Companies therefore have no choice but to make data privacy and data protection law a core field of their corporate governance. This is the only way to ensure sustainable corporate governance. This encompasses employee data, including social and health data, customer data, third party and service provider data as well as competitor data and other types of personal information.
In addition to opportunities, there are also risks. Besides protecting against attacks from third parties, the training, integration and motivation of employees is crucial to a company’s data protection. Are your employees sufficiently trained in the handling of relevant data? How can you avoid dissatisfied or terminated employees causing a data leak? The resulting serious disadvantages in competition as well as the damage to your company’s reputation among customers and the general public cannot be overestimated. This is already demonstrated by common cases of data theft, hacker attacks or poor data management.
What is the legal framework?
The EU General Data Protection Regulation (GDPR) has applied in the European Union since 25 May 2018. The guiding principles of European data protection law are regulated in 99 articles. Companies processing personal data in the European Union, irrespective of their domicile, must comply with the following basic principles defined in the GDPR:
- Market location principle,
- Right to be forgotten,
- Right to data portability,
- Privacy by Design/Privacy by Default,
- Appointment of data protection officer for a company,
- Data protection impact assessment,
- Principle of purpose limitation,
- Provisions on the consent of the parties concerned.
The General Data Protection Regulation, which is directly binding for all companies and public authorities, establishes a strict sanctions regime in which fines of up to 20,000,000 EUR or 4% of the total worldwide annual turnover of a company can be imposed.
The new version of the German Federal Data Protection Act (Bundesdatenschutzgesetz: BDSG) came into force at the same time as the General Data Protection Regulation. Here, the legal framework for companies operating in Germany is specified in some parts.
How can we help?
Our team of data privacy experts has many years of extensive and practical experience in advising, developing and implementing data protection instruments that enable companies to implement active and proactive data protection management, such as:
- Binding Corporate Rules (BCR),
- Use of EU Standard Contractual Clauses,
- Advice on the accreditation and use of the EU-U.S. Privacy Shield for data transmission between the EU and the U.S.,
- Conducting audits on data protection and data security,
- Data protection training for board members, managing directors and HR managers,
- Advice and support during data protection audits by the data protection supervisory authorities,
- Representation of companies before supervisory authorities in prohibition and fine proceedings,
- Consulting and crisis response in cases of personal data protection breaches (Data Breach Response).
The BUSE data privacy team is at your disposal to help you achieve your business goals. We help you to prevent legal data protection risks before they arise. In the event that data protection is violated, we support you in quickly identifying dangers and neutralising them in the long term.
Based on our team members’ extensive operational experience, we implement strategic, flexible and proven concepts that meet the highest standards and quality requirements. In this way, our clients are able to meet the data protection requirements – in Germany, the European Union and worldwide.
