Corporate Governance and the new GDPR (General Data Protection Regulation)

Seminar Paper, 2018

23 Pages, Grade: 2,0



1 Introduction

2 Terminology

3 Fundamentals of the EU GDPR
3.1 Contents of the EU GDPR
3.2 Extended range of sanctions
3.3 Relevance for countries outside the EU

4 Effects of the EU GDPR on German companies
4.1 Crucial differences to the former Bundesdatenschutzgesetz (BDSG)
4.1.1 Increased reporting obligations
4.1.2 Extended rights of objection
4.1.3 Right to be forgotten
4.1.4 Right to Data Transferability
4.1.5 Changes in age restrictions
4.2 Documentation requirements
4.3 Violations to be reported

5 Literature analysis
5.1 Systematic Literature Analysis
5.2 Additional Literature
5.3 Professional Service Firms

6 Conclusion

7 Bibliography

1 Introduction

After nearly five years of intensive work, accompanied by charged political discussions and wide societal echo, the European Union’s (EU) Data Protection Reform has finally become a reality. The new framework consists of a General Data Protection Regulation (GDPR), which replaced the former Data Protection Directive, and a new Directive for the police and criminal justice sector. They came into force in May 2016 and will become applicable law as of May 2018. The reform aims at modernizing and harmonizing data protection across the EU and is an essential element of the broader and particularly ambitious Digital Single Market Strategy that the EU launched in parallel and whose far-reaching consequences will unfold in the years to come.[1]

GDPR likely will take on even greater prominence when seen through the lens of the continued fallout created by Facebook and Cambridge Analytica, which have put the protection of customer data in the public eye like never before.[2]

Just a quick reminder: in 2014, Facebook invited users to learn more about their personality type. For this purpose, Facebook used a questionnaire, "This is Your Digital Life", developed by Dr. Kogan at Cambridge University. By participating in this survey, 270,000 users may have unintentionally - but allowed under Facebook Terms of Use - shared information about themselves via identity, network and likes with their friends on Facebook. Only when the data was passed on to Cambridge Analytica did Kogan violate the guidelines. These prohibit third party developers from passing on or selling collected data. Almost four years after this violation of the directives took place, the case has recently come to public attention by chance.[3]

As this new European Data Protection Regulation will obviously entail many changes for all kinds of companies in the EU and thus Germany, the aim of this seminar paper is to answer the following question: “What measures do German companies have to implement in order to meet the data protection requirements of the new EU GDPR, which has been applicable since May 25th 2018?”

To answer this question, first some important terms that play a role in the regulation are defined (e.g. privacy by design / privacy by default). Then a systematic literature analysis is carried out to identify the most important contents of the GDPR, such as possible penalties for non-compliance. In addition, it will be described how companies outside the EU will be affected by this European legislation.

Next, the crucial differences between the GDPR and the former German Bundesdatenschutzgesetz (BDSG) are examined, together with the documentation measures companies must implement and the infringements that must be reported to supervisory authorities.

Furthermore, the state of sources for this most current topic will be discussed by reviewing the various types of literature (journals, scientific papers, professional service firm literature) used in this seminar paper.

Last but not least, the most important results of this seminar paper are summarised and then, based on these conclusions, four theses are presented and substantiated. Finally, an outlook is given on further regulations that are currently in the EU legislative process and will come into effect in the coming years.

2 Terminology

At the beginning of this seminar paper some important terms in connection with the GDPR are to be explained.

Personally identifiable information

Under GDPR, “personal data” is broadly defined to include a person’s name, address, phone, e-mail, as well as economic, social, cultural, genetic and mental characteristics. Photos, bank details, posts on social networking websites, political opinions, health information, computer IP addresses and more are also considered personal data. Although the focus may appear to be on data that is captured and stored electronically, in the end, it doesn’t matter whether the data is stored electronically on a server or on paper in a filing cabinet. Those holding these types of information now have to obey new, strict rules around transparency and accountability.[4]

Privacy by Design

According to Art. 25 para. 1 GDPR, those responsible are obliged to ensure, already during development and implementation, that data processing systems are as "data-friendly" as possible; accordingly, data protection requirements must be taken into account directly in the specification of new products or functions. This also means ensuring, e.g. when selecting suitable software in the company, that the technology meets the latest data protection standards.[5]

Privacy by Default

The "Privacy by Default" principle stipulated in Art. 25 para. 2 GDPR requires that any default settings for the use of online services or shops be selected in such a way as to work as "data-conservingly" as possible, i.e. only collect such data as is necessary for the respective processing purpose. Accordingly, products and functions must already guarantee a high level of data protection for the customer at the first start-up and thereafter, and if there are different options for data storage or data disclosure, these must be set as restrictively as possible. Only the person concerned can make any changes to the settings if he/she wants to use certain services or functions.[6]

Opening clauses

A special feature of the GDPR is that some of the regulations contain so-called “opening clauses”. Within this framework, the respective member states - but only in these areas - can make their own regulations, which must then also be applied by the companies. Depending on the location of the company's registered office, these regulations may, of course, contain different or separate data protection regulations of the member states, the knowledge and implementation of which are then also necessary. The German legislator has already reacted to the opening clauses with a law (Data Protection Adaptation and Implementation Act EU – Datenschutz-Anpassungs- und Umsetzungsgesetz EU, DSAnpUG-EU), often referred to as BDSG-neu in colloquial language.[7]

3 Fundamentals of the EU GDPR

One difference from the existing law that is evident without a closer look at the legal texts is that the new data protection rules are framed in a regulation, as opposed to the previously used instrument of the directive. While both types of EU legal acts can in principle ensure a high level of harmonization across the member states, a regulation is directly applicable and does not require additional domestic implementation (whereas a directive defines the results to be achieved leaving the choice of the means for achieving them up to the member states). Moreover, regulations immediately become part of a national legal system, have a legal effect independent of national law, and override contrary national laws. Overall, this guarantees a higher level of harmonization and fewer differences across member states—also disciplining certain member states, such as Ireland, for their rather mild enforcement of data protection rules (notably vis-à-vis Facebook).[8]

3.1 Contents of the EU GDPR

The purpose of the GDPR is to protect the personality and fundamental rights of persons whose data are processed. In principle, the GDPR means that persons now have these six important rights in the area of data protection:

1. right to information about which data is stored
2. right to object to the processing of personal data, for example in direct marketing
3. right to be forgotten, i.e. the deletion of one's own data
4. right to data transferability, i.e. transfer of own data to third parties
5. right to a complete and comprehensible data protection declaration
6. right to information within 72 hours in the event of a data breakdown, for example due to hacker attacks.

Both natural and legal persons are covered by the protection area. The term "processing" refers to any handling of personal data - from collection to archiving and destruction.[9]

Perhaps the most hotly discussed change is the introduction of a “right to be forgotten” by virtue of Article 17 GDPR. The latter extends the existing “right of erasure” under Article 12(b) of the Data Protection Directive. In particular, a data subject can now have her personal data erased and no longer processed, where the data is no longer necessary in relation to the purposes for which it was collected; where a data subject has withdrawn her consent or objects to the processing of personal data concerning her; or where the processing of her personal data is otherwise contrary to the Regulation.[10]


[1] Cf. Burri/Schär (2016), p. 479-480.

[2] Cf. Kirk (2018), p. 40.

[3] Cf. Gattiker (2018), p. 3-4.

[4] Cf. Kirk (2018), p. 40.

[5] Cf. Schumm (2018), p. 181.

[6] Cf. Schumm (2018), p. 181.

[7] Cf. Mester (2017), p. 12-13.

[8] Cf. Burri/Schär (2016), p. 489.

[9] Cf. Gattiker (2018), p. 3.

[10] Cf. Burri/Schär (2016), p. 490.

University of Applied Sciences Aalen
Emergent Issues in Governance
Robert Komorowsky (Author), 2018, Corporate Governance and the new GDPR (General Data Protection Regulation), Munich, GRIN Verlag,
