Most important principles

Transparency and information obligations, Art 12 f.

The GDPR has increased the requirements for information obligations when Personal Data are collected from the Data Subject. In addition to the known information duties such as identity of the controller, purpose and categories of recipient, there is also an obligation to inform about other aspects, such as

  • Contact data of the controller and its substitution
  • Contact details of the Data Protection Officer
  • Legitimate interests of the controller
  • Intention to transfer to a third country or an international organization (and the related adequacy decision of the Commission)
  • Duration of storage
  • Rights of the Data Subject such as information, deletion, rectification, restriction and right to withdrawal, right to lodge a complaint with a Supervisory Authority
  • The existence of automated decision-making including profiling and at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the Data Subject
Lawfulness of the processing, Art. 5 f.

The processing of Personal Data are only lawful if consent for one or more purposes is given, if the processing is required under a contract (or pre-contractual measures), if there is a legal basis for the processing or if a legitimate interest of the controller or a third party requires the processing, Art. 6 Nr. 1 GDPR. Data processing cannot be based on a legal basis of a third country. The high requirements (voluntariness, comprehensible form, simple language) needs to be observed. Written form is not explicitly required, but the company must keep the documentation of the consent. Therefore, the written consent is advisable. The Data Subject still has the right to revoke his/her consent for the future. This must be as simple as granting consent – a revocation in the “same way” as the consent is given is in principle not to be readout for this purpose. The previously applicable “prohibition of coupling” also applies under the GDPR. The conclusion of a contract or the provision of a service may not be made dependent on the consent of the Data Subject, if the Data Processing for which the Data Subject’s consent is given, is not necessary for the performance of the contract. Regarding the consent of a child special rules are in place, Art. 8 GDPR. The processing of Sensitive Data are generally prohibited, except with the consent of the Data Subject, Art. 9 GDPR.

Consent of a child, Art. 8

One new aspect is the inclusion of a child’s consent requirements. According to the GDPR, this is only lawful if the child has reached the age of 16 or the consent of the parents is given.


The GDPR has introduced the term “profiling”. Profiling” means any automated processing of Personal Data aimed at the use of the data to evaluate, analyze or predict certain personal aspects of a Data Subject. The GDPR gives every Data Subject the right not to be exclusively subject to a decision based on automated processing, if this decision can have legal effects or can significantly affect the Data Subject in a similar way. Therefore, the controller has the obligation to take appropriate measures to ensure the safety of the rights and freedoms of the Data Subject as well as the legitimate interests. The minimum requirement includes the right of a person to intervene, to present his or her point of view and to appeal the decision.

Advertising address and direct marketing, Art 6 para. 1 f.

The GDPR provides a general balance of interests between the legitimate interests of the company and the interests or fundamental rights of the Data Subject (the advertised party). This means, that as a first step, the conflicting interests must be weighed against each other before advertising measures can be carried out. According to the recitals of the GDPR, the processing of Personal Data for the purpose of direct marketing must now be regarded as a legitimate interest of a company.

Further processing, Art. 6

The principle of purpose limitation was also taken into account by the GDPR. The Regulation distinguishes between first processing and further processing. Further processing is therefore only permitted if it is compatible with the original, clear and legitimate purpose for which the data was collected. This is referred to as “compatibility testing” because it is necessary to determine whether the original purpose of the first processing is also compatible with the purpose of the further processing.

Right to erasure, (right to be forgotten), Art. 17

The application of the GDPR does not alter the legal requirement that Personal Data has to be deleted in the case of a loss of purpose if no other legal basis can justify further processing. New is a specific obligation to delete Personal Data of children (up to the age of 16). Furthermore, companies have to comply with new obligations in cases where they have made Personal Data “public”, for example by providing the data to a third party. In consideration of the available technologies and the implementation costs of appropriate measures, companies have to inform other companies that the Data Subject requires the deletion of all stored data like links, copies and replications of the data.

Right to data portability, Art. 20

The GDPR obliges companies to return the data of a Data Subject that has been provided to the company in a structured, common and machine-readable format. At the request of the Data Subject, this data must also be transferred directly to another company, if this is technically feasible. The end of heterogeneous, company-specific file formats of European companies has thus at least been heralded on paper.

Responsibility of the controller, Art. 24

The controller shall take appropriate technical and organizational measures to ensure that Personal Data are processed in accordance with the GDPR. The technical and organizational measures have to be reviewed and, if necessary, updated. In advance the controller has to determine the likelihood and severity of the risks to the personal rights and freedoms of the Data Subjects. He must provide evidence that Personal Data are processed in accordance with the GDPR. The controller shall, prior to the processing, carry out and document a risk assessment on the basis of objective criteria. In context of the assignment the risks of the data processing and the probability of their occurrence must be taken into account. Cause, type, probability of occurrence and severity can be used as criteria. In this context, it should be interesting to see whether these risks or their occurrences are recognised at all (e.g. cyber attack).

Data Protection by design and by default, Art. 25

Companies have the obligation to make Data Protection friendly default settings. They must provide suitable technical and organizational measures both at the time of conception and at the time of the actual Data Processing. According to appropriate default settings, only Personal Data, which is necessary for the processing is processed. This obligation covers both the amount of Personal Data collected and the extent of their processing, their retention period and accessibility.

Processing carried out on the behalf of the controller, Art. 28 (1) and Joint Controllers, Art. 26

Older Data Protection Laws already knew the legal figure of the “Order Data Processing Contract”, but the GDPR stipulates both, a new name and partly different requirements. First, the new name of the contract of Art. 28 GDPR is “processing carried out on the behalf of the controller”. What’s new is the express demand for guarantees on the processors site. Furthermore exists the possibility to conclude a Data Processing Agreement electronically. Besides processing carried out on behalf of the controller, the GDPR stipulates the possibility of, so called, Joint Controllers. Joint Controllers captures the case, that two controllers are responsible for the Data Processing. Both controllers define the purpose and the processing together and lay down their responsibilities. The agreement has to be transparent and needs to provide which controller is responsible for which task. Especially the duty regarding information obligation and how to deal with Data Subjects Rights must be described.

Security of processing, Art. 32

The risk-based approach of the GDPR obliges companies to implement suitable technical and organizational measures to ensure an adequate level of protection appropriate to the potential risk. Besides the state of the art, implementation costs, nature, scope, context and purpose of processing of Personal Data, also the risk of varying likelihood and severity for the rights and of natural persons have to be taken into account. The GDPR explicitly requires the technical use of pseudonymisation and encryption. Provision have to be made for confidentiality, integrity, availability and resilience of the systems. Companies must ensure rapid restoration of access to data in the event of a physical or technical incident, just as they must establish regulatory processes to regularly assess and evaluate the effectiveness of existing technical and organizational measures.

Notification obligations in the event of Data Breaches, Art. 33

The GDPR stipulates what to do in case of a Data Breach. The Data Subject must be notified if his/her Personal Data are infringed and it’s likely to lead to a risk to the rights and freedoms of the Data Subject. The Data Subject shall be informed – without undue delay and in clear and simple language – of the nature of the breach, the name and contact details of the Data Protection Officer or other contact person for further information, a description of the consequences of the breach of Personal Data Protection, a description of the measures taken or proposed to remedy the breach and, where appropriate, to mitigate its possible adverse effects. Moreover, the controller has to notify the responsible Supervisory Authority of the Data Breach within 72 hours after he became aware of the violation.

Data Protection Impact Assessment, Art. 35

The Data Protection Impact Assessment, short DPIA, has to be carried out whenever the envisaged Data Processing operations showed particular risks to the rights and freedoms of the Data Subjects. This obligation applies to all Data Processing operations and to the entire life cycle of Data Processing. This applies in particular to the use of new technologies which, due to the nature, scale, circumstances and purposes of the processing, are likely to present a high risk to the personal rights and freedoms of the Data Subject. A DPIA requires a systematic description of the processing operations envisaged and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the undertaking, an assessment of the necessity and proportionality of the processing operations to the purpose, and an assessment of the risks to the rights and freedoms of Data Subjects.

Tasks and duties of the Data Protection Officer, Art. 37 et seq.

Art. 39 GDPR outlines the scope and duties of the Data Protection Officer. These include, above all:

  • informing and advising controllers, processors and employees
  • monitoring compliance with the GDPR and national regulations
  • raising awareness regarding Data Protection and conducting trainings
  • advice and monitoring in connection with the DPIA
  • cooperation with the Supervisory Authority
  • Acting as a contact point for the Supervisory Authority
  • Risk-oriented performance of tasks
  • Extension of the catalogue of tasks possible by agreement

The Data Protection Officer thus has a broad field of duties. He assumes the role of a mediator, is the contact person for the Supervisory Authority and is responsible for ensuring that the Supervisory Authority receives the necessary documents and information to fulfil its powers of investigation, correction, approval and consultation. In addition, the Data Protection Officer is also the contact person for Data Subjects and is available as a discussion partner within the company. The Data Processing Authority remains responsible for compliance with Data Protection Regulations, the DPO merely works towards compliance and has no other decision-making powers. In order to be able to carry out its tasks to the full extent, the DPO must be involved in accordance with Art. 38 (1) GDPR” is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.” In accordance with Art. 38 para. 3 sentence 3 GDPR, the DPO is not subject to instructions and is directly subordinated to the highest management level.

Certification, Art. 42

Data Protection specific certification procedures as well as Data Protection seals and test marks are of great importance since the GDPR entered into force. They are intended to provide evidence of compliance with the Regulation. Certification by accredited certification bodies or by the competent Supervisory Authority will be granted on the basis of approved criteria.

International Data Transmission, Art. 44 et seq. GDPR

A transfer of Personal Data to a third country or an international organization may take place without special authorization in case the Commission has established that an adequate level of Data Protection exists in the third country. If an adequate level of protection is not available, the known instruments such as Standard Contractual Clauses, Binding Corporate Rules or the consent of the Data Subject have to be used. With regard to Binding Corporate Rules in particular, it is welcomed that the relevant requirements are listed in the GDPR.

Liability and right to compensation, Art. 82

Because of the GDPR the potential liability risk of any company increased. Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor. It will no longer solely be checked whether a damage was actually caused by the alleged Data Processing, but also whether the data processing corresponded to an expected proper Data Processing. Any controller involved in the processing of data are liable for the caused damage. The concerned controller/processor has the possibility to prove that he is not in any way responsible for the caused damage.

Fines and sanctions, Art. 83 et seq.

The GDPR contains drastic innovations especially in this context. Supervisory Authorities are permitted to impose “deterrent” fines. Depending on the seriousness of the infringement, the GDPR’s framework for fines amounts to EUR 10,000,000 or EUR 20,000,000 or, in the case of a company, up to 2 % or 4 % of the total annual worldwide turnover of the preceding financial year, whichever is higher. Besides financial sanctions, some countries also face prison sentences.

Extension of liability to foreign companies, Art. 3

The liability of the GDPR also applies to foreign companies. Even if they do not have a legal entity in a member state of the EU (so-called market location principle). For this extension of liability, it is only necessary that the Data Processing serve to offer goods or services to citizens of the European Union or to observe their behavior, insofar as this behavior takes place in the European Union. In addition to Facebook, Google and Co., every seller of goods and service provider will be liable.