Adaptation of data protection
Bundestag passes sham relief and devalues data protection and civil rights
In this article you will learn:
- The most important facts about the data protection law adapted by the Bundestag on 26.06.2019
- Why the new rule making the appointment of a data protection officer mandatory only from 20 employees upwards does not ease the burden, but rather increases it
- Which civil rights were cut by the Bundestag
Shortly before the summer break, the Bundestag decided, in a cloak-and-dagger operation, to adapt 154 different laws. The so-called "Second Act for the Adaptation of Data Protection Law to Regulation (EU) 2016/679 and for the Implementation of Directive (EU) 2016/680 (Second Data Protection Adaptation and Implementation Act EU - 2nd DSAnpUG-EU)" makes many far-reaching cuts without any real discussion within the parliamentary groups, and above all without any public discussion.
Data Protection Officer appointment obligation raised to 20 employees
An important adjustment for the data protection industry concerns the obligation to appoint a data protection officer (DPO). In the future, the appointment of an internal or external data protection officer will generally only become mandatory for companies with 20 or more employees.
Many professional and interest associations, such as the Pharmacy Association, as well as relevant media, such as the South German Online, celebrate this change as a relief in data protection.
From the point of view of experienced data protection officers, however, the decision does a disservice to the companies concerned, as the requirements for implementing data protection have not changed in principle despite the modified appointment obligation.
Because in the future, too, the following will still apply:
- To draw up the record of processing activities and, in doing so, to examine all relevant processes in the company for data flows, data types, data categories and lawfulness, and, in the case of high risks, to conduct data protection impact assessments.
- To create a clean contractual situation for data processing with business partners and third-party organisations, such as data processing agreements, joint controllership arrangements, EU standard contractual clauses or binding corporate rules.
- To critically examine data security, to implement the necessary technical and organisational measures and to document this implementation in a sustainable manner.
- To create a deletion concept, ideally compliant with DIN 66399, for all relevant types of data and to implement it in the form of deletion rules in the organisation.
- To ensure the rights of data subjects, such as information duties, disclosure obligations or deletion requests.
If the legislator had really wanted to do something to ease the burden on small organisations, it would have had to take Recital 13 of the GDPR seriously. Sentence 3 there states:
"In order to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation provides for a derogation from the requirement to keep a register of establishments employing fewer than 250 persons".
However, it is not clear how this simplification for micro-enterprises or SMEs could be achieved without curtailing data protection rights derived from the fundamental right to informational self-determination. One possibility would be to standardise data protection requirements as far as possible on an industry-specific basis and thus to work in conformity with the law and effectively from the outset.
Financial relief versus increasing legal uncertainty
Financial aspects seem to have played a major role in the Bundestag's decision, since it is clear that involving an external data protection officer costs money.
However, this is countered by the fact that employees without specialist knowledge, who often have to implement data protection alongside their day-to-day work, are overwhelmed by the subject matter.
An increase in the limit for the obligation to appoint a data protection officer therefore inevitably leads to a reduction in the level of data protection, increases legal uncertainty and thus increases the risk of warnings and fines for companies.
Implementing data protection yourself without professional software or consultants is often the more expensive option
How does the cost of a data protection officer actually compare to do-it-yourself data protection?
The following calculation is realistic for the involvement of an external data protection consultant who uses professional data protection software:
- With software support, an external data protection officer needs only a few hours in a small or medium-sized company to implement the basics of data protection (80-90 %).
- For the remaining 10-20 %, which often consist of specific data protection questions, a project can be set up in the sense of an appointment as data protection officer. Such projects are often even subsidised by the state.
- Using appropriate data protection software, routine tasks and documentation obligations, such as managing data subject requests and data breaches, administering data processing agreements, data deletions and preparing an activity report, are carried out simply and automatically in compliance with the law.
If the data protection is implemented by internally commissioned, non-expert employees, a different picture emerges:
- Getting started with data protection is extremely difficult and time-consuming for laypersons, and often even for lawyers from other legal fields. Users often need several days or weeks.
- Many newcomers to data protection begin with an Internet search, download unvalidated templates or attend one information event after another, without really being able to approach the topic in a goal-oriented way or, in the end, to judge whether the measures taken are in conformity with the law.
It is therefore advisable, despite the changed appointment obligation, to carry out the initial recording and the initial setup of the data protection management system with the help of data protection software or a data protection expert.
Irrespective of the problems described above, it can be assumed that data protection authorities will probably be increasingly inundated with data protection enquiries in the future. The problems will therefore only be shifted, which is hardly in keeping with the authorities' duty to supervise compliance with data protection.
Civil rights were restricted by the Bundestag
Furthermore, in brief, the following important adjustments were made:
- Extension of data retention for the digital radio of authorities and organisations with security tasks (BOS) to 75 days
- Extension of the powers of the Federal Office for Information Security (BSI), by restricting the rights of data subjects
- No significant adjustments in employment data protection that would provide more legal certainty
The conclusion to be drawn from this decision is that the relief in data protection is only apparent. Implementation according to the GDPR remains mandatory; you simply no longer have to appoint an internal expert for it. In the long term, this would have negative consequences for the previously high level of data protection in Germany.
The decision must be approved by the Federal Council (Bundesrat) in order to come into force.