The time has finally come, GDPR is now binding!
After years of negotiations and a two-year transition period, the time has finally come. The General Data Protection Regulation (GDPR) entered into force on May 24, 2016. Today, May 25, 2018, the transition period ends and GDPR is now binding.
Similar to the German Data Protection Act, the main focus of GDPR is on “personal data”. Unlike in the past, the application of GDPR is consistent and homogeneous throughout the European Union, and no longer depends on where the company is based. Bearing this in mind, non-European companies are also subject to GDPR.
Any data breaches have to be disclosed to the supervisory authorities as soon as they occur. Liability has increased significantly under GDPR. In the future, violations will carry penalties of up to €20 million or four percent of worldwide annual turnover. Other key elements of the regulation are the right to be forgotten, the right to data portability and the principles of “Privacy by Design” and “Privacy by Default”.
The aim is to harmonize national data protection laws within the EU. However, the desired harmonization is not fully completed with the General Data Protection Regulation. For example, German providers of electronic information and communication services are today subject to the Telemediengesetz (TMG). Here, too, European standardization is planned. Originally, the new ePrivacy Regulation was supposed to enter into force together with the GDPR, but it is still pending in the European legislative process and is expected to be adopted at the end of 2018 at the earliest.