Policy letter spring 2024
Dear readers,
Data protection officers are not part of everyday business life; they are involved too little and far too late in current projects, and too little is invested in their further training. This is the conclusion of a study by the European Data Protection Board (EDPB), which paints a devastating picture. The EDPB is an independent European body tasked with ensuring the consistent application of the General Data Protection Regulation. I cannot agree with all parts of the comments, certainly also because the picture of the work of data protection officers is very heterogeneous across Europe. But even in this country, the work of colleagues in companies and authorities often has the reputation of being the bearer of bad news. We have made it our duty to change this misconception and equally to empower our colleagues, to enable rather than to prohibit. But we also need your support to do this.
In this policy letter, we would like to share our practical view of data protection with you several times a year, and whenever it is important. As the oldest professional association in Germany, we have been representing the interests of the many data protection officers in Germany for over 30 years, with an honorary board whose members still deal daily with the needs of both data subjects and controllers in many companies and organisations. And these needs are often linked to the desire for comprehensible and pragmatic data protection for modern cooperation in the digital age.
This first issue should therefore also be seen as an explicit invitation to discuss and share ideas on how we can simplify the handling of data in general, and of personal data in particular, in Germany and Europe. With the data protection officers in Germany, you have many thousands of guides to digitalisation at your side, and with the BvD you always have a competent and open contact partner. I hope you enjoy reading this.
Yours,
Data protection officers are part of the solution

A proposal in the Federal Council (Bundesrat) caused an uproar in the data protection community and threatened to undermine the working basis of many company data protection officers. As a professional association, we are relieved that the planned deletion of Section 38 of the German Federal Data Protection Act (BDSG), which regulates when a data protection officer must be appointed, did not pass the chamber of the states.
The draft of a first act amending the BDSG will now enter the parliamentary process. We generally welcome the aim of reducing bureaucratic burdens for companies when the draft comes before the Bundestag. However, the data protection officer is not the bureaucratic burden. The increase in bureaucracy that businesses experience stems from the General Data Protection Regulation (GDPR) itself, namely from its extensive documentation and notification obligations. Against this background, it would be damaging if national legislation gave controllers and company management the impression that the national legislator could exempt them from their obligations and from their responsibility, including their personal responsibility, under the GDPR.
Abolishing the national obligation to appoint a data protection officer changes none of these obligations. Rather, consideration should be given to strengthening the role of the data protection officer. To ease the burden on companies, we suggest, for example, that the data protection impact assessment be prepared by the data protection officer with the involvement of the specialist departments, with accountability for the assessment remaining with the controller (Art. 35 GDPR). The data protection officer presents the results to management, which then decides on the next steps based on these proposals. A similar approach could be taken for maintaining the record of processing activities.
In order to strike a balance between a high level of protection, economic opportunity and bureaucratic relief, we are available as experts and contacts in the further legislative process, drawing on the practical experience of many hundreds of member companies.
How the GDPR could be made less bureaucratic: Streamline documentation requirements

The GDPR has a pronounced compliance methodology: every lawfulness check is accompanied by documentation and information obligations, and every obligation to act is accompanied by organizational obligations. So far, so understandable and sensible. In practice, however, there is duplication in many places that neither increases the level of protection nor gives data subjects more control over their data.
For example, the question of the lawfulness of processing pursuant to Art. 6 GDPR is flanked by the documentation obligation pursuant to Art. 5 para. 2 GDPR (the so-called accountability obligation), the obligation to inform the data subject of the legal basis pursuant to Art. 13 and 14 GDPR, and the obligation to document the processing in the record of processing activities pursuant to Art. 30 GDPR. A single lawfulness check thus triggers three further obligations.
Every company must ensure transparency in the processing of personal data. This means that data subjects must be proactively and comprehensively informed about the processing of their personal data and be provided with information on request. Under the GDPR, however, these obligations must not only be fulfilled: pursuant to Art. 5 para. 2 in conjunction with Art. 5 para. 1 lit. a GDPR, it must also be documented that they have been fulfilled, and pursuant to Art. 12 GDPR, measures to fulfill these transparency obligations must be demonstrably implemented, regardless of the size of the company. Here, the BvD suggests that the latter two documentation obligations be interpreted on a risk basis in the case of simple lawfulness checks and be considered necessary only where the risk is high, in order to relieve companies of bureaucratic costs.
AI Act: Why a lack of provider liability is preventing the further digitalization of SMEs

In the national implementation of the AI Act, the BvD is calling for providers to bear a greater share of liability for AI and software solutions. The association has advocated provider liability in the past because it is often no longer possible for users to verify how software is built. As the algorithms of the artificial intelligence pushing onto the market become ever more complex, this security risk is further exacerbated.
Data protection officers must have a regulatory understanding, and IT security officers at least a technical understanding, of how data flows and is processed and of the risk levels associated with the use of AI. Greater provider liability is therefore imperative, because those responsible cannot responsibly recommend a solution they are unable to assess: in practice, they are buying the proverbial pig in a poke.
This lack of transparency is therefore becoming a real digitalization killer, especially for SMEs. Many “hidden champions” in this country are already complaining about excessive demands and are in no position to undertake lengthy audits, quite apart from the shortage of skilled workers. The BvD is calling on German legislators to make improvements in the upcoming implementing legislation.
Thomas Spaeing on European Data Protection Day 2024
‘Data protection is the protection of people’s rights and freedoms.’