Back to overview

GDPR: General Data Protection Regulation

The GDPR sets a new legal framework for data protection in the EU

Just another law on privacy?

The European General Data Protection Regulation (GDPR) published in May 2016, replaces the previous “Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data” by the European Community. Unlike the previous directive, it is a regulation which, due to its direct legal effect, does not have to be implemented by a patchwork of national laws in the member states.


Citizens should now be entitled to a uniform level of protection of their personal data throughout the EU. This means that the movement of goods is less disturbed and the average level of protection is raised in general.

As of May 25th 2018, the GDPR is directly applicable and national laws should only develop on it in minor details. On February 1st 2017, the German federal government adopted a draft law for such an amendment (DSAnpUG-EU). The resulting new Federal Data Protection Act (“Bundesdatenschutzgesetz”, i.e. BDSG-neu), however, can be criticized as beeing too long with 85 paragraphs and conflicting with European law (repetition of GDPR and reduction of data protection in some areas). It remains exciting to see whether this adaptation act will be adopted by the Bundestag and Bundesrat on March 8th 2017, or whether more changes are will be made.

Facts: That is new about it

The basic concept of data protection of the previous directive remains intact. The GDPR pursues the informational self-determination and, hence, extends the rights of affected natural persons by the following items:

  • In the case of a leak of protected data, affected persons and supervisory authorities must be notified within 3 days (if the data has not been encrypted or pseudonymized)
  • More stringent requirements for legal approvals by the data subjects (double opt-in)
  • Extended right of access. For example, data processors must be able to specify all the parties involved as well as a particular data protection officer, for each act of data processing.
  • Right to data portability (for transferability in case a service provider is to be replaced)
  • Right to be forgotten (data erasure)


According to the location-of-business principle all companies which process data of EU citizens are affected by the GDPR. This even applies to companies that do not have a branch in the EU. A great deal of work is to be done here, especially in case of companies operating from outside of the EU territory, because the scope has been extended considerably.

For EU-based companies, the provision of services and products across the EU will be somewhat easier, because ideally, many national implementation laws based on the old data-protection directive will no longer be applicable, and in fact only the GDPR will have to be observed.

For companies that have to comply with the GDPR, the fine for violations can be considerable: Up to 20 million euros or four percent of global (!) annual turnover (whichever is the higher) are possible verdicts per individual violation!

In times of Big Data and IoT, the collected and processed data volumes are growing everywhere. Finally the closed company boundary has become a concept of the past. Both factors make the protection of these large amounts of data less than trivial.

What companies should do next

Corporations have just a bit more than a year to check their activities for compliance with the GDPR and establish a compliance plan. The regulation itself recommends “data protection by design” and data “protection by default”.

Since, for example, the notification requirement in case of a data leak only applies to unencrypted data, it is advisable to use encryption wherever possible. Disk and database encryption should become standard. In addition, format-preserving encryption provides an additional option of introducing end-to-end encryption without necessarily having to make changes to existing intermediary systems.


More Links:

Impact of the GDPR on HR and Recruiting:

The impact of GDPR on HR & Recruitment

Image: ©iT-CUBE SYSTEMS AG 2017

Leave a Reply

Wir nehmen Datenschutz ernst! Deshalb informieren wir Sie, was mit Ihren Daten geschieht:

  • Daten aus Formularen und Webseiten-Tracking können von uns zur Analyse gespeichert werden
  • Die Daten können zur Optimierung der Webseite ausgewertet werden. Das ermöglicht es uns, besser zu verstehen, wo das Interesse unserer Besucher liegt. Wir benutzen primär Hubspot für dieses Tracking (mehr dazu finden Sie in der Erklärung auf unserer Datenschutzseite, siehe unten)
  • Wir geben Ihre Daten nicht an Dritte weiter. Im Rahmen von Veranstaltungen, an denen Sie teilnehmen möchten, kann es nötig sein, dass Ihre Daten an Vertragspartner übermittelt werden.
  • Sie haben jederzeit ein Recht auf die Herausgabe, Berichtigung oder Löschung persönlicher Daten.
  • Sie können Ihre Einwilligung, mit uns in Kontakt zu treten, jederzeit mit sofortiger Wirkung widerrufen.

Weitere Details dazu, was wir mit den Daten tun und nicht tun finden Sie auf unserer Datenschutzseite, oder schreiben Sie mich bei Fragen direkt an!

Felix Möckel
Data Protection Officer