On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany.  The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice.  For each of these provisions, the report discusses the perceived problem and proposes a solution.

The report begins by noting that the GDPR has significantly increased the workload of German Supervisory Authorities over the past year and a half.  This is due not only to an “enormous growth” in the number of complaints and consultation requests received, but also to the additional work resulting from the GDPR’s cross-border cooperation procedure.  Since the increased workload has not always been met with increased resources, the authorities have found it difficult to effectively supervise compliance.  Controllers are apparently aware of this and, as a result, have neglected their duties to be GDPR compliant.

The report then lists the provisions of the GDPR that the German Supervisory Authorities believe have led to some issues in practice, namely:

  • Article 5(1)(b) (purpose limitation);
  • Article 13 (right of information);
  • Article 15(3) (right to a copy of one’s personal data);
  • Article 24 (data protection by design);
  • Article 33(1) (data breach notification);
  • Article 37(7) (notification of the data protection officer (“DPO”));
  • Article 41 (accreditation);
  • Articles 58(2)(b) (competences of the supervisory authorities); and
  • 97(2)(b) (sanctions).

The report also states that the GDPR lacks appropriate provisions on profiling and direct marketing.

Below, we discuss some of the changes to the GDPR proposed by the German Supervisory Authorities:

  • Article 5(2) (purpose limitation) – The German Supervisory Authorities find it hard to accept that the processing of personal data for a compatible purpose (Art. 6(4)) does not require a separate legal basis. They also claim that the scientific research exception in Art. 5(2)(b) is too broad.
  • Article 13 (right of information) – The transparency requirements can be an annoyance to data subjects, particularly in offline circumstances (e.g., telephone calls).  The Supervisory Authorities suggest adopting an exception for cases where data subjects expect the data processing to take place, in which case the information should only be provided at the request of the data subject.  In addition, controllers should be exempt from the obligation to provide fair processing information if the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6(1)(b)).
  • Article 25 (data protection by design) – This provision sets out principles that are in fact addressed to producers of hardware and software, which are not actually subject to the GDPR (the companies using the hardware and software are the data controllers). The Supervisory Authorities propose to include a definition of “producer” in the GDPR and to expressly subject such parties to an obligation to develop and design products, services and applications in accordance with the GDPR’s requirements.
  • Article 33(1) (data breach notification) – Companies should not be required to notify data breaches which are likely to be of low risk to the rights and freedoms of the data subjects. The report also suggests inserting a requirement for controllers to notify security incidents (even if not confirmed data breaches) which are likely to present a high risk for the rights and freedoms of the data subjects.
  • Article 37(7) (notification of DPO) – The requirement to notify the contact details of the DPO to the Supervisory Authorities should be deleted considering that the controller must make this information public.
  • In relation to direct marketing, the report points out that the expectations of data subjects appear to vary among different EU Member States. This can lead to different outcomes in the balancing of the legitimate interests of the controller vis-à-vis the interests of the data subjects.  For this reason, EU lawmakers should introduce common criteria on how to balance these interests.
  • With regard to profiling, the report calls for more specific rules and for profiling to be allowed only when a controller has obtained consent from (or has entered into a contract with) the data subject.

The German Supervisory Authorities end the report by calling on the European Commission to consider their suggestions in its forthcoming 2-year review of the GDPR due by May 25, 2020.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.