The General Data Protection Regulation (GDPR) is a milestone in the development of data protection law that may not be overestimated in its relevance. The GDPR implements various changes as compared to the current situation. German and other companies should prepare for these changes entering into force May 2018.<\/p>\n
Art. 5 GDPR<\/a> stipulates the below principles for processing personal data:<\/p>\n Companies shall understand these principles as general principles for tailoring their data protection organisation without a need for direct implementation or a direct requirement to base any particular assessment on these principles. Assessment of particular data handling shall rather be carried out by applying statutory justifications e.g. in Art. 6 GDPR<\/a>.<\/p>\n Both DPD<\/a> and GDPR<\/a> consider data processing as illegal unless there is a specific justification in place (see Recital 40 GDPR<\/a>). Art. 6(<\/span>1) GDPR<\/a> contains a number of justifications for processing personal data, Art. 9(<\/span>2)<\/a> GDPR for processing special categories of personal data (not subject to this article) and chapter IX for processing personal data in special processing situations.<\/p>\n Under Art. 6(<\/span>1)(<\/span>a) GDPR<\/a>, the data subject\u2019s consent is a valid justification for processing personal data. Also under Art. 7(<\/span>a) DPD<\/a> and Section 4(<\/span>1) BDSG<\/a>, data subjects\u2019 consent is considered as a justification for data processing. Detailed requirements regarding the declaration of consent follow from Art. 7 GDPR<\/a> and Recitals 32<\/a>, 42<\/a> and 43<\/a> GDPR<\/a>. In addition, there are more specific requirements for collecting a declaration of consent from children in the context of information society services.<\/p>\n Under the GDPR, as under the current legal framework, a declaration of consent must be freely given, based on an informed decision of the concerned person and made in a clear manner (see Recital 32 GDPR<\/a>). Differing from today\u2019s requirements under Section 4a(<\/span>1) Sentence 3 BDSG<\/a>, under the GDPR<\/a> a declaration of consent must not generally be made in writing. Rather, written, oral, electronic and other ways to express a declaration of consent are considered equal (see Recital 32 GDPR<\/a>). Also implicit declarations of consent will therefore be legally valid where provided by the data subject in an active manner. Remaining silent \u2013 or in an online context \u2013 pre-checked boxes are no active expression of consent under Art. 8 GDPR<\/a> and hence no declaration of consent.<\/p>\n The data controller has the burden of proof in regard to the requirements of a valid declaration of consent according to Art. 7 (1) GDPR<\/a>. From a data controller\u2019s perspective, it would therefore be prudent to collect declarations of consent in written or electronic form and retain it at least for the duration of the processing. Art. 7 GDPR<\/a> expressively states that a data subject may revoke a declaration of consent at any time with effect for the future. This is in line with the current understanding of Section 4a (<\/span>1) BDSG. Accordingly, a data controller is bound by an obligation to design any consent-based data processing in a manner that enables execution of individually revoked declarations of consent.<\/p>\n Under Art. 8(<\/span>1) GDPR<\/a>, children may provide a valid declaration of consent in the context of information society services from the age of 16. A declaration of consent expressed by children under the age of 16 becomes valid upon the parent\u2019s confirmation. According to Art. 4 No. 25 GDPR<\/a> and Directive (EU) 2015\/1535 on procedures for the provision of information in the field of technical regulations and of rules on information society services<\/a>, information society services are typically provided in return for money in the context of distance distribution, such as in app purchases and other (mobile) value added services.<\/p>\n The GDPR contains general statutory justifications for processing personal data in Art. 6(<\/span>1)(<\/span>b)-(f) GDPR<\/a>. Under these rules, personal data may be processed if necessary for the purposes listed below:<\/p>\n In order to justify data processing for the performance of contractual obligations under Art. 6(<\/span>1)(<\/span>b) GDPR<\/a>, the data controller must check and ensure that such data processing is in fact required for the performance of contractual obligations. The extent to which data processing is permitted is in the first place defined by the scope of contractual obligations as agreed by the parties.<\/p>\n Processing personal data under the legitimate interest justification of Art. 6(<\/span>1)(<\/span>f) GDPR<\/a> requires justified interests of the data controller that outweigh the data subjects opposed interests, i.e. a balancing of interest test. When carrying out such balancing of interest, the data controller must in particular consider the data subjects\u2019 fundamental rights and freedoms. Art. 6(<\/span>1)(<\/span>f) GDPR<\/a> now explicitly states that when processing children\u2019s personal data under a legitimate interest justification, one must particularly consider their specific interests.<\/p>\n In order to assess the scope of justified data processing under the legitimate interest justification of Art. 6(<\/span>1)(<\/span>f) GDPR<\/a>, it appears prudent to apply the principles developed under the predecessor rule of Section 28 (1) No. 2 BDSG<\/a> mutatis mutandis. In addition, Recital 47 GDPR<\/a> contains further guidance for an appropriate connection between data controller and data subject and the foreseeability of data processing that turns relevant when establishing the legitimate interest justification. Where such appropriate connection is in place, e.g. in a sales and purchase of goods relationship, common data processing will be rather easy to justify. However, as today under the BDSG, also under the GDPR, justifying data processing under legitimate interests will always depend on assessing the circumstances of the individual case.<\/p>\n Chapter IX GDPR contains statutory justifications and the permission for Member States to implement individual justifications for special processing situations. Member States may in particular \u201creconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.\u201d In other words, member states may implement justifications for data processing for such purposes.<\/p>\n Principles and rules governing the freedom of expression, press publications and scientific research as in place at a member state regulatory level will therefore continue to establish data protection justifications in certain cases. Art. 86 GDPR<\/a> provides for a similar rule in regard to the right to information about public authorities\u2019 activities which namely may turn relevant for the German Federal Freedom of Information Act (IFG) [PDF<\/a>] and the German States\u2019 Freedom of Information Acts. These laws will continue to provide for data protection justifications in particular cases.<\/p>\n Art. 88 GDPR<\/a> establishes employment data protection law at the EU regulatory level by giving the member states authority to implement respective data protection rules. Art. 88 GDPR<\/a> may trigger a new discussion about implementing employment data protection rules in Germany. So far, there have been a number of draft laws and legislative initiatives \u2013 the only result being the minimalistic and \u201ctemporary\u201d provision in Section 32 BDSG<\/a>.<\/p>\n Processing personal data for archival purposes, scientific and historic research is under Art. 89(<\/span>1) GDPR<\/a> in principle subject to the GDPR. Under Art. 89(<\/span>2) GDPR<\/a>, the Member States may, however, implement additional legal provisions. As currently the case, also under the GDPR, the German Federal Archive Act (Bundesarchivgesetz)<\/a> and the German States\u2019 Archive Acts may therefore restrict data protection rights and provide for data protection justifications.<\/p>\n The church data protection acts, namely the Church Act on Data Protection of the Protestant Church and the Regulation on Church Data Protection of the Catholic Church will be applicable under Section 91 GDPR<\/a>. Currently, there is a respective Setup under Art. 140 German Constitution (Grundgesetz)<\/a> in connection with Art. 137 of the German Constitution of 1919 (Weimarer Reichsverfassung)<\/a>. However, under Section 91 GDPR<\/a>, the church data protection acts apply only to the extent that they are in line with the principles of the GDPR.<\/p>\n The GDPR further develops German and European data protection law in particular on the basis of the DPD. This also holds true for the principles for processing personal data and data protection justifications that are subject of this article. Companies do not have to completely change their data processing procedures under the GDPR. Where data processing is in line with current data processing requirements, at large the requirements under the GDPR are likely to be fulfilled as well. In any case, it is advisable to carefully assess deviating legal requirements and to implement respective measures in preparation for the GDPR.<\/p>\n Other parts of this series:<\/p>\n Part 1: EU Data Protection Regulation \u2013 New Series<\/p>\n Part 2: Fines, Penalties and Damages for Data Protection Infringements<\/p>\n\n
\nThese principles have largely been in place under the regulation\u2019s predecessor, Art. 6 Data Protection Directive (DPD)<\/a>, and have been of relevance to interpretation of the German Data Protection Act (BDSG)<\/a> even though they were not directly implemented in the wording of the BDSG. The principles of Art. 5 GDPR<\/a> in particular turn relevant for interpreting justifications for processing personal data contained in the GDPR and other statutes. They also limit and define the member states\u2019 competence to complement the GDPR with domestic legal instruments as provided for in various GDPR opening clauses.<\/p>\n2. Justifications<\/h2>\n
3. Consent<\/h2>\n
4. General Statutory Justifications<\/h2>\n
\n
\nThese statutory justifications are at large similar to their predecessors in Art. 7(<\/span>b)-(f) DPD<\/a> and Section 28 BDSG<\/a>. For affected companies, particularly relevant are the justification to process personal data for the performance of contractual obligations and to pursue legitimate interests as currently covered by Section 28(<\/span>1) No. 2 BDSG<\/a> and Section 28(<\/span>1) No. 2 BDSG<\/a>. Similar justifications will also be in place under the GDPR.<\/p>\n5. Special Processing Situations<\/h2>\n
6. Conclusion<\/h2>\n