GDPR Two Years On: Companies Still Facing Uncertainty
eco Legal Counsel Clarissa Benner takes stock of two years of the GDPR and explains why companies are still facing uncertainties with its implementation.
Two years of the GDPR, 187 fines in Germany in 2019 alone, and a record fine of 14.5 million Euro imposed by the Berlin Data Protection Authority on a German real estate company. In this interview, Clarissa Benner, LL.M. and Legal Counsel at eco, takes stock of the GDPR. The attorney-at-law also explains why companies are still struggling with the implementation of the GDPR.
eco Association: On 25 May 2020, the General Data Protection Regulation (GDPR) will have been in effect in the EU Member States for two years. The GDPR is to be evaluated by the end of May 2020 in accordance with Article 97. What is your interim conclusion concerning the GDPR?
Clarissa Benner: A unified EU-wide legal framework is something to be very much welcomed in principle. In the meantime, individual departments within companies have at least developed a basic grasp of when and where the requirements of the GDPR are to be observed.
However, in Germany, for example, the supervisory authorities have really let companies down when it comes to their implementation of the GDPR requirements. Assistance tools and process templates were either not published at all or were published too late. If these had been available in advance, many misunderstandings could have been avoided, such as the blacking-out of photos in kindergartens or the question of whether names may still be printed on doorbells.
eco: In Germany in 2019, 187 fines were imposed on the basis of the GDPR. What’s more, according to the German-language business newspaper Handelsblatt, the rate of fines has increased dramatically. For example, a fine of 9.55 million Euro was imposed on a mobile and landline company. In your opinion, why is it that companies are still not succeeding in implementing the GDPR in compliance with the law?
Benner: Companies still lack assistance tools for the standardized adaptation of corporate processes to meet the requirements of the GDPR. Numerous questions remain unanswered as to how the requirements of the GDPR are to be handled correctly. Small companies also lack the personnel and know-how to meet the requirements.
eco: There is still uncertainty in companies about the implementation of the GDPR. Which areas are causing particular problems in the implementation of data protection? And how can companies rectify this situation?
Benner: One challenge stems from the fact that the GDPR does not, for example, recognize any corporate group exemptions. According to the GDPR, companies that belong to a corporate group are not treated as a single entity, but rather as independent units. The exchange of data within the corporate group is therefore not readily permitted. For example, the sending of personnel or customer data by email to a foreign branch represents a data transfer under data protection law. In particular when it comes to data transfers to third countries, EU standard contractual clauses or binding corporate rules must therefore be implemented.
Furthermore, the GDPR does not distinguish between B2B and B2C, but treats these all equally. This demands a lot of bureaucratic effort, especially for the work between companies. For example, anybody complying very strictly with the GDPR would need to inform the person handing over a business card about all data subject rights, processing activities and so on at the moment of its handover.
It would also be useful if supervisory authorities were to provide companies with more model texts and practical examples to clarify issues such as: When exactly do I need a contract arrangement; when do I need a contract for joint control; and when are companies responsible in parallel with each other?
Examples of legally-compliant consent texts would also be helpful, such as guidelines for marketers which clarify when I need consent and when I can rely on my legitimate interest.
eco: The GDPR was only the first step – what else is in store for us with the ePrivacy Regulation?
Benner: That’s not so easy to say, given that the ePrivacy Regulation was actually supposed to come into force with the GDPR on 25.05.2018. In particular, it is intended to regulate the use of cookies and the transmission of direct advertising via electronic communication to end users. However, the Member States have not yet been able to reach a consensus on a common draft law. The most recent development was that of 21.02.2020 when the Croatian Council Presidency presented a revised text of the ePrivacy Regulation to the Member States. Now it is up to the Croatian Council Presidency to win the Member States over. But no matter what, the ePrivacy Regulation is not expected to enter into force before 2023 and will therefore not be immediately enforceable before 2025. One way or another, it is clear that, for an indefinite period of time, there will continue to be numerous open questions in the field of electronic communication.
Clarissa Benner LL.M. joined eco’s legal team as an attorney-at-law and a specialist in data protection in late 2017. Prior to joining eco, she worked as Legal Counsel with a teleshopping station in Grünwald, having previously spent four years working as an attorney in a media law firm in Munich. She completed her earlier legal apprenticeship in the district of the Higher Regional Court of Cologne. In addition to her core legal qualifications, Clarissa holds a Master’s in Media Law.