New European General Data Protection Regulation coming into force on 25 May 2018

12/03/2018  On 25 May 2018 the new European General Data Protection Regulation¹ will come into force, harmonizing the data protection rules in the EU. It will directly apply in all EU member states without the need for any national implementation laws (Art. 288 Treaty on the Functioning of the EU). The regulation provides for new data protection obligations of enterprises and sharpens existing ones. Further, fines for breaches have been increased significantly. On the same day, a revised German Federal Data Protection Act (Bundesdatenschutzgesetz) will come into force, specifying and sharpening some of the European data protection laws for Germany.

In short, the main duties for enterprises² under the new data protection rules are:

  • to maintain a record of processing activities,
  • to designate a data protection officer,
  • to carry out a data protection impact assessment,
  • to implement appropriate technical and organisational measures designed to implement data-protection principles and ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed and ensuring a level of data security appropriate to the risk,
  • to notify a personal data breach promptly to the competent supervisory authority,
  • to cooperate on request with the supervisory authority.

Also, the information and other rights of affected natural persons (the “data subject”) have been strengthened.

Please contact us at JP Rechtsanwälte if you need help in complying with the new data protection rules.


¹ complete name: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
² with exceptions for certain smaller enterprises
Mario Lindner
Mario Lindner