The new European General Data Protection Regulation (GDPR) [(EU) 2016/679], which is valid as of May 25th, 2018, replaces existing data protection laws throughout Europe and introduces significant changes that will have an impact on businesses in Europe, but also around the world. The GDPR imposes a variety of new requirements on companies accessing the data of EU residents. We will work closely with you to help understand the scope and applicability of the GDPR and to design GDPR-compliant programs and contracts.

The key changes and additional requirements introduced by the GDPR are:

Strengthening of individuals’ rights to personal data

Individuals have the right

  • to be given a copy of the personal data relating to them in a commonly used format, and
  • to have that information transmitted to another party (the ‘right to data portability’), and
  • to have their personal data removed from systems or online content (the ‘right to be forgotten’), and
  • not to be subjected to automated data profiling (where this would produce a legal effect)

Therefore, organisations must determine how they will enable individuals to exercise these rights and align their processes accordingly.

Enhanced requirements for the supply chain

Businesses must only use other parties to process personal data that provide sufficient guarantees with respect to the implementation of appropriate security measures to satisfy the requirements of the GDPR. These service providers will now be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR and must obtain prior consent to employ sub-processors.
Therefore, organizations need to review and amend their contracts with these parties to address the changes in responsibilities.

New data privacy governance, data mapping and impact assessment requirements

Organizations (may) need to appoint a data protection officer to be responsible for implementing and monitoring compliance with the GDPR and to carry out assessments of an organization’s data processing in certain circumstances. Organizations are required to map their processing of personal data and undertake data protection impact assessments for higher risk processing.

European data protection law will now apply worldwide

In addition to businesses that are established in the European Union, also organizations that are located outside the EU, but process personal data in relation to their offer of goods or services to individuals within the EU (or as a result of monitoring individuals within the EU) have to comply with European data protection law.
Therefore, non-EU based businesses need to analyse whether they will be subject to the new rules and how they will comply. In particular they have to determine, whether they have to designate a representative within the EU according to Art. 27 GDPR. For more information see our legal service offer GDPR EU Representative

New data breach notification obligation

Organizations have to notify the relevant European data protection authority of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.

Tougher sanctions for non-compliance

The maximum fine for a breach of European data protection law will be substantially increased to up to 4% of an enterprise’s worldwide turnover or up to €20 million per infringement, whichever is higher.


How we can support you

Data privacy documents and systems

We assist you in establishing and maintaining privacy policies, procedures, training tools and cross-functional programs regarding the protection of your company’s personal data, that are tailored to your individual requirements. Once these privacy structures are in place, we work with you on an ongoing basis to update them as laws and regulations, or the company’s own business needs, evolve.

Data sharing contracts

We review and advise you on whether the contracts that you have in place with parties to whom you transfer personal data or from which you process personal data as a contractor (commissioned data processing) enable your business to comply with its requirements under the GDPR. This includes updating and renegotiating those contracts if necessary.

International transfers

We examine which personal data is transferred internationally by your business and advise you on the extent to which this complies with the GDPR. This includes the drafting of model contracts and Binding Corporate Rules (BCR) to create and implement measures that will enable your business to carry out those transfers lawfully.

Data breach notifications

We stay up to date on all EU data breach notification requirements and can rapidly advise you on whether disclosure – also to affected individuals – is required.