After nearly five years of intensive work, accompanied with charged political discussions and wide societal echo, the European Union’s (EU) Data Protection Reform has finally become a reality. The new framework consists of a General Data Protection Regulation (GDPR), which replaced the former Data Protection Directive, and a new Directive for the police and criminal justice sector. They came into force in May 2016 and became applicable law in May 2018. The reform aims at modernizing and har-monizing data protection across the EU and is an essential element of the broader and particularly ambitious Digital Single Market Strategy that the EU launched in parallel and whose far-reaching consequences will unfold in the years to come.
As this new European Data Protection Regulation will obviously entail many changes for all kinds of companies in the EU and thus Germany, the aim of this seminar paper is to answer the following question: “What measures do German companies have to implement in order to meet the data protection requirements of the new EU GDPR, which is applicable since May 25th 2018?”
To answer this question, first some important terms that play a role in the regulation are defined (e.g. privacy by design / privacy by default). Then a systematic literature analysis is carried out to identify the most important contents of the GDPR, such as possible penalties for non-compliance. In addition, it will be described how companies outside the EU will be affect-ed by this European legislation.
Next, it will be examined which are the crucial differences of the GDPR compared to the former German Bundesdatenschutzgesetz (BDSG), which documentary measures companies must implement as well as which infringements must be reported to supervisory authorities.
Furthermore, the state of sources for this most current topic will be discussed by reviewing the various types of literature (journals, scientific papers, professional service firm literature) used in this seminar paper.
Last but not least, the most important results of this seminar paper are summarised and then, based on these conclusions, four theses are presented and substantiated. Finally an outlook is given on further regulations that are currently in the EU legislative process and will come into effect in the coming years.
Table of Contents
1 INTRODUCTION
2 TERMINOLOGY
3 FUNDAMENTALS OF THE EU GDPR
3.1 CONTENTS OF THE EU GDPR
3.2 EXTENDED RANGE OF SANCTIONS
3.3 RELEVANCE FOR COUNTRIES OUTSIDE THE EU
4 EFFECTS OF THE EU GDPR ON GERMAN COMPANIES
4.1 CRUCIAL DIFFERENCES TO THE FORMER BUNDESDATENSCHUTZGESETZ (BDSG)
4.1.1 Increased reporting obligations
4.1.2 Extended rights of objection
4.1.3 Right to be forgotten
4.1.4 Right to Data Transferability
4.1.5 Changes in age restrictions
4.2 DOCUMENTATION REQUIREMENTS
4.3 VIOLATIONS TO BE REPORTED
5 LITERATURE ANALYSIS
5.1 SYSTEMATIC LITERATURE ANALYSIS
5.2 ADDITIONAL LITERATURE
5.3 PROFESSIONAL SERVICE FIRMS
6 CONCLUSION
Research Objectives & Key Themes
The primary objective of this seminar paper is to analyze the implications of the new EU General Data Protection Regulation (GDPR) for German companies. It seeks to answer the central research question regarding the specific measures that German organizations must implement to ensure compliance with the regulatory requirements effective since May 25th, 2018.
- Fundamental terminology and definitions under the GDPR.
- Key differences between the new GDPR and the former German BDSG.
- Documentation and reporting requirements for businesses.
- Organizational challenges and the impact of increased sanction risks.
- Assessment of the readiness of German firms in a changing regulatory landscape.
Excerpt from the Book
3.1 Contents of the EU GDPR
The purpose of the GDPR is to protect the personality and fundamental rights of persons whose data are processed. In principle, the GDPR means that persons now have these six important rights in the area of data protection:
1. right to information about which data is stored
2. right to object to the processing of personal data, for example in direct marketing
3. right to be forgotten, i.e. the deletion of one's own data
4. right to data transferability, i.e. transfer of own data to third parties
5. right to a complete and comprehensible data protection declaration
6. right to information within 72 hours in the event of a data breakdown, for example due to hacker attacks.
Both natural and legal persons are covered by the protection area. The term "processing" refers to any handling of personal data - from collection to archiving and destruction. Perhaps the most hotly discussed change is the introduction of a “right to be forgotten” by virtue of Article 17 GDPR.
Chapter Summaries
1 INTRODUCTION: Outlines the emergence of the GDPR, its connection to modern data scandals, and the core research question regarding compliance for German companies.
2 TERMINOLOGY: Defines essential concepts such as personally identifiable information, privacy by design, and privacy by default to set a foundation for the regulatory discussion.
3 FUNDAMENTALS OF THE EU GDPR: Examines the regulatory shift from directives to regulations, specific rights granted to data subjects, and the scope of sanctions.
4 EFFECTS OF THE EU GDPR ON GERMAN COMPANIES: Details the practical shifts from the former BDSG, covering reporting, documentation, and violation notification procedures.
5 LITERATURE ANALYSIS: Documents the systematic research process used to identify relevant professional and academic sources concerning the impact of the GDPR.
6 CONCLUSION: Summarizes the increased burden on businesses, the impact on SMEs, and presents four central theses regarding the future of data protection in the EU.
Keywords
GDPR, General Data Protection Regulation, EU, Data Privacy, Compliance, BDSG, Data Protection Officer, Reporting Obligations, Right to be forgotten, Data Transferability, Documentation Requirements, Sanctions, Risk Management, Data Breach, European Law
Frequently Asked Questions
What is the primary focus of this seminar paper?
The paper focuses on the implications of the EU General Data Protection Regulation (GDPR) specifically for German companies and the measures they must adopt to ensure compliance.
What are the central themes discussed in the work?
Central themes include the fundamental changes in data rights, documentation requirements, increased potential sanctions, and the operational challenges faced by companies post-May 2018.
What is the core research question?
The research question asks: "What measures do German companies have to implement in order to meet the data protection requirements of the new EU GDPR, which is applicable since May 25th 2018?"
Which scientific methodology was applied?
The author conducted a systematic literature analysis using databases like Business Source Premier, EconBiz, JSTOR, and WISO to identify and synthesize relevant consulting and academic literature.
What is covered in the main body of the text?
The main body covers terminology, the fundamental pillars of the GDPR, specific regulatory differences compared to the German BDSG, documentation duties, and reportable violations.
Which keywords define this paper?
Key terms include GDPR, compliance, data protection, BDSG, documentation requirements, data breach, and corporate governance.
What is the significance of the "one-stop-shop mechanism" described in the paper?
It allows companies operating in multiple EU member states to deal with a single supervisory authority at their registered office rather than individual authorities in every country.
How does the GDPR affect small and medium-sized enterprises (SMEs) compared to large corporations?
The paper notes that SMEs face disproportionately higher bureaucratic and consulting costs, whereas large corporations have more resources to absorb the compliance impact.
What is the "right to be forgotten" as defined in this context?
It is an expanded right under Article 17 GDPR, allowing data subjects to demand the deletion of their personal data under specific conditions, such as the withdrawal of consent.
- Citation du texte
- Robert Komorowsky (Auteur), 2018, Corporate Governance and the new GDPR (General Data Protection Regulation), Munich, GRIN Verlag, https://www.grin.com/document/437828
