21. May 18

General Data Protection Regulation (GDPR) must be implemented by May 25, 2018

Businesses need to keep May 25, 2018 in mind. This is the day when the EU General Data Protection Regulation, GDPR for short, officially comes into force.

Following a two-year transitional period, the GDPR will come into full force and effect on May 25, 2018, thereby replacing an EU directive dating back to 1995. The GDPR is meant to create a uniform standard for data protection within Europe and provide consumers with greater protection in the digital age. The GDPR shall have precedence over national law. Notwithstanding this, we at the commercial law firm GRP Rainer Rechtsanwälte note that the European Regulation leaves many details open and provides for a certain amount of leeway for national rules and regulations.

In principle, the GDRP applies to all businesses within the EU that gather, record and process personal data. It concerns not only customer or client data, but also data pertaining to company employees. Businesses will now be subject to extensive information and documentation obligations. The more sensitive the data collected is, the stricter the data protection rules are.

For businesses, the implementation of the GDPR means more stringent requirements relating to data protection compliance, especially considering that violations of the Regulation can be severely punished. Fines of up to 20 million euros or up to 4 per cent of worldwide annual turnover can be imposed. Moreover, violations of the GDPR may also be penalized as violations of competition law.

Businesses need to communicate what personal data is being gathered and for what purpose. Personal data refers to information such as name and address, contact details, birthday, IP addresses etc. In short, all data that is likely to allow a person to be identified. This data cannot be collected without consent and has to be processed for a specific purpose or purposes in a transparent and comprehensible manner. Additionally, those concerned have the “right to be forgotten”, i.e. the data must be deleted once the purpose has been achieved. To ensure that data is protected, appropriate technical precautions need to be taken.

The GDPR entails complex changes to data protection law which businesses and employers need to be prepared for. Should violations of the GDPR occur, one should also anticipate formal warnings. To prevent this from happening, it is necessary to obtain expert legal advice or even appoint an external data protection officer.

For more informations:


Do you have any questions?
Make an appointment at one of our locations in Cologne, Berlin, Dusseldorf, Frankfurt, Hamburg, Munich or Stuttgart! For International inquiries, please contact us at our offices in London or Singapore!