The document discusses preparations for the implementation of the GDPR on May 25th 2018. It notes that nearly full implementation will be impossible by the deadline and that a short transition period is needed, during which infringements should not automatically lead to sanctions. The focus should be on advice. It also discusses establishing consistent sanctions across EU states for GDPR infringements, but concludes that adopting firm penalties is not possible and that sanctions must take into account specific circumstances of controllers/processors and EU member states.
1. E-VOLUTION OF DATA PROTECTION
(IMPLEMENTATION OF DATA PROTECTION REFORM)
Developments and Challenges in EU Privacy Law
Aspects from a German Perspective
CONFERENCE,
7 - 8 September 2017, Tartu, Estonia
Brandenburg State Commissioner for Data Protection and Access to Information
Stahnsdorfer Damm 77, 14532 Kleinmachnow, GERMANY
Tel: +49 33203 356-0, Fax: +49 33203 356-49
E-mail: poststelle@lda.Brandenburg.de
Internet: http://www.lda.brandenburg.de
2. Article 99 GDPR
Entry into Force and Application
Preparation works to be done until May 25th 2018 when the GDPR will apply:
1. Regulations by national lawmakers
2. Implementation of various new procedures
Example: Article 42 GDPR:
• develop mechanisms for the accreditation of certification bodies
• draft criteria for certifications
LDA Brandenburg 2
3. Article 99 GDPR
Entry into Force and Application
3. Interpretation and understanding of the GDPR provisions
• Guidelines by
o European Data Protection Board – EDPB (Article 70 GDPR)
o Article 29 Working Party
• Preliminary “short papers” by the German supervisory authorities
LDA Brandenburg 3
4. Article 99 GDPR
Entry into Force and Application
CONCLUSION
• Nearly impossible for controllers and processors to fully
implement the GDPR by May 25th 2018
• A second – short – transition period is needed
• During this second transition period infringements should not
automatically lead to sanctions
• Focus on other regulatory tools, especially on advice
LDA Brandenburg 4
5. Article 83 GDPR
General Conditions for Imposing Administrative Fines
GDPR focusses on a consistent and high level protection of personal data
which requires equivalent sanctions for infringements in the Member States
• Options:
o establish an EU-wide comparability in the level of sanctions
o develop a joint schedule of fines
o fix minimum fines
• Obstacles:
o economic, social and cultural diversity between member states
o circumstances of the specific case
LDA Brandenburg 5
6. Article 83 GDPR
General Conditions for Imposing Administrative Fines
CONCLUSION
• Adopt a list with firm penalties is not possible.
• The equitable application of the GDPR does not demand a
complete levelling.
• Instead: Achieve a system of sanctions taking into account
o specific circumstances of data controllers and processors
o specific circumstances of the Member States (e.g.: economic,
social, cultural)
LDA Brandenburg 6