On 17 September, Bitkom will host the 5th Privacy Conference. In advance of the conference we are talking with some speakers about current privacy issues, the impact of the GDPR and their expectations for the #pco19. Today in the interview: Dr Carlo Piltz, Salary Partner, Team Leader Cybersecurity & Data Protection at reuschlaw Legal Consultants.
More than one year ago, the General Data Protection Regulation came into effect. What do you think are the major barriers when it comes to implementing it in companies?
For companies, the comprehensive documentation and accountability obligations certainly play an important role. The expenditure arises rather on the factual level. For example, when companies have to find out internally which department does what exactly with data. Only after this task has been ticked off can accountability obligations be fulfilled.
A further relevant component in the implementation of the GDPR is certainly the fulfilment of the rights of the data subjects. Both legal questions and the procedural organization of the fulfilment of the rights concerned play a role here. For example, it is still unclear how far the right of access actually extends and what exactly a "copy" of the data represents. In addition, companies must always keep an eye on the new deadlines when dealing with enquiries from data subjects. In principle, the data subject must receive an answer within one month.
Which further questions regarding the GDPR do you frequently have to deal with in your daily work with clients?
Basically, the range of questions here really goes from A to Z. In part, it is about fundamental issues, such as the question of how valid consent can be obtained on the basis of the requirements of the GDPR. On the other hand, it is also a question of fulfilling the rights of data subjects, in particular the question of the depth and scope of the information to be provided pursuant to Articles 12 and 13 GDPR.
At the moment, of course, the decisions of the European Court of Justice also raise more and more questions regarding cooperation between companies and the legal classification of the various roles in terms of data protection. In practice, I think it is fair to say that the legal figure of joint controllership is on the advance.
In your opinion: Which sectors still have the greatest need to catch up concerning the implementation of the GDPR?
From my experience, I could not name a sector that is particularly good or particularly bad. Of course, there is often a certain sensitivity to the subject in the media and online economy, as they tend to "make money with data". But even there, negative examples certainly still exist. In my experience, one should also not be under the illusion that economic sectors with access to particularly sensitive data, such as the health sector, are on average better positioned than other economic sectors.
I think the difference you can see is mostly in the sensitivity to the issue of data protection and then also the willingness to address this issue in the respective company.
Where do you currently see the greatest dangers for companies which did not design their processes to be GDPR-compliant?
The dangers are manifold. Of course, everyone would currently point to the risk of a fine. But I always point out to companies that there are other potential sanctions available for the authorities. Much more serious than a fine for many companies is the risk that an authority would prohibit data processing by administrative act or oblige the company to delete data.
But besides the official supervisory measures, one must not leave out of consideration that data subjects can also make claims for damages under the GDPR if provisions of the GDPR are violated and damage results for the data subject. I think that we will see a larger number of such claims for damages in the future.
As far as the risk of warnings from competitors is concerned, I cannot claim from my experience that this is currently the greatest risk. That may also be connected with the fact that there is basically no company which acts in a completely GDPR-compliant manner.
Which insights do you hope to gain at this year's Bitkom Privacy Conference?
I am very much looking forward to discussions with participants from the various fields of activity in data protection law: business, consulting, public sector, government and of course the supervisory authorities. In my opinion, we can all learn from each other at the present time and benefit from discussions, even if we have different views on certain issues. I am sure that the current rulings of the European Court of Justice on data protection law will also provide sufficient material for discussion.
Thank you, Dr Carlo Piltz!