The EU General Data Protection Regulation (GDPR) became effective on 24 May 2016. After a transitional period of two years, it becomes enforceable from 25 May 2018 for all companies marketing products to individuals within the European Union (EU) – even if organizations reside outside the EU. We summarize the most important regulations for you.
Data protection in the EU has been a patchwork made up of a wide range of different regulations which differed from country to country. The goal of the GDPR is to harmonize the processing of personal data by organizations and thus create equal opportunities for competition within the EU.
The GDPR also applies to organizations outside the EU (lex loci solutionis) as long as their data processing affects people living in the EU. Hence the new regulation also affects American companies like Google and Facebook. Avoiding the new regulations by relocating data processing abroad is therefore not an option since the GDPR also applies to servers outside the EU.
The creation of equal opportunities among companies operating in the EU is the main advantage of the new regulation for marketers. However, it must also be mentioned that the GDPR does not level out all national differences: the regulation contains opening clauses, which allow specific aspects of data protection to be settled separately by individual countries. The GDPR is thus both regulation and directive.
GDPR: The most important changes
There are more opportunities for companies to process personal data, especially with regard to marketing in Germany. Under the GDPR, data processing requires a lawful basis. Such a basis exists if the person concerned has directly consented to the processing, if the processing is necessary for the fulfillment of a contract or a legal obligation, or if there is a legitimate interest in the processing. In concrete terms, this means that publicly available data may be used for marketing purposes when acquiring new customers, which was not permitted under previous German data protection law. A legitimate interest, however, presupposes that the data collection is necessary for the planned marketing activities and that it does not conflict with the legitimate interests of the data subjects. In principle, therefore, data may not be collected and processed arbitrarily; they must be tied to a specific purpose.
This leads to an important aspect of the GDPR: purpose limitation. Data may only be processed for the purpose for which they were originally collected. An email request regarding an offer therefore does not give the right to use that email address for other marketing purposes such as newsletters.
Many of the regulations introduced by the GDPR strengthen the rights of people living in the EU. Two central elements are the right of access and the right to erasure, also called the "right to be forgotten". Data subjects may request a copy of the company's data sets concerning them, which must be provided in a standard file format on request. If there is no legal reason for further processing of the data, the data must be deleted at the request of the data subject. This also applies to data that has been made public. In addition, companies must inform data subjects about the following:
- Purpose and legal basis of data processing
- Recipients of data transfer (if transmitted to third parties)
- Storage period
- Information on rights to access, rectification, erasure, restriction of processing, data portability and to object
- Data source (if data were not collected directly from the data subject)
- Indication of whether the data subject is legally or contractually obliged to provide data
- Information about whether the data is used for profiling
The GDPR also entails new documentation and reporting requirements. Organizational and technical measures for data security must be taken and documented accordingly. If there are data leaks, they must be reported to the supervisory authority and the data subjects within 72 hours.
Overall, the GDPR gives companies both new rights and new obligations, which must be implemented by May 2018. Organizations that fail to comply with the new regulations face penalties of up to four percent of their annual turnover.
A more detailed guide to the GDPR can be found in our free white paper on the topic.
Our service: We are happy to advise you about the GDPR and support you in the implementation of the technical prerequisites. Get in touch!