Breakthrough on EU general data protection regulation


On 15 December 2015 negotiating partners from the Commission and the European Parliament, together with the Luxembourg Council Presidency, reached agreement in trilogue on the final version of a future EU general data protection regulation. The final text versions still have to be formally adopted by the European Parliament and the Council during the first quarter of 2016. The new requirements should be applicable from 2018.

BDI and BDA welcome the conclusion of the trilogue negotiations. As a regulation, the reform package will supersede the patchwork of different data protection rules that still exists within the EU and largely harmonise data protection in the EU from 2018. This, together with the application of the principle of lex loci solutionis, is of great advantage for German business.

In addition, the following provisions are particularly important for business: as a general rule, consent of the data subject must be given by a clear affirmative action, but need not be given “expressly”. This means that conclusive consent can be given, for instance in general terms and conditions. However, in the case of particularly sensitive data (e.g. health data), consent must be given “expressly”. This provision – in particular the possibility to give conclusive consent as a general rule – is extremely welcome, since it enables companies to handle statements of consent in a reasonably workable way in day-to-day practice.

In principle, a change in the purpose of data use should be possible. It should thus be possible to process data for purposes other than those originally foreseen if these are “compatible” with the original purpose. For this assessment, the conditions in article 6 paragraph 3 a) in particular have to be taken into account. According to point e), a change of purpose is permissible inter alia if certain security mechanisms such as encryption or pseudonymisation are applied. According to article 76 paragraph 1 of the regulation, collective redress should always be possible insofar as the individuals affected mandate an appropriate association to lodge a complaint on their behalf.

Collective actions for damages by an association should be possible if the individuals affected so mandate and if this is provided for in the law of the Member State. According to article 76 paragraph 2 of the regulation, such a group action can be brought without a mandate only if this is provided for in the law of the Member State.

The level of possible sanctions for infringements of the regulation is now set at a maximum of four percent of worldwide turnover.

It is welcome that no data controller liability without fault is to be introduced and that article 7 enshrines an express linkage ban. This means that the conclusion of a contract cannot be made dependent on consent to processing insofar as the data concerned are not necessary for the execution of the contract.

In article 82 as well as in recital 124 it is now provided that more specific rules for the processing of personal data in the employment context can be agreed in collective agreements. On the initiative of Germany, it is clarified in recital 124 that company-level agreements also fall within the concept of “collective agreements”.

According to article 7 in conjunction with recital 124 on article 82, it is clear that the possibility to give consent in the employment relationship continues to apply. The conditions under which personal data can be processed in the employment context on the basis of the employee’s consent can be established in the Member State’s law or in collective agreements.

Regarding group data protection, it will be specified in recital 38a that a justified interest can exist in transferring personal data within a corporate group or institution to a central point for internal administrative purposes, including the processing of personal data of customers and employees.

Article 82 provides that Member States can enact more specific provisions for the protection of employee data. As a result, requirements for the protection of employee data will not be uniform across the EU, although BDA had pushed for wide-ranging harmonisation, including of employee data protection.

BDI and BDA will also continue to actively accompany the process of transposing and implementing the general data protection regulation in the Member States.