What do HR managers need to look out for in the future?
The Federal Data Protection Act (BDSG) still applies in Germany - but in one year things get serious for the member states of the European Union: on 25 May 2018 the new EU General Data Protection Regulation (GDPR) replaces the previously applicable national law.
It already entered into force in May 2016, but the Member States were given a two-year period to implement the requirements of the EU-DSGVO and to regulate national specifics through opening clauses.
5 Tips for HR Professionals
The aim of the new regulation is the harmonization of data protection law at the European level. This is intended to give individuals more control over their own data. An important innovation in the EU-DSGVO is the joint liability rule.
1. Up to 20 million euro penalty
Under the still valid Federal Data Protection Act, the client (controller) alone is liable in the case of commissioned data processing. From May 2018 onwards, however, binding rules apply - so both clients and service providers can be prosecuted for breaches of data protection law.
Since the upper limit for fines has also been raised, companies should take special care in choosing their service providers. In the future, companies face a penalty of 20 million euro or four percent of the previous year's turnover instead of 300,000 euro - whichever is higher.
2. Special rules through opening clauses
The BDSG (new) has already been passed by the Bundestag and received the approval of the Bundesrat on 12 May 2017. Many articles of the General Data Protection Regulation contain so-called opening clauses.
The opening clauses allow EU Member States to regulate certain requirements in more detail. For example, companies in Germany in which more than nine employees process personal data in automated form are currently required to appoint a data protection officer. The new Regulation, on the other hand, does provide for the function of the data protection officer, but sets no precise headcount threshold. Member States can then specify this in a further national standard.
3. The processing of personal data
Another example concerns the processing of personal data - the currently valid Federal Data Protection Act generally prohibits this unless the data subject expressly consents to the data processing or there is a legal basis.
Such a basis is, for example, the employment relationship. If an employee is employed by a company, the company may process his or her data without asking beforehand. The same applies for the duration of the application process: until the procedure is completed, the company does not have to obtain the applicant's consent.
4. Consent to a data protection waiver
Under the new EU-DSGVO, employee data protection can now be regulated by the individual Member States themselves by means of an opening clause. In Germany, the previous rules remain largely intact. One innovation, however, is that works agreements can regulate these matters, so that individual consent is not necessary.
As case law has already recognized, it is also clarified there that voluntary consent to a data protection waiver in an employment relationship requires special indications that it was given voluntarily, for example an advantage the employee gains from it.
5. What HR departments should do now
HR departments should make appropriate arrangements in light of these changes. This applies in particular to joint liability with service providers. If a company hands sensitive applicant data over to a service provider for processing, it must first satisfy itself that the data is just as secure there as it is in-house. HR departments should therefore ask their service providers for proof of the technical and organizational data protection measures taken and for a template of a commissioned data processing contract.
If the service provider is prepared for this and makes the relevant documents available quickly and easily, it is very likely to be trustworthy. If the documents also stand up to review by the data protection officer and are possibly supplemented by data protection certificates from external bodies, this is a good basis for long-term cooperation. If, on the other hand, the question catches the service provider off guard, it is better to refrain from the contract.