DSK: Progress report on the GDPR; proposals for relief and tightening

The Conference of the Independent Data Protection Supervisory Authorities of the Federal Government and the States (Data Protection Conference, DSK) adopted, on November 6, 2019, a report on the experience gained in applying the GDPR. Among other things, the DSK reaches the following conclusions and recommendations:

  • The GDPR has proven itself in principle. In some areas, however, questions arise about its everyday suitability (e.g., with regard to the obligation to provide information). Here, the authorities are in favor of individual relief in the offline area, especially for verbal or telephone contacts, or when taking an order or a business card or entering an appointment. In such cases, tiered information should suffice. The authorities propose inserting a new paragraph into Art. 13 GDPR, with wording strongly reminiscent of “recognizability” as defined in the Swiss Data Protection Act:

    The information referred to in paragraphs 1 and 2 shall be provided to the data subject only on request, insofar as the controller carries out data processing operations that the data subject, according to the specific circumstances, expects or must expect, and

    1. both the disclosure of data to other entities and the transfer to third countries are excluded,
    2. no data are processed that fall under Art. 9 GDPR,
    3. the data are not processed for direct marketing purposes, and
    4. neither profiling nor automated decision-making takes place.

    The data subject shall be informed of this possibility.
  • The principle of data protection by design is hardly ever implemented in practice: “The GDPR should therefore also oblige software manufacturers to comply with this design principle that promotes data protection. In practice, this applies in particular to manufacturers of complex software such as operating systems, database management systems, standard office packages or highly specialized applications.” The DSK therefore proposes to include a new legal definition of “manufacturer” and to expressly subject manufacturers to corresponding obligations in Art. 24 GDPR, by way of a new Art. 24 para. 4:

    (4) The manufacturer develops and designs its products, services and applications, taking into account the right to data protection and the state of the art, in such a way that it ensures that controllers and processors are able to comply with their data protection obligations without having to make unreasonable changes to those products, services and applications. It supports them in drawing up the record of processing activities (Art. 30), in notifying a personal data breach (Art. 33) and in notifying data subjects (Art. 34) by providing them, upon request, with all the information necessary to do so.

    Accordingly, the manufacturer should also be able to be the addressee of enforcement measures and liability claims (amendments to Art. 79 and 82).

  • The Data Protection Conference calls for a tightening of the legal framework for profiling, because “the process of profiling as such is not covered by most of the norms of the GDPR, only the use of the data, e.g. for automated decision-making, so that an assessment can usually only be made under the general provisions of Art. 6 GDPR”.
  • With regard to the right of access, it would be desirable to clarify whether and to what extent a “right to a copy” exists.
  • For data breach notification, a corresponding obligation to notify the authorities should also apply where a breach of data security has been established but it is only suspected, and not certain, that this also amounts to a breach within the meaning of Art. 12 No. 4 GDPR (e.g., unauthorized access). In this case, however, the reporting obligation should only apply if the security breach leads to a “high” risk for the persons concerned.
  • On purpose limitation, the question arises whether a further purpose that is compatible with the original purpose needs its own legal basis or, as a result of its compatibility, can be based directly on the legal basis of the initial purpose. Here the DSK calls for clarification that the secondary purpose needs its own legal basis. To this end, recital 50 sentence 2 should be deleted (“In this case, no separate legal basis is required other than that for the collection of the personal data”).
  • For direct marketing, a separate legal basis or balancing-of-interests provision should be included in the GDPR.
  • For profiling, the legal framework needs to be tightened: “To this end, the prohibition of automated individual decision-making in Art. 22 GDPR should be extended to include data processing for profiling purposes. The only legal basis for profiling, in addition to a special legal basis, is to be consent or a contract. This ensures that profiling only takes place if the data subject is aware of it and consents to it.”

There is a list of other proposed changes in the document.