European Parliament adopts EU Data Protection Regulation
After more than four years of negotiations, the European Parliament passed the EU Data Protection Regulation yesterday.
“The European Commission welcomes the final adoption of the new EU data protection rules by the European Parliament, following the adoption by the Council last Friday. Today’s vote marks a significant achievement, and the culmination of over four years of hard work with the European Parliament, the Council, business, civil society and other stakeholders.
The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.
The Data Protection Directive for police and criminal justice authorities ensures a high level of data protection while improving cooperation in the fight against terrorism and other serious crime across Europe. These new rules come at a time when improved cooperation in the fight against terrorism and other serious crime is more necessary than ever, as shown by the recent terrorist attacks in Paris and Brussels.
These rules are for the benefit of everyone in the EU. Individuals must be empowered: they must know what their rights are, and know how to defend their rights if they feel they are not respected.
Our work in creating first-rate data protection rules providing for the world’s highest standard of protection is complete. Now we must work together to implement these new standards across the EU so citizens and businesses can enjoy the benefits as soon as possible.”
This Regulation will replace the Data Protection Directive, which has been in force since 1995. Unlike the Directive, large parts of the Regulation will apply directly to German companies without the need for implementation by the national legislator. The penalties provided for in the new Regulation in particular were under scrutiny during the negotiations at EU level: for breaches of data protection law, companies may face penalties of up to EUR 20 million or 4 % of their worldwide annual turnover. The Regulation will come into force across Europe in May 2018. The German legislator is currently preparing draft German legislation for those areas of data protection where the Regulation’s opening clauses allow national legislation, including employee data protection.
You can find the Council’s last draft document with all relevant changes as of April 8, 2016 here (PDF).
Why is this relevant now?
Although the Regulation won’t come into force until May 2018, companies must already be compliant by that time, not just starting to prepare. This requires extensive preparation. Most companies hold personal data without being aware of all of these data or of why they have been saved. Modern technology enables companies to collect vast amounts of personal data without even being aware of it (for example in saved e-mails, in commercial files, or through GPS tracking). Knowing which data have been saved and are being processed is an important and time-consuming precondition for compliance.
This applies to the general data protection rules in the EU Regulation, which will also apply to the employment relationship, such as the individual’s right to information about saved data, to correction or deletion of saved data, and to data portability, as well as the stricter rules on technical data protection. It also applies to the specific employment-related data protection rules, which are not yet known but are soon to be passed by the German legislator.
As a next step, processes will need to be changed or newly introduced, and policies will need to be developed. Under German law, this requires works council consent, which often entails time-consuming negotiations.
More details
We present the most important changes for German employers in a separate article on this blog, and also provide an international viewpoint on the Regulation via our alliance Ius Laboris.