One year EU General Data Protection Regulation - What do the supervisory authorities say and what's next?   

In view of the still prevailing ambiguity regarding the interpretation and implementation of the requirements of the EU General Data Protection Regulation (GDPR), official statements, guidelines and other publications by data protection supervisory authorities and other institutions often represent a valuable aid for companies and public institutions in dealing with personal data.

Our GDPR Navigator offers you a systematic overview with links to publications of data protection authorities and other institutions on data protection issues published since the GDPR became applicable. The search results can be filtered by content (for example by keywords such as “data processing” or “data breach”) and sorted by publisher, which allows you to find the statements of the supervisory authority that is responsible for your company and business.

Whether in view of the operation of Facebook Fanpages, GPS monitoring of company vehicles, video surveillance of employees, hacking attacks or the processing of customer data, the GDPR has already led to decisions at various levels, from German federal data protection authorities to the European Court of Justice. Even if the fines are usually well below the 50 million euros that the French data protection authority has imposed on Google, one thing is clear: the times of “watch and wait” are over. The supervisory authorities are willing to take measures when they become aware of potential violations of the GDPR, against medium-sized companies as well as against global corporate groups.

The GDPR sets out binding rules for the processing of personal data throughout the European Union. For companies, public authorities and other responsible persons, this entails a multitude of new obligations, many of which were not previously laid down in national data protection legislation. Examples include extended information obligations towards data subjects, new notification obligations in the event of data breaches, the obligation to carry out so-called data protection impact assessments and the obligation to keep records of processing activities.

Not only the implementation of specific legal requirements but also the establishment and ongoing development of data protection management systems represent considerable challenges for the companies and public authorities involved. Since this area of law is still developing, many questions regarding the interpretation and implementation of the requirements of the GDPR remain unanswered. Settled case-law and a clear practice of the data protection authorities at national and, even more so, at European level still have to be developed. It should also be noted that the regulatory complexity of data processing will increase in general. On the one hand, there will be adaptations of the German Federal Data Protection Act to the GDPR (draft bill to adapt the German Federal Data Protection Act). On the other hand, at the European level, the Commission will submit its report on the evaluation and review of the GDPR by 25 May 2020. It is to be expected that the report will show a fundamental need for adaptation of the GDPR. At the same time, further negotiations on the draft ePrivacy Regulation are to be expected, which will include specific regulations on the handling of electronic communication data. In addition, the “Regulation on the free movement of non-personal data” will entail further legal changes regarding data processing.

Since many legal issues relating to the processing of personal data have not yet been clarified, official opinions, position papers and guidelines from data protection authorities and other organizations provide important information. Although these documents are only interpretations of the law and therefore not binding on the courts, they are important orientation aids, contribute to legal development and allow controllers to obtain industry-specific information on a variety of data protection issues. In addition, they often reveal specific legal positions taken by the supervisory authorities, knowledge of which has a measurable value for controllers, not least in view of the considerable fines imposed for data protection infringements.

Deloitte has well-founded expertise in the areas of digitalization, cyber security and data protection and supports its clients in successfully realizing complex projects and developing practical solutions in these areas. We pursue a holistic and interdisciplinary approach that is not limited to compliance with regulatory requirements. Together with our experts in the fields of legal, technology and governance, we create long-lasting value for our clients' business practices.

When it comes to data protection and data strategy, our interdisciplinary service platform “Deloitte Center for Data Privacy” offers specific expertise. Together with our clients, we develop solution strategies that offer organizations ways of ensuring compliance with data protection requirements and of optimizing the use of data (enabling).

We look forward to continuing to think ahead on the subject of data protection and to accompanying the changes in practice. 

Systematic overview of data protection issues (in German):