Important insights for German companies from the EU Commission's second GDPR report
> August 2024
Art. 97 GDPR requires the European Commission to publish every four years a report in which it evaluates the application of GDPR. Primarily, this is a review of the enforcement by supervisory authorities. Nonetheless, there are relevant conclusions to be drawn for companies as well. On 25. July 2024, the Commission published the second of these reports.... The Commission continues to view GDPR as a cornerstone for further sector-specific regulation in the digital landscape. It emphasizes that such regulations, like the recently enacted AI Act, in no way override GDPR, but that each piece of legislation must be complied with individually. Consequently, it is pushing that the long-standing negotiations on the proposal for a regulation concerning the respect for private life and the protection of personal data in electronic communications (see here), which is to replace the current Directive 2002/58/EC, shall finally be brought to a conclusion.
As regards international data flows, the Commission points out that a first review of the EU-US Data Privacy Framework is due this summer and that the expiry clause of the adequacy decision for the UK will end in 2025 as well. The latter would only be extended if the level of protection in the UK would continue to prove adequate. As a result, it cannot be ruled out that data transfers to third countries could face difficulties in the future, particularly regarding the USA. The Commission also urges those member states that have not yet signed and ratified the modernised Convention 108+ of the Council of Europe (see here) to do so as soon as possible so that it can enter into force. In the area of data protection, Convention 108+ is the only legally binding multilateral legal instrument and could sustainably promote international data traffic.
The report also focuses on small and medium-sized enterprises (SMEs). Supporting them in complying with GDPR is essential for achieving the objectives of GDPR, the Commission emphasizes. To a certain extent, SMEs could already relieve themselves of compliance efforts by only having to keep simplified records based on the templates provided by supervisory authorities if they only carry out low-risk processing operations. In addition, the use of standard contractual clauses would offer an easy-to-implement compliance instrument, provided that the contractual partner agrees to conclude them, which is rarely the case with larger providers.
At the same time, the Commission acknowledges that different authorities interpreting important terms and principles of the GDPR in varying ways creates significant challenges for controllers. According to the Commission, this is particularly true for the question of whether data subjects' access requests are unfounded or excessive if they are submitted in especially large numbers or for purposes unrelated to privacy. In this context, the Commission encourages supervisory authorities to increasingly support SMEs in future by providing "tailor-made guidance and tools" as well as actively seeking dialog on GDPR compliance.
However, it remains to be seen as to what extent this goal will actually be achieved in Germany. After all, the report shows that German supervisory authorities are already well occupied. They initiated by far the most investigations at their own initiative and imposed the most fines. In 2022, they also issued the most corrective measures. Besides, the willingness to work cooperatively with controllers varies greatly from authority to authority.