The General Data Protection Regulation (GDPR) has now been in force throughout the EU for two years. It is time to take stock and look at what the regulation has meant for HR departments, what it changed, and what has become of it in practice.
Countless companies ramped up remote working orders for their employees in view of COVID-19 and the measures taken by the federal and state governments since mid-March 2020. As lawyer and data protection officer Sebastian Günnewig explains, even in this particular crisis, the employer is usually liable if, for example, an employee in the home office violates the General Data Protection Regulation (GDPR). It is a matter of protecting personal data, which also applies to those working from home.
187 fines imposed for violations of the GDPR in 2019
The GDPR has a reputation as a bureaucratic monster, and large and small companies alike have had a hard time with its introduction; many of them still feel unsure of their footing. "Germany's companies are struggling with the GDPR", headlined the magazine Freitag, noting that almost two years after the regulation became binding, dissatisfaction still prevails across the board. After an initial grace period, the number of penalised infringements has risen sharply.
According to Handelsblatt, by December 2019 a total of 187 companies in Germany had been fined. The largest fine, 14.5 million euros, was imposed on the Berlin real-estate group Deutsche Wohnen, which showed little understanding of it and little willingness to pay. In fact, Berlin's data protection commissioner had collected just over 200,000 euros in fines altogether, as the Berliner Morgenpost reported at the end of March 2020.
Taking stock in May
The GDPR must also be observed while working from home.
By the end of May 2020, two years after the GDPR became applicable, a first reckoning is due: Art. 97 GDPR requires the European Commission to evaluate and review the regulation by then. Brussels is still a long way from a result, as a Deutschlandfunk report on two years of GDPR noted. The opening clauses in particular, which let Member States legislate their own rules in certain areas, have produced a patchwork of divergent national provisions across the EU.
The HR software and solution provider rexx systems set out two years ago what HR staff would need to prepare for under the GDPR. The essential points remain current:
- Consent to the processing of personal data must be requested in clear language and given voluntarily.
- More obligations around processing on behalf of a controller (in German, Auftragsverarbeitung): outsourcing does not relieve the principal of its primary responsibility as controller. The external service provider is merely the controller's "extended arm", as lawyer Sören Siebert of eRecht24 puts it. The controller's rights of instruction and control, as well as the Technical and Organisational Measures (TOM), must be set down in writing in a data processing agreement, as Art. 28 GDPR requires. The duty of professional secrecy under Section 203 of the German Criminal Code (StGB), under which anyone who discloses another person's secret is liable to prosecution, was extended by subsection (3), which permits professional secrecy holders to involve third parties or other persons assisting in their professional activity. To align this with the GDPR, Section 203(4) StGB was created, under which those third parties can themselves be prosecuted. The professional secrecy holder is not off the hook, however: he or she can also be prosecuted for failing to bind the third party to secrecy, or where the third party has failed to bind other persons it involves.
- The rights of data subjects have been strengthened: controllers must inform them of their rights of access, rectification, restriction of processing (formerly "blocking"), erasure and the possibility of lodging a complaint with the competent supervisory authority. Privacy by design and privacy by default (Art. 25 GDPR) continue to apply, meaning that data protection must be built into the technology or the software itself. The extent to which software manufacturers can be held liable on this basis remains disputed. As Handelsblatt reported in December 2019, there has been some movement in the debate, at least among Germany's data protection authorities: in their submission for the evaluation due in May, they call for "manufacturers to be held more strongly accountable for products relevant to data protection law".
- The obligation to notify personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them still applies under Art. 33(1) GDPR. Where the breach is likely to result in a high risk to the affected persons, they must also be notified under Art. 34(1). As the Bavarian Data Protection Act (BayDSG) also spells out, there are several grounds on which notification of the data subjects can be dispensed with; they mirror Art. 34(3) GDPR: protective measures taken in advance that render the data unintelligible (for example encryption), measures taken afterwards that remove the high risk, or a disproportionate effort, in which case a public communication may be required instead.
- Sanctions of up to 20 million euros or four per cent of worldwide annual turnover, whichever is higher, remain on the books. In practice, however, the fines imposed in Germany have been far more moderate, and, as the Berlin example shows, they are evidently difficult to collect.
Conclusion: Not much has really changed for HR departments since the GDPR became applicable on 25 May 2018. It could, however, become a problem for software manufacturers that have not yet fully internalised the GDPR's requirements. In addition, many companies still do not use professional HR software and continue to rely on "Excel and Outlook". Coming back to working from home: the coronavirus crisis has taught many companies within a short time that it works, so cloud-based teleworking will remain on the agenda after the crisis. To make sure the GDPR does not fall by the wayside in the process, companies will have to invest more in IT security. Then, as with the rexx Suite, HR employees can process applications, internal company workflows and other personnel matters from home without data protection becoming an issue.