On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany.  The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice.  For each of these provisions, the report discusses the perceived problem and proposes a solution.

The report begins by noting that the GDPR has significantly increased the workload of German Supervisory Authorities over the past year and a half.  This is due not only to an “enormous growth” in the number of complaints and consultation requests received, but also additional work resulting from the GDPR’s cross-border cooperation procedure.  Since the increased workload has not always been met with increased resources, the authorities have found it difficult to effectively supervise compliance.  Controllers are apparently aware of this and, as a result, have neglected their duties to be GDPR compliant.

The report then lists the provisions of the GDPR that the German Supervisory Authorities believe have led to some issues in practice, namely:

  • Article 5(1)(b) (purpose limitation);
  • Article 13 (right of information);
  • Article 15(3) (right to a copy of one’s personal data);
  • Article 24 (data protection by design);
  • Article 33(1) (data breach notification);
  • Article 37(7) (notification of the data protection officer (“DPO”));
  • Article 41 (accreditation);
  • Articles 58(2)(b) (competences of the supervisory authorities); and
  • 97(2)(b) (sanctions).

The report also states that the GDPR lacks appropriate provisions on profiling and direct marketing.

Below, we discuss some of the changes to the GDPR proposed by the German Supervisory Authorities:

  • Article 5(2) (purpose limitation) – The German Supervisory Authorities find it hard to accept that the processing of personal data for a compatible purpose (Art. 6(4)) does not require a separate legal basis. They also claim that the scientific research exception in Art. 5(2)(b) is too broad.
  • Article 13 (right of information) – Transparency requirement can be an annoyance to data subjects, particularly in offline circumstances (g., telephone calls).  The Supervisory Authorities suggest adopting an exception for cases where data subjects expect the data processing to take place, in which case the information should only be provided at the request of the data subject.  In addition, controllers should be exempt from the obligation to provide fair processing information if the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6(1)(b)).
  • Article 25 (data protection by design) – This provision sets out principles that are in fact addressed to producers of hardware and software, which are not actually subject to the GDPR (the companies using the hardware and software are the data controllers). The Supervisory Authorities propose to include a definition of “producer” in the GDPR and to expressly subject such parties to an obligation to develop and design products, services and applications in accordance with the GDPR’s requirements.
  • Article 33(1) (data breach notification) – Companies should not be required to notify data breaches which are likely to be of low risk to the rights and freedoms of the data subjects. The report also suggests inserting a requirement for controllers to notify security incidents (even if not confirmed data breaches) which are likely to present a high risk for the rights and freedoms of the data subjects.
  • Article 37(7) (notification of DPO) – The requirement to notify the contact details of the DPO to the Supervisory Authorities should be deleted considering that the controller must make this information public.
  • In relation to direct marketing, the report points out that the expectations of data subjects appear to vary among different EU Member States. This can lead to different outcomes in the balancing of the legitimate interests of the controller vis-à-vis the interests of the data subjects.  For this reason, EU lawmakers should introduce common criteria on how to balance these interests.
  • With regard to profiling, the report calls for more specific rules and to only allow profiling when a controller has obtained consent from (or has entered into a contract with) the data subject.

The German Supervisory Authorities end the report by calling on the European Commission to consider their suggestions in its forthcoming 2-year review of the GDPR due by May 25, 2020.