What is the GDPR?
The GDPR (General Data Protection Regulation) is an EU-wide regulation that standardizes the processing of personal data by public bodies and private companies. It serves to protect personal data and to ensure the free movement of data within the EU internal market.
GDPR: when, how and where does it apply?
The GDPR is applicable in all member states of the European Union from May 25, 2018. Individual states may enact legislation to reconcile the right to the protection of personal data with the right to freedom of expression and information. The GDPR has already been applicable to legislation of this kind since it came into force in May 2016. Beyond this, weakening or strengthening national regulations are not permitted, with the exception of certain opening clauses.
GDPR and new BDSG in Germany
In Germany, opening clauses and the revision of national data protection law at federal level are regulated by the new version of the Federal Data Protection Act (BDSG) and the amendment of other laws. The GDPR replaces the EC Data Protection Directive 95/46/EC from 1995 and will be mandatory for all companies that store and process the personal data of natural persons from May 2018. This also includes employee data for payroll accounting and the like. This means that the GDPR has an almost comprehensive scope of application. It also applies to companies that are not based in the EU if they process the data of EU citizens and/or also offer their products to EU customers.
What are the core components of the GDPR?
The GDPR builds on Directive 95/46/EC, but at the same time amends it in many places, in some cases significantly. Some key points of the new EU Data Protection Directive are:
The right to erasure:
Upon request, companies must completely delete the data stored on a data subject if they no longer need it – and in such a way that it cannot be restored. Anonymization is an alternative. In general, data must be automatically deleted as soon as there is no longer a reason to store it. The basis for this is the purpose for which the data was collected. If this purpose no longer exists or has been revoked by the data subject, the reason for storage no longer applies.
The right to data portability:
Data subjects must be provided with their data in a standard, machine-readable format if they so wish. Among other things, this serves the transfer of personal data in the course of a change of employer. Upon request, companies must also initiate and process such data transfers themselves.
The obligation of companies to provide information:
Whether data is collected and processed, which data, and how must be comprehensible to the data subjects at all times. In addition, companies must inform the data subjects of the process each time data is collected; this is the obligation to provide information. It also applies to data received via third parties.
In order to meet the new requirements of the GDPR, clearly structured workflows and processes are necessary, along with complete documentation.
The duty to provide evidence (“accountability”):
It is already clear from the previous points that the GDPR entails far-reaching obligations for companies to provide evidence of compliance. In addition, in some situations it must be checked separately whether the rights of the data subject have been adequately taken into account; a personality assessment is one example.
Employee data protection (and its strengthening):
Here, the German legislator has made use of the opening clause and stipulated that personal employee data may only be used if it is necessary for the assessment of applicants or the employment relationship. In conjunction with the extended rights of the GDPR, this leads to an increase in employee data protection.
Penalties: What will change as a result of the GDPR?
As already mentioned, the GDPR largely corresponds to Directive 95/46/EC. Irrespective of this, there are new data protection regulations that companies should definitely observe, if only because of the drastically increased range of fines. While a fine of up to 300,000 euros is currently possible in individual cases under Section 43 BDSG, the maximum fine under the GDPR is up to 20 million euros or up to 4% of the worldwide annual turnover of the entire group in the previous financial year, whichever is higher. Monitoring and sanctioning of violations is expressly provided for.
Advantages of using an ERP system
In order to be able to meet the new requirements of the GDPR, clearly structured workflows and processes are necessary, along with seamless documentation. The latter is particularly, but not only, crucial with regard to the right to data portability and the obligation to provide information. Data encryption that is always up to date is also essential to prevent unauthorized access to stored data. An ERP system like APplus provides the ideal basis for GDPR compliance right from the start. It helps to meet your requirements and minimize the risk of fines.
Legal notice:
The free and freely accessible content of this website has been created with the greatest possible care. However, we expressly point out that we assume no guarantee or other responsibility for the accuracy, timeliness or completeness of the journalistic guides and information provided on this website.
The content on this website is not intended as legal advice for your company on which you can rely for compliance with the legal regulations on data protection – in particular the GDPR – nor can it replace individual legal advice.
Furthermore, by accessing this free and freely accessible content, no contractual relationship is established between us and you as a user of the website in the absence of a corresponding legally binding intention on our part.