privacy by design", "data protection by design") and through data-protection-friendly default settings ("privacy by default", "data protection by default"), the data subject must be able to trust that the basic data protection requirements are met from the first use onward, even if the default settings are never changed. These concepts are among the core elements of the Regulation.

The principle of "privacy by design" takes account of the fact that data protection cannot be guaranteed simply by complying with regulations; the principles of data protection must be integrated into the conceptual design of processing operations before technical planning begins. Three fields of action therefore follow for "data protection through technology design":

  1. The technology of the processing operations, e.g. through software design: what is technically prevented, or is technically impossible, no longer has to be prohibited and monitored;
  2. Business processes, e.g. through "separation of functions": if data is processed only to identify trends and relationships, and the information obtained is not applied directly to the persons concerned, the data should be anonymized as early as possible through technical and organizational measures;
  3. The design of a data-protection-friendly architecture, both physical (e.g. by avoiding personal data on the spines of files) and electronic.

The "privacy by default" principle is a specialization of the "privacy by design" principle. It is based in particular on the "privacy paradox", according to which users state that they are concerned about their data and privacy but behave as if they were not. The reasons for this are the subject of research; laziness, ignorance, or an intuitive, irrational weighing of advantages and disadvantages are assumed. The aim is for controllers to provide systems whose default settings are as privacy-friendly as possible. However, users of a system should expressly not be prevented from voluntarily choosing, on an informed basis, settings that are less privacy-friendly; rather, data subjects should be enabled to monitor the processing of their personal data (Recital 78).

The principles are implemented by means of "appropriate technical and organizational measures" (Art. 25(1)). Technical measures are all protective measures that can be physically implemented in the broadest sense or that are implemented in software and hardware, while organizational measures are protective measures implemented through instructions, procedures and processes. Examples include the physical deletion of data, cryptographic encryption, and internal IT and data protection policies.

Obligation to appoint company and official data protection officers, representatives in the European Union

The GDPR now provides for the appointment of data protection officers throughout Europe, at least for all public bodies and for private companies in which particularly high-risk data processing takes place. This establishes a minimum standard for setting up this function.

Sole traders and small businesses do not need to appoint a data protection officer unless one of the following applies:

  • At least 20 persons are regularly involved in the automated processing of personal data (Section 38(1) sentence 1 of the Federal Data Protection Act).
  • The controller is a public body or authority (Art. 37(1) lit. a GDPR).
  • The core activity includes the extensive processing of special categories of data or of data on criminal convictions (Art. 37(1) lit. c GDPR).
  • A data protection impact assessment must be carried out (Section 38(1) sentence 2 of the Federal Data Protection Act).
  • The core activity consists of the extensive or systematic monitoring of data subjects (Art. 37(1) lit. c GDPR).

The term "extensive processing" and the requirements for a data protection impact assessment are described in more detail in Recital 91, with the result that certain liberal professions such as lawyers and doctors, and also pharmacists (as "members of a health profession"), usually do not have to appoint a data protection officer.

Controllers not established in the European Union to whom the General Data Protection Regulation applies must also appoint a representative in the European Union.

Opening clauses

In many places the GDPR provides for data protection law to be extended or specified in more detail by national law. This is done through so-called "opening clauses", of which the GDPR contains 50 to 60, depending on how they are counted. Some require a legislative act by the member states, but most merely leave room that may be used by national rules. This room for maneuver is generally limited insofar as the harmonization of data protection achieved by the GDPR must not be undermined.

An example of an opening clause can be found in the data protection of employees: Article 88 (1) provides for an opening clause, according to which the member states can provide "more specific provisions to guarantee the rights and freedoms with regard to the processing of personal employee data in the employment context". It is controversial whether this formulation allows a deviation from the level of protection of the general regulations.

Further opening clauses can be found, among others:

  • in Art. 9(2) and (4), laying down special conditions for the processing of special categories of personal data, such as health data or data on sexual orientation;
  • in Art. 10, on permission to process data on criminal convictions and offences;
  • in Art. 28, on the legal basis for processing on behalf of a controller;
  • in Art. 37, on the appointment of data protection officers beyond the requirements set out in that article;
  • in Art. 85, to balance the tension between data protection and freedom of expression (media privilege);
  • in Art. 87, on the regulation of the processing of national identification numbers or other identifiers of general application;
  • in Art. 89, on the regulation of exceptions to the rights of data subjects in the case of processing for scientific, historical, statistical or archiving purposes.

Debate about the GDPR

There were extensive debates in the legislative process from the moment the European Commission presented its draft. The European Parliament in particular took up many of the criticisms voiced in numerous public hearings and incorporated them into the compromise negotiated by Jan Philipp Albrecht as rapporteur. A wide range of positions was also incorporated in the Council of Ministers. In the trilogue negotiations on December 15, 2015, a final text of the Regulation was drawn up from the two templates; it was ultimately adopted almost unanimously by the plenary of the European Parliament and by the interior and justice ministers of the EU member states, and formally entered into force on May 24, 2016. The points of criticism raised from various sides during the more than four years of negotiations are summarized below:

Debate about drafts

Interim drafts stipulated that an internal data protection officer and internal documentation obligations would be mandatory only for companies with more than 250 employees. According to critics, this would have weakened data protection in Germany and Austria. The final version makes the appointment of an internal data protection officer mandatory for authorities and for controllers whose core activity consists of processing operations requiring regular and systematic monitoring or of the extensive processing of sensitive data (Art. 37(1)). The member states are, however, authorized to enact stricter rules (Art. 37(4)). The internal documentation requirements do not apply to companies with fewer than 250 employees, provided that the processing does not pose a risk to data subjects, takes place only occasionally and does not include the processing of sensitive data (Art. 30(5)).

The Professional Association of Data Protection Officers in Germany (BvD) expects that abolishing the internal data protection officer will increase costs through growing bureaucracy: companies would have to set up an internal office for communication with the authorities and expect delays in introducing new software, because the state data protection authorities are not well staffed. In April 2015, 66 independent consumer and data protection organizations asked Jean-Claude Juncker to preserve the "gold standard of European data protection".

The BvD also criticized the lack of clear rules for data transfer from the EU to third countries (e.g. USA) and demanded that company data protection officers be appointed throughout the EU .

On the other hand, the transfer of consumer data to competitors (data portability) will not only affect providers like Facebook, but also apply to smaller companies.

On March 30, 2012, the German Federal Council (Bundesrat) raised a subsidiarity objection to the proposed Regulation. The chamber of the Länder took the view that the proposal was not in line with the subsidiarity principle and therefore infringed Article 5(3) TEU. Under that provision, the European Union may act in areas outside its exclusive competence only if and insofar as the objectives of the proposed measures cannot be sufficiently achieved by the member states but can, by reason of their scale or effects, be better achieved at Union level.

The often vague and unclear wording of the draft was criticized from many quarters. According to these critics, many fundamental provisions were not to be included in the basic Regulation itself but were to be enacted only through separate legal acts of the EU Commission.

In the negotiating resolution of the European Parliament, the points of criticism were largely addressed. However, after a press report in March 2015 revealed that the originally accepted data protection aspects of the Regulation had been substantially watered down by the responsible EU working group, criticism was renewed. In the working group's position paper, for example, the collection of personal data without a specified purpose is permitted, as is the disclosure of such data to third parties.

Criticism of the final regulation text

Even after the General Data Protection Regulation has been passed, fundamental criticism has been leveled, in particular from jurisprudence:

The head of the Institute for Information, Telecommunications and Media Law at the University of Münster, Thomas Hoeren , described the General Data Protection Regulation as “one of the worst laws of the 21st century”.

The head of the department of public law with a focus on technology law at the University of Kassel, Alexander Roßnagel, said that the General Data Protection Regulation ignores "all modern challenges for data protection such as social networks, big data (the flood of data and its control), search engines, cloud computing, ubiquitous computing (the penetration of everyday life and things by computers) and other technical applications". In a study, the German legislator is asked to resolve the confusing mixture of new European rules and German law that continues to apply.

The German Bar Association (DAV) also sees a need for changes to the GDPR, since the national legislature must make use of the opening clauses provided in the Regulation in order to continue to guarantee the professional rights and obligations of lawyers (e.g. independence from state influence, legal professional secrecy, and the lawyer's absolute duty of loyalty to the client). The DAV concludes that there has been a "thinning out of German data protection law".

The DAV's request to the national legislature goes in three directions:

  • No access rights of the data protection supervisory authorities without the express prior consent of the bar association.
  • General and comprehensive permission clause for legal data processing of personal data in the context of mandates.
  • Restriction of the duty to provide information and rights to information.

Lobbying

During the negotiations on the General Data Protection Regulation, MEPs criticized massive lobbying by the US government and US IT companies. Technology companies from the USA feared the negative impact of the Regulation on their European branches and exerted corresponding pressure on the administration of US President Obama. In a speech in Brussels on December 4, 2012, the US ambassador to the EU, William E. Kennard, demanded that central requirements of the Regulation be deleted: the deletion of all of a person's data from company databases on request, and a person's express declaration of consent before their data may be collected at all.

American companies fear a California effect from EU legislation. Similar to the way stricter environmental laws in California gradually raise the minimum standard in the USA, it is expected that the higher standards in the EU would raise the level of data protection for all globally operating companies. While so far only financial and health data are subject to a certain level of data protection in the USA, the collection and merging of all other collected data and their unlimited storage is permitted by private companies. American civil rights organizations, on the other hand, hoped for an increase in data protection standards in the USA and therefore supported the plans in the EU.

The LobbyPlag.eu platform shows that many amendments tabled by members of the EU Parliament were adopted word for word from lobby papers of companies such as Amazon and eBay, of the lobby group "Digitaleurope" (whose members include Apple, Microsoft, Cisco, Intel, IBM, Oracle, Texas Instruments and Dell), or of the US Chamber of Commerce. Among others, the MEPs Malcolm Harbour (ECR), Andreas Schwab (CDU / EPP), Klaus-Heiner Lehne (EPP) and Marielle Gallo (EPP) supported these amendments. The platform also points out verbatim adoptions from documents of data protection organizations such as Bits of Freedom and EDRi by MEPs such as Amelia Andersdotter (PPEU / Pirates) or Eva Lichtenberger (EFA / The Greens).

In the end, over 3,100 amendments to the EU Commission's draft were submitted to the responsible LIBE committee of the EU Parliament. In general, most of the Social Democratic and Green MEPs were in favor of strengthening or clarifying the draft, while most of the conservative and liberal MEPs were in favor of easing the rules for the IT industry.

LobbyPlag drew up a list of those MEPs who, based on the number of amendments they tabled, were most emphatically in favor of less or more data protection. By the beginning of June 2013, Axel Voss (EPP / CDU) was the MEP most involved in softening data protection, while Jan Philipp Albrecht (EFA / The Greens) ranked first when it came to strengthening it. Each had tabled a total of 147 amendments in favor of weakening or strengthening data protection, respectively.

Under pressure from parts of the German economy, which feared being disadvantaged in global competition by the Regulation, representatives of the German Ministry of the Interior also argued that the right to informational self-determination would run counter to harmonized competition.

Procedure

After lengthy negotiations, a draft by the Irish presidency failed in the EU Council of Ministers in June 2013. The representatives of Germany, Great Britain and France, among others, raised numerous concerns. Neither the Council nor Parliament achieved the positioning envisaged before the summer break. On October 21, 2013, the European Parliament's Committee on Home Affairs and Justice adopted, with an overwhelming majority, the negotiating position drawn up by the Green MEP Jan Philipp Albrecht as EP rapporteur; the plenary confirmed it on March 12, 2014.

After crucial parts of the regulation had been changed behind closed doors in the Council in favor of weaker data protection, the justice ministers of the member states were supposed to reach an agreement on the second chapter of the regulation on March 12 and 13, 2015, before the other chapters were negotiated. Only in June 2015 did the EU justice ministers agree on a draft of the General Data Protection Regulation.

The negotiations to reconcile the positions of the Council, the European Parliament and the European Commission (the so-called trilogue) began on June 24. An informal agreement reached between Parliament and Council on December 15, 2015 was adopted by a large majority on December 17 by Parliament's Committee on Home Affairs and Legal Affairs. On April 8, 2016, the EU Council of Ministers approved the present version, and the EU Parliament also adopted the regulation on April 14.

It was published in the Official Journal of the European Union on May 4, 2016, and therefore entered into force on May 24, 2016 in accordance with Article 99(1) GDPR; it applies from May 25, 2018 in accordance with Article 99(2). A corrigendum (i.e. a resolution correcting errors in content), limited to some language versions of the GDPR (DE, ET, IT, HU), was issued on October 27, 2016.

Fear of being weakened by the TiSA agreement

According to Greenpeace, documents from the secret negotiations on the Trade in Services Agreement (TiSA), which were leaked to Greenpeace in November 2016, prove that lobbyists are trying to weaken data protection, alongside net neutrality and banking regulation, and to render the General Data Protection Regulation ineffective. Companies would be able to transfer customer and user data outside of Europe and process it there without being bound to a specific purpose.

Implementation in the Member States

Information in accordance with GDPR on a surveillance camera in public space in Hamburg

Germany

With the EU Data Protection Adaptation and Implementation Act of June 30, 2017, the Federal Data Protection Act was revised, among other things. With the Second Data Protection Adaptation and Implementation Act EU (2nd DSAnpUG-EU), further far-reaching adjustments were passed; among other things, the threshold above which a data protection officer must be appointed was raised from 10 to 20 people who are constantly involved in the processing of personal data.

The responsible authorities are the Federal Commissioner for Data Protection and Freedom of Information, the 16 State Commissioners for Data Protection, and the Bavarian State Office for Data Protection Supervision.

Austria

With the Data Protection Amendment Act 2018, Austria changed the federal law on the protection of natural persons with regard to the processing of personal data (Data Protection Act, DSG) and adapted it to the GDPR. In April 2018, the National Council decided to amend the amendment. Accordingly, the authority should apply the GDPR's catalog of penalties "in such a way that proportionality is preserved". The competent authority in Austria is the Data Protection Authority, based in Vienna; Andrea Jelinek is the head of the authority.

Implementation and worldwide consequences

The implementation of the extensive changes brought by the General Data Protection Regulation is still ongoing, although the GDPR has been in force since May 25, 2018. The EU Commission is also planning an evaluation of the GDPR in 2020 (Art. 97(1) GDPR).

Some large US media publishers, such as the Chicago Tribune or the Los Angeles Times, became known to have partially blocked their websites for many European users. Apparently the fear of being sanctioned for possible data protection violations was too great.

In Austria, the City of Vienna's housing management company, Wiener Wohnen, announced that it would remove around 200,000 name tags from doorbells, fearing a violation of the GDPR. This announcement was withdrawn in November 2018.

In Germany, 41 fines had been issued for data protection violations by the end of 2018, 33 of them in North Rhine-Westphalia alone. The fines are low: in North Rhine-Westphalia they totaled 15,000 euros, whereas in Baden-Württemberg a single fine amounted to 80,000 euros. In addition to the fine proceedings, several higher regional courts in Germany have now also affirmed claims under competition law in the event of GDPR violations (OLG Hamburg; KG Berlin; OLG Naumburg; OLG Stuttgart).

In January 2019, following complaints from the non-governmental organizations La Quadrature du Net from France and NOYB from Austria, the French data protection authority CNIL imposed a fine of 50 million euros on Google LLC for a lack of transparency in its information on the use of the collected data and the storage period, and because the consent Google obtained for displaying personalized advertising was invalid.

Critics lament the delays, absence or avoidance of enforcement under the one-stop-shop system, which requires many important investigations to be carried out by the authorities in Ireland or Luxembourg, as most of the major US technology companies are based in these countries. As part of the "digital sovereignty" propagated by the von der Leyen Commission, European data protection officers intend to improve the enforcement mechanism.

literature

  • Federal Commissioner for Data Protection and Freedom of Information (Ed.): DSGVO - BDSG. Texts and explanations (=  BfDI-Info . No. 1 ). Bonn 2019 (299 pp., Bund.de [PDF; 3.8 MB ; accessed on March 12, 2019]).
  • Jürgen Kühling, Manuel Klar, Florian Sackmann: Data protection law. 4th edition. Heidelberg 2018, ISBN 978-3-8114-4571-0.
  • Jürgen Kühling, Mario Martini and others: The General Data Protection Regulation and national law - first considerations on the need for national regulation. Münster 2016, ISBN 978-3-95645-890-3 .
  • Jan Philipp Albrecht, Florian Jotzo: The EU's new data protection law. Baden-Baden 2016, ISBN 978-3-8487-2804-6 .
  • Alexander Roßnagel: European General Data Protection Regulation - priority of Union law - applicability of national law. Baden-Baden 2016, ISBN 978-3-8487-3074-2 .
  • Stefan Schulz: Copy deadline: the time after the newspaper. Hanser, Munich 2016, ISBN 978-3-446-25070-3 (also on the coming into being of the regulation and the media coverage).
  • Gerald Spyra: The General Data Protection Regulation. Requirements and information - what is true today, what is true tomorrow? TÜV Media, 2016, ISBN 978-3-7406-0106-5 .
  • Gerald Spyra: General Data Protection Regulation and BDSG. Overview, context and explanations for practice. TÜV Media, 2017, ISBN 978-3-7406-0253-6 .
  • Niko Härting: General Data Protection Regulation. The new data protection law in operational practice. 2016, ISBN 978-3-504-42059-8 .
  • Kevin Marschall: Extended information requirements in the GDPR. Changes for the company. In: Data Protection Advisor (DSB). No. 11, 2016, pp. 230–232.
  • Kevin Marschall: Data breaches - “new” reporting obligation under the European GDPR? In: Data protection and data security (DuD). No. 3, 2015, pp. 183-189.
  • Maxi Nebel, Alexander Roßnagel, Philipp Richter: What remains of European data protection law? - Considerations on the Council draft of the GDPR. In: Journal for Data Protection (ZD). No. 10, 2015, pp. 455-460.
  • Kevin Marschall, Pinkas Müller: The data protection officer in the company between BDSG and GDPR. Order, role, tasks and requirements in the focus of European changes. In: Journal for Data Protection (ZD). No. 9, 2016, pp. 415-420.
  • Jürgen Kühling, Mario Martini: The General Data Protection Regulation. Revolution or evolution in data protection law in European and national data protection law? In: European Journal of Business Law. 2016, pp. 448–454.
  • Peter Schantz: The General Data Protection Regulation. Start of a new era in data protection law. In: New legal weekly. 2016, pp. 1841–1847.
  • Thomas Kranig , Andreas Sachs, Markus Gierschmann: Data protection compliance according to the GDPR . Action aid for those responsible including review questions for supervisory authorities. Bundesanzeiger Verlag, Cologne 2017, ISBN 978-3-8462-0760-4 .
  • Stefan Loubichi: EU General Data Protection Regulation. What must be observed by May 25, 2018. In: atw International Journal of Nuclear Power. No. 5, 2018, pp. 289–294, ISSN 1431-5254 (PDF, included in the library of the German Bundestag, vol. 57, no. 6, June 2018).

  96. OLG Hamburg, judgment of 25.10.2018 - 3 U 66/17. Retrieved March 27, 2020 .
  97. KG Berlin judgment of March 21, 2019 - 23 U 268/13. Retrieved March 27, 2020 .
  98. OLG Naumburg, judgment of 07.11.2019 - 9 U 6/19. Retrieved March 27, 2020 .
  99. OLG Stuttgart, judgment of February 27, 2020 - 2 U 257/19. Retrieved March 27, 2020 .
  100. CNIL: Délibération de la formation restreinte n ° SAN - 2019-001 du 21 janvier 2019 prononçant une sanction pécuniaire à l'encontre de la société GOOGLE LLC. In: Légifrance . January 19, 2019, accessed on January 25, 2019 (French, “  [C] omme cela a également été relevé au titre du manquement aux obligations de transparence, l'information fournie n'est pas suffisamment claire et compréhensible en ce qu'il est difficile pour un utilisateur d'avoir une appréhension global des traitements dont il peut faire l'objet et de leur portée.  "(German:" As was also established in connection with the violation of the transparency requirements, the information provided is not sufficiently clear and understandable, so that a user cannot understand what processing is carried out with his data. ")).
  101. CNIL: Délibération de la formation restreinte n ° SAN - 2019-001 du 21 janvier 2019 prononçant une sanction pécuniaire à l'encontre de la société GOOGLE LLC. In: Légifrance . January 19, 2019, accessed on January 25, 2019 (French, “  Elle constate néanmoins que s'agissant de la dernière catégorie [‹ Informations conservées pendant de longues périodes pour des raisons précises. ›], Seules des explications très générales sur la finalité de cette conservation sont fournies et aucune durée précise ni les critères utilisés pour déterminer cette durée ne sont indiqués. Or cette information figure parmi celles devant être obligatoirement délivrées aux personnes en application du a) du ° 2 de l'article 13 du Règlement.  »(German:“ It is stated that in the latter category ['Information that is kept for certain reasons for a longer period of time.'] Only very general explanations of storage purpose are given and no precise duration or the criteria for determining this duration are given However, this information is mandatory information according to Article 13 (2) (a) of the Ordinance. ")).
  102. Simon Rebiger, Ingo Dachwitz: The GDPR is showing its first teeth: 50 million fine imposed on Google. In: netzpolitik.org. January 21, 2019, accessed January 25, 2018 .
  103. European regulator desperate due to insufficient enforcement of the GDPR, accessed on January 9, 2020.
  104. First day for the new European Commission, accessed on January 9, 2020.