The Conference of the Independent Data Protection Supervisory Authorities of the Federal Government and the States (Data Protection Conference, DSK) adopted, on November 6, 2019, a report on the experience gained in applying the GDPR. The DSK comes to the following conclusions and recommendations, among others:
- The GDPR has proven itself in principle. In some areas, however, questions arise about its everyday practicability (e.g., with regard to the obligation to provide information). Here the authorities favor individual relaxations in the offline area, especially for verbal or telephone contacts or when taking an order, accepting a business card or making an appointment; in these cases, tiered information should suffice. The authorities propose inserting a new paragraph into Art. 13 GDPR, with wording strongly reminiscent of “recognizability” as defined in the Swiss Data Protection Act:
  The information referred to in paragraphs 1 and 2 shall be provided only on request of the data subject, insofar as the controller carries out data processing operations that the data subject, according to the specific circumstances, expects or must expect, and
  1. both the disclosure of data to other entities and the transfer to third countries are excluded,
  2. no data falling under Art. 9 GDPR are processed,
  3. the data are not processed for direct marketing purposes, and
  4. neither profiling nor automated decision-making takes place.
  The data subject shall be informed of this possibility.
- The principle of Data Protection by Design is hardly ever implemented in practice: “The DS-GVO should therefore also oblige software manufacturers to comply with this design principle that promotes data protection. In practice, this applies in particular to manufacturers of complex software such as operating systems, database management systems, standard office packages or highly specialized applications.” The DSK therefore proposes to introduce a new legal definition of “manufacturer” and to subject manufacturers expressly to corresponding obligations in Art. 24 GDPR, by way of a new Art. 24 para. 4:
  (4) The manufacturer develops and designs its products, services and applications, taking into account the right to data protection and the state of the art, in such a way that controllers and processors are able to comply with their data protection obligations without having to make unreasonable changes to those products, services and applications. It supports them in drawing up the record of processing activities (Art. 30), in notifying a personal data breach (Art. 33) and in communicating with data subjects (Art. 34) by providing them, upon request, with all the information necessary to do so.
  Accordingly, the manufacturer should also be able to be the addressee of enforcement measures and liability claims (amendments to Art. 79 and 82).
- The Data Protection Conference calls for a tightening of the legal framework for profiling, because the “process of profiling as such is not covered by most of the norms of the DS-GVO; data protection law only covers the use of the data, e.g. for automated decision-making, so that an assessment can usually only be made according to the general provisions of Art. 6 DS-GVO”.
- With regard to the right of access, it would be desirable to clarify whether and to what extent a “right to a copy” exists.
- For data breach notification, an obligation to notify the authorities should also apply where a breach of data security has been established but it is only suspected, and not certain, that this also amounts to a personal data breach within the meaning of Art. 12 No. 4 GDPR (e.g., unauthorized access). In this case, however, the reporting obligation should only apply if the security breach leads to a “high” risk for the persons concerned.
- On purpose limitation, the question arises whether a further purpose that is compatible with the original purpose needs its own legal basis or, as a consequence of compatibility, can be based directly on the legal basis of the initial purpose. Here the DSK calls for clarification that the secondary purpose needs its own legal basis. To this end, recital 50 sentence 2 should be deleted (“In this case, no separate legal basis is required other than that for the collection of the personal data”).
- For direct marketing, a separate legal basis or balancing of interests should be included in the GDPR.
- For profiling, the legal framework needs to be tightened: “To this end, the prohibition of automated individual decision-making in Art. 22 DS-GVO should be extended to include data processing for profiling purposes. The only legal basis for profiling, in addition to a special statutory basis, is to be consent or a contract. This ensures that profiling only takes place if the data subject is aware of it and consents to it.”
There is a list of other proposed changes in the document.