Implementation of the nDSG
In the meantime, practical experience has accumulated as to how data protection law is to be implemented. Especially for large companies and companies in a complex or regulated environment, numerous further questions will arise. But as we all know, even the longest journey begins with the first step.
Checklists for SMEs
Implementation for larger companies
The revised law no longer trusts companies to ensure data protection without creating a certain structure and organization. It is still much more principle-oriented than the GDPR, but certain processes and framework conditions must be documented.
The revised law deliberately refrains from imposing a separate, general duty to document processing operations or the associated decisions. However, the legislator still provides for so-called accountability obligations in certain areas. These include, for example, the obligation to retain the records of a data protection impact assessment or of logging, but above all the obligation to keep a record of processing activities.
The current FADP only requires explicit information about the processing of personal data in exceptional cases (when particularly sensitive personal data such as health data or personality profiles are obtained). In most cases, it is sufficient that the processing is evident from the circumstances.
This changes with the revised law. Analogous to the GDPR, the law requires information for all processing unless an exception applies. This even applies to self-evident and trivial processing. This does not help anyone, but a violation of this obligation can even be punishable.
Companies should therefore provide information about their processing, usually in the form of data privacy statements. These are notices or documents that describe data processing – they are not part of the contract and should not generally be part of the GTCs.
The revised DPA requires the conclusion of contracts in certain cases. This results from the fact that the DPA distinguishes between different roles of companies.
Data protection law aims to ensure protection. It cannot therefore permit transfers to other countries without restriction if the necessary protection is lacking there. Like the GDPR and the current DPA, the revised DPA therefore initially only permits such transfers if the recipient state guarantees adequate data protection. If data is exported unlawfully, this may be punishable under the revised FADP.
The law generally follows a risk-based approach. This means that the responsible parties have to adjust their compliance measures in accordance with their assessment of the risks for those affected. In some cases, however, the law specifies higher requirements for particular risks.
In addition to the points mentioned, there are of course other points to consider. Without claiming to be exhaustive: two of the most important points are certainly data deletion and data security.