GDPR - Orientation Guidelines
The new EU General Data Protection Regulation (GDPR) will apply directly in all EU/EEA Member States as of 25 May 2018. By this effective date at the latest, enterprises, associations and other bodies will have to implement the new statutory data protection standards if they are to avoid fines, damage claims or other disadvantages. In view of what are, in some cases, quite significant amendments to the GDPR, the period of less than 16 months remaining for its implementation (involving, inter alia, enterprise-specific (project) planning, inventory, actual/target situation analysis and the implementation of new or the adjustment of existing data protection structures and processes) is extremely tight. Many legal questions connected with the new provisions have not been (conclusively) clarified to date and, in particular, how the data protection authorities are likely to interpret these issues remains open in many cases.
The Article 29 Data Protection Working Party has drafted a number of guidelines (on the topics of data portability, data protection officers, and the lead supervisory authorities for groups of companies (One-Stop-Shop)). It is to be expected that new working papers will be published.
Against this background, the Bavarian Data Protection Authority [Bayerisches Landesamt für Datenschutzaufsicht, BayLDA] is also currently publishing on its website a series of short papers on individual provisions and topics of the GDPR. The aim is to present the current, albeit not legally binding, opinions of the BayLDA on the GDPR.
To date, short papers have been published on topics such as the (technical and organisational) security of data processing (Art. 32 GDPR), consent (Art. 7 et seq. GDPR), commissioned (data) processing (Art. 28 GDPR) and cross-border data transfers into third countries (Art. 44 et seq. GDPR), as well as on revisions of the GDPR such as certification (Art. 42 GDPR) and the right to erasure, or “right to be forgotten” (Art. 17 GDPR). Further short papers are to be published once or twice a month, each addressing a further focal point of the GDPR.