The General Data Protection Regulation (GDPR) is an EU regulation designed to regulate and harmonise the storage and processing of personal data. The regulation affects companies, public authorities and website operators within the European Union. The GDPR came into effect in the EU on May 25 2018.
Initial efforts to protect personal data and the privacy of consumers began in the EU in the 1970s. Finally, a common system was established for the first time in 1995 by Directive 95/46/EC. However, implementation was the responsibility of each Member State.
In 2018, a binding regulation for all members of the EU was adopted in the form of the GDPR.
The basic EU data protection regulation applies throughout the EU to all companies based in the European Union. In addition, companies from other countries must also comply with the GDPR if they process data from EU citizens and maintain a branch in an EU country.
According to the GDPR, the following data is classified as personal data. People can be identified by for example assigning different data to a number or location.
According to the GDPR, if violations of data protection are detected by a website operator or online shop, the principle of "one-stop-shop" applies. This means that EU citizens can directly contact the data protection authority in their country, regardless of where data protection has been violated. For companies, the one-stop-shop principle has the advantage that they only have to work with one data protection authority. This is usually the data protection authority in the country in which they have their headquarters.
After the introduction of the GDPR, certain companies are now obliged to appoint a data protection officer (DPO). The data protection officer can be appointed internally or externally.
A data protection officer is obligated in the following cases:
More than nine employees work with the automated processing of personal data, no matter whether the employees are freelancers or permanent employees. For example, a necessity could arise if more than nine employees have access to data from Google Analytics or other web analysis tools. The data processed is particularly sensitive because it allows conclusions to be drawn about ethnicity, political preferences or state of health. The category is defined in Article 9 of the GDPR. This may be the case, for example, if a company offers a fitness app that collects health data and personal data. The main responsibility includes the extensive regular and systematic monitoring of affected persons. This clause particularly affects companies whose core business is the processing of personal data, such as credit agencies or analysts in the field of big data.
Companies can also voluntarily appoint a data protection officer even if not obligated. The data protection officer's task is to ensure that data protection is observed and to maintain the so-called "processing directory". In addition, the DAB serves as a contact for clients who have questions about the storage of their personal data. The data protection officer does not need any special training, but in case of doubt they must be able to prove the necessary expertise.
According to the GDPR, in most cases, companies are obliged to keep a so-called "procedural directory". This is a paper or electronic directory in which the storage of personal data is documented. These include, for example, the purpose of the data processing, categories of persons, or the transfer of data to providers in third countries outside the EU. In addition, the procedural directory contains the deletion periods for the stored data, sorted by data category.
The list is not public, but must be made available at the request of the data protection authorities.
The positive news: theoretically, companies are only obliged to maintain such a directory if, for example, they employ more than 250 people. However, companies are also obliged to create a procedural directory whose data is processed "not just occasionally". All companies that perform daily web analysis must maintain a directory. All online shops and small businesses would therefore be affected by this regulation.
Violations of the GDPR may result in high fines. Fines of up to 20 million euros or up to four percent of the worldwide sales of the previous year can be imposed. The high level of penalties is one of the innovations in data protection implemented by the GDPR. As before, warnings may also be issued in the event of infringements.
Criticism The implementation of the GDPR has led to strong criticism in many places. Because many website operators are unable to assess the consequences of the regulations and fear expensive warnings, they have discontinued their websites. US media companies have also reacted to the GDPR and in some cases discontinued their services in Europe immediately after the regulations came into force.
Another major point of criticism: although the GDPR was actually intended to simplify data protection within the EU, the legislation has caused chaos in some areas due to many unsettled cases. Webmasters, companies and online shops cannot rely on clear procedures and in the worst case risk high penalties. Some critics even forsee the end of the free Internet.
The EU data protection regulation affects all those who work with personal data. This has direct consequences for online marketing. For example, in newsletter marketing, advertisers must increasingly ensure that they have the approval to send the mailings. It is also important to be able to prove exactly how the data can be processed during web analysis.
In principle, all those affected must reckon with a higher expenditure of time and the associated higher costs for their marketing campaigns.