Implementation of GDPR and control mechanisms of data protection institutions in Germany


Regulation (EU) 2016/679
Implementation of GDPR and control mechanisms of data protection institutions in Germany
Mr. Bernhard Bannasch, Deputy Saxon Data Protection Commissioner, Head of Division
[Photo: employees of the Saxon Data Protection Commissioner accessing the premises of a controller in 2016]

Implementation of GDPR in Germany

Federal State: 1 Federation, 16 States (f. i. Saxony, capital Dresden, 4,14 million inhabitants (LV 1,9 million), population density 227/km² (LV 30/km²))
1 federal data protection commissioner, 17 state commissioners (2 in Bavaria)
Always two levels, federal and state, with different competencies

GDPR = Regulation: generally and directly applicable in each MS (Article 288(2) TFEU), in force as of today, 00.00 h
Aim: full harmonisation of data protection in the EU
- MS did not always adhere to Directive 95/46/EC, cf. ECJ C-468/10 (ASNEF); C-469/10 (FECEMD).
- Since 1995 many changes occurred in economic life, in particular with regard to economic activities in the www ("e-commerce").
- Implementation took place in some MS only in an unsatisfactory manner, cf. Ireland, where the DPA was never able to assert itself against Facebook Ltd.
- No consistent level of data protection within the EU; furthermore, differences which hindered the free flow of data in the single market (cf. Recital 13 of GDPR): a fragmented data protection landscape.
From today, MS legislation has only a complementary function: it fills in the regulatory choices allowed for MS in respect of those issues where full harmonisation was not intended.

GDPR = Regulation: generally and directly applicable in each MS (Article 288(2) TFEU), in force as of today, 00.00 h
Numerous opening clauses, to be filled in by MS legislation, i. a.:
- Article 6(2), (3) with regard to the public sector (Article 6(1)(c) and (e)): factually, national legislation = gateway to national data processing provisions in the public sector.
- Furthermore, Chapter IX (Articles 85-91), "Provisions relating to specific processing situations" = left to the national legislator, f. i. press legislation, freedom of information, national identification number, processing in the context of employment, archive legislation, scientific and historical research purposes or statistical purposes, churches and religious associations.

GDPR = Regulation: generally and directly applicable in each MS (Article 288(2) TFEU), in force as of today, 00.00 h
- The concept of current data protection legislation stays essentially the same: the GDPR builds upon Directive 95/46/EC.
- On the other hand, there are many new provisions which must be respected and taken into account, in particular the enormous extension of administrative fines (Article 83 of GDPR), which concerns companies.
- Overall, the GDPR (and Directive 2016/680) are influenced by German data protection philosophy; the main protagonists were German (f. i. members of the data protection division in the Commission, and the rapporteur for the GDPR in the European Parliament, Mr. Jan Philipp Albrecht MEP).
- It remains to be seen to what extent the GDPR will factually be able to regulate the www, big data, privacy by default or by design, or data transfers into (unsafe) third countries.
- The GDPR is, in my opinion, a remarkable piece of legislation, a huge progress.

Adaptation to GDPR in Germany: review of the whole legislation
On the federal level:
- Contact group founded in early 2016, Berlin, representatives of each Federal Ministry
- Lead role with the Federal Ministry of the Interior, which drafted the Federal (omnibus) Act on Adaptation to the GDPR and Implementation of Directive 2016/680
On the state level (Saxony):
- Interministerial working group founded in mid-2016, Dresden, representatives of each State Ministry
- GDPR: lead role with the Saxon Ministry of the Interior, which drafted the Saxon (omnibus) Act on Adaptation to the GDPR
- JHA Directive: lead role with the Saxon Ministry of Justice, which is currently still drafting a Saxon Law to implement Directive (EU) 2016/680 (police, including police measures to avert dangers; prisons and similar institutions)

Let's have a closer look at the federal level:
(Omnibus) Law on the Adaptation of Data Protection Legislation to Regulation (EU) 2016/679 and on Implementation of Directive 2016/680 of 30 June 2017, came into force as of today, 00.00 h
Only general data protection legislation (a Second Law on Implementation, pertaining to the specific federal data protection legislation, f. i. social welfare legislation, registration legislation etc., is in preparation)
Article 1: Federal Data Protection Law = general adaptation act
  Part 1: Common provisions
  Part 2: GDPR implementing provisions
  Part 3: Provisions on data processing with regard to the JHA Directive
  Part 4: Special provisions for processing outside GDPR and JHA Directive
Article 2: Amendments to the Federal Law on Protection of the Constitution
Article 3: Amendments to the Law on the Military Counterintelligence Service
Article 4: Amendments to the Law on the Federal Intelligence Service
Article 5: Amendments to the Security Screening Act
Article 6: Amendments to the Law on Telecommunication Surveillance
Article 7: Amendments to the Federal Data Protection Law
Article 8: Coming into force

Let's have a closer look at the federal level, Article 1 (Federal Data Protection Law):
Part 1: Common provisions
- Scope, definitions
- Processing by public institutions, video surveillance
- Appointment, status and tasks of data protection officers
- The Federal Data Protection and Freedom of Information Commissioner
- Representation in the European Data Protection Board, cooperation of Federation and states with regard to the EU
- Judicial remedies
Part 2: Provisions implementing Regulation (EU) 2016/679
- Processing of specific categories of personal data and processing for other purposes
- Processing relating to specific processing situations
- Rights of the data subject
- Duties of the controller and processor
- Supervisory authorities for non-public institutions
- Sanctions
- Judicial remedies

Let's have a closer look at the federal level (continued):
Part 3: Provisions on data processing with regard to Directive 2016/680
- Scope, definitions and general principles for the processing of personal data
- Legal bases for processing personal data
- Rights of the data subject
- Duties of the controller and processor
- Data transfer to third countries and international organisations
- Cooperation of supervisory authorities
- Liability and sanctions
Part 4: Special provisions for processing outside GDPR and Directive 2016/680
- Processing personal data in the framework of activities outside GDPR and Directive 2016/680

Result, concerning private companies and much of the public sector (layers of applicable law):
- GDPR
- Specific provisions according to Article 6(2) GDPR (public sector), f. i. the Tax Code
- Federal Data Protection Act (Chapters 1 and 2)
- Specific processing situations, Articles 85 ff. of GDPR, f. i. the Law regulating Art and Copyright Questions

Result, concerning police, prosecution offices' and prison legislation:
- JHA Directive
- Federal Data Protection Act, Chapters 1 and 3 = general provisions, as far as not regulated in specific acts

Result, concerning the area outside GDPR and JHA Directive (f. i. intelligence services):
- GDPR
- Federal Data Protection Act, Chapters 1 and 4; Articles 3-7 of the Adaptation Act

Let's have a closer look at the state level (Saxony):
(Omnibus) Law on Adaptation of State Legislation to the GDPR of 26 April 2018, came into force as of today, 00.00 h
Both general as well as specific data protection legislation (all in one)
Article 1: Saxon Data Protection Implementation Act
  - Purpose, scope
  - Principles of data processing
  - Rights of the data subject
  - Specific data processing situations
  - The Saxon Data Protection Commissioner
  - Final provisions (administrative offences, transitional arrangements)
Article 2: Amendments to the Law on Subsidies' Data Bases
Article 3: Amendments to the Law on the Saxon Reconstruction Bank
Article 4: Amendments to the Saxon Law on Private Media
Article 5: Amendments to the Saxon Press Act
Article 6: Amendments to the Saxon Law on Foundations
Article 7: Amendments to the Saxon Stasi Commissioner Act
Article 8: Amendments to the Saxon Law on Referendums
Article 9: Amendments to the Saxon e-government Act

Let's have a closer look at the state level (Saxony), continued:
Article 10: Amendments to the Saxon e-government Implementing Regulation
Article 11: Amendments to the Saxon Civil Servants Act
Article 12: Amendments to Saxon Disciplinary Law
Article 13: Amendments to the Saxon Remuneration Act
Article 14: Amendments to the Law on Public Health Service in the Free State of Saxony
Article 15: Amendments to the Professional Code for Nursing Staff
Article 16: Amendments to the Saxon Burial Law
Article 17: Amendments to the Saxon Law on Cancer Screening
Article 18: Amendments to the Saxon Hospital Act
Article 19: Amendments to the Saxon Healing Professions Chamber Act
Article 20: Amendments to the Saxon Midwife Act
Article 21: Amendments to the Regulation on Healing Professions and Pharmacy
Article 22: Amendments to the Saxon Regulation on the Hardship Commission
Article 23: Amendments to the Saxon Refugee Admission Act
Article 24: Amendments to the Law on Ethnic German Re-immigrants
Article 25: Amendments to the Saxon Law on Archives
Article 26: Amendments to the Saxon Law on Statistics
Article 27: Amendments to the Saxon Law on Restaurants
Article 28: Amendments to the Saxon Law on Architects

Let's have a closer look at the state level (Saxony), continued:
Article 29: Amendments to the Saxon Law on Engineers
Article 30: Amendments to the Saxon Law on the Right to Access Environmental Information
Article 31: Amendments to the Saxon Law on Waste Management and Soil Protection
Article 32: Amendments to the Saxon Law on Schools
Article 33: Amendments to the Saxon Regulation on Professional High Schools
Article 34: Amendments to the Saxon Regulation on Professional Schools
Article 35: Amendments to the Saxon Regulation on Basic Schools
Article 36: Amendments to the Saxon Regulation on Technical Colleges
Article 37: Amendments to the Saxon Regulation on Schools for Children with Learning Difficulties
Article 38: Amendments to the Saxon Regulation on Specialized Secondary Schools
Article 39: Amendments to the Saxon Regulation on Vocational Colleges
Article 40: Amendments to the Saxon Regulation on Middle Schools
Article 41: Amendments to the Saxon Regulation on the Secondary School Baccalaureate
Article 42: Amendments to the Saxon Law on Determination of Professional Qualification
Article 43: Amendments to the Saxon Law on Care and Quality of Housing
Article 44: Amendments to the Saxon Law on Freedom of Universities
Article 45: Amendments to the Saxon Law on Blind Persons' Pensions
Article 46: Amendments to the Saxon Data Protection Act
Article 47: Coming into force, end of binding force

Result on the state level, GDPR (layers of applicable law):
- GDPR
- Saxon Law on Adaptation to GDPR, Article 1: Saxon Data Protection Implementation Act
- Articles 2-45: specific legislation, Article 6(2) and specific processing situations (public sector), f. i. the Saxon Law on Hospitals, the Saxon Press Law
- Article 46: Saxon Data Protection Act, continued validity until 6/2019, with regard to the JHA Directive and the national security sector

Result on the state level, JHA Directive (layers of applicable law):
- JHA Directive
- Saxon Law on Implementation of the JHA Directive (still in preparation), f. i. the Saxon Law on Police
- Article 46: Saxon Data Protection Act, continued validity until 6/2019, with regard to the JHA Directive and the national security sector, f. i. the Saxon Law on Security Vetting

Control mechanisms of data protection institutions in Germany

Previous tasks of the Saxon Data Protection Commissioner (competent for all public and non-public institutions in Saxony; from today onwards: not for the tax administration):
1. Random or prompted supervision of data processing
2. Handling petitions (> 300 per year in the public sector, > 1,000 per year in the non-public sector)
3. Participation in legislation
4. Counselling of public and non-public institutions
5. Activity reports

New powers, much more detailed, Article 58, investigative powers:
(a) to order the controller and the processor to provide any information ...;
(b) to carry out data protection audits;
(c) to carry out a review on certifications issued pursuant to Article 42(7);
(d) to notify the controller or the processor of an alleged infringement ...;
(e) to obtain access to all personal data and to all information necessary ...;
(f) to obtain access to any premises, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

New powers, much more detailed, Article 58, corrective powers:
(a) to issue warnings to a controller or processor ...;
(b) to issue reprimands to a controller or a processor ...;
(c) to order to comply with the data subject's requests to exercise his or her rights ...;
(d) to order to bring processing operations into compliance with this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure or restriction of processing and the notification of such actions to recipients ...;
(h) to withdraw a certification ...;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

New powers, much more detailed, Article 58, authorisation and advisory powers:
(a) to advise the controller in accordance with the prior consultation procedure ...;
(b) to issue opinions to the national parliament, the Member State government or to other institutions and bodies as well as to the public ...;
(c) to authorise processing referred to in Article 36(5) ...;
(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
(e) to accredit certification bodies pursuant to Article 43;
(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
(g) to adopt standard data protection clauses ...;
(h) to authorise contractual clauses referred to in point (a) of Article 46(3);
(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
(j) to approve binding corporate rules pursuant to Article 47.

New conditions for imposing fines, much more detailed, Article 83:
(1) effective, proportionate and dissuasive;
(2) due regard shall be given to the nature, gravity and duration, the intention, any action taken by the controller, the degree of responsibility, any previous infringements, the degree of cooperation, the categories of personal data, the manner in which the infringement became known, the compliance with previous measures, adherence to approved codes of conduct, any other aggravating or mitigating factors;
(3), (4) fines up to EUR 10 million or 2 %, resp. up to EUR 20 million or 4 % of the total annual turnover;
(8) exercise of these powers shall be subject to appropriate procedural safeguards.
German Federal Data Protection Law and Saxon Data Protection Implementation Law: no fines against public bodies (but against individual public servants).

Thank you for your attention! Paldies!
Mr. Bernhard Bannasch
bernhard.bannasch@slt.sachsen.de