Since 25 May 2018, data protection law has been governed by the General Data Protection Regulation (GDPR). The GDPR is the foundation of data protection law in the European Union and regulates the handling of personal data uniformly across the member states. National rules of the EU member states supplement the GDPR; in Germany, data protection is extended by the Federal Data Protection Act (BDSG).
In companies, the implementation of these legal requirements is ensured and monitored by a company data protection officer. The responsible supervisory authorities in the respective federal states in turn check companies' compliance with data protection law. The highest federal supervisory authority in data protection matters is the Federal Commissioner for Data Protection and Freedom of Information.
The principles of the GDPR in relation to the processing of personal data include:
- Transparency and lawfulness
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
At its core, the General Data Protection Regulation states that data may only be processed for clear and legitimate purposes. In addition, the GDPR imposes information and documentation obligations on companies. These include, for example, keeping a record of processing activities or carrying out a data protection impact assessment. Those responsible for processing must be able to demonstrate that they comply with the provisions of the GDPR.
To meet all these obligations, our external data protection officers come into play!