Only a few weeks left until the go-live of the EU General Data Protection Regulation
As of 25 May 2018, all data protection standards in the EU will be raised to a uniform level with the EU General Data Protection Regulation (EU-GDPR). With regard to the processing of personal data, companies, authorities and freelancers, among others, must adapt their process and organisational structures (for example in the Human Resources area) to the EU-GDPR. In addition to meeting all operational and legal requirements, the EU-GDPR also requires the implementation of technical and organisational measures. The new regulation applies not only to companies based within the EU, but also to companies from third countries offering, inter alia, their goods and services within the EU. The aim of the EU-GDPR is to standardise data protection laws and ensure greater protection of personal data. To that end, the new regulation imposes essential obligations on companies in the processing of personal data, which serves the goal of strengthening the rights of natural persons. The Federal Republic of Germany has already ensured a high level of data protection with the Federal Data Protection Law (BDSG). With the new regulation, other EU member states are now required to adapt their data protection standards as well. This will allow better cooperation in the processing of personal data within the EU.
Implementation of the “Rights of the data subjects”
The tightening of the “Rights of the data subject” (Art. 12 – Art. 23 EU-GDPR) is one of the extended provisions of the European data protection law in the new General Data Protection Regulation (GDPR). The EU-GDPR understands the “Rights of the data subject” or “subject rights” as the rights of any natural person in relation to the handling of their personal information by responsible parties (natural or legal persons) who process these data.
This right was already mostly specified in § 33 to 35 of the Federal Data Protection Law (BDSG); so far, however, little use has been made of it. It can be assumed that many EU citizens will focus on this aspect by 25.05.2018, due to the media attention around the EU-GDPR, and that companies and authorities can therefore expect significantly more inquiries about personal data. To counteract this effort, a separate process, for example for the information process, should be implemented in the procedural and organizational structure. In particular, given that a disclosure must be processed within four weeks, this process should be set up as lean as possible. In practice this means: fewer process participants and fewer interfaces to departments make compliance with the reporting deadline possible. Therefore the number of persons involved in the process must be limited. Furthermore, there is also the challenge of identifying all systems which process personal data. These systems must generate the personal data which must be handed over as copies toge