EU General Data Protection Regulation

Published papers of the BayLDA regarding the GDPR:

Publication regarding Art. 32 GDPR - Security of processing

Art. 42 GDPR - Certification

Video Surveillance - current and future state

Right to erasure (right to be forgotten) - Art. 17 GDPR

Records of processing activities - Art. 30 GDPR

Special categories of personal data - Art. 9 GDPR

Sanctions in the GDPR

Data Breach Notification - Art. 33 and 34 GDPR

Consents regarding to the GDPR

Processing in the GDPR

International Data Transfers

Processing of personal data for advertising

One stop shop

Mutual assistance

Child's consent

Right of access by the data subject

Code of Conduct - Art. 40 GDPR

Privacy Impact Assessment (PIA) - Art. 35 GDPR

Ansbach, 21.03.2017

Privacy Impact Assessment (PIA) - Art. 35 GDPR

By international comparison, the privacy impact assessment (PIA) is not a new method; for the German data protection environment, however, the topic is new and has to be analysed. For this purpose, the BayLDA has summarized the essential conditions for PIAs in a new paper and, in particular, addressed the issue of "privacy risk".


Ansbach, 27.02.2017

Code of Conduct - Art. 40 GDPR

In the past, few sectors adopted Codes of Conduct to achieve greater legal certainty in data protection. The GDPR now provides more incentives for drawing up Codes of Conduct. In its new paper, the Bavarian Data Protection Authority gives a brief summary of the provisions on Codes of Conduct in the GDPR.


Ansbach, 21.02.2017

Right of access by the data subject

The data subject's right of access to data stored by a data controller remains a central data protection right in the GDPR, as it already is in German national law under § 34 BDSG. It remains to be seen which additional exceptions will be made when the GDPR is adapted into German national law, and whether those exceptions will stand up before the watchful eyes of the Court of Justice of the European Union.


Ansbach, 20.01.2017

Child's consent

Art. 8 GDPR regulates which obligations have to be considered if the processing of a child's personal data is based on consent. However, the future will show how frequently such cases will occur and how to deal with them. You can find a summary of this legal issue in the following document.


Ansbach, 20.01.2017

Mutual assistance

The GDPR contains a number of procedures for cooperation between supervisory authorities on data processing operations that affect several Member States. It will be interesting to see how this takes concrete shape in the day-to-day work of the supervisory authorities. We have set out the framework conditions in a short paper.


Ansbach, 12.12.2016

One stop shop

The GDPR introduces the concept of the one stop shop for so-called cross-border processing of personal data. This means that in the case of cross-border processing, the so-called lead supervisory authority will be the sole point of contact for the data controller or the data processor. As a positive consequence, businesses will not need to contact different data protection supervisory authorities at the same time regarding a particular cross-border data processing operation.


Ansbach, 21.11.2016

Processing of personal data for advertising

The GDPR does not include the detailed regulations of the BDSG for the processing of personal data for advertising purposes. In future, the legal basis for the assessment of the admissibility of advertising will be - apart from consent - a weighing of interests according to Article 6 para. 1 letter f GDPR. The BayLDA has published a further short paper, which can be downloaded below.


Ansbach, 03.11.2016

International Data Transfers

The GDPR provides more flexibility for data transfers to non-EU countries. In future, codes of conduct (CoC) and certification mechanisms can be a basis for such data transfers. However, the problem of data access by foreign authorities needs further clarification. The new short paper on this topic can be downloaded below.


Ansbach, 26.10.2016

Processing in the GDPR

The GDPR contains provisions on the processing of personal data. However, it places more responsibilities and obligations on processors. The BayLDA summarizes important conditions of processing under the GDPR in a new short paper, which can be downloaded below.


Ansbach, 24.10.2016

Consents regarding to the GDPR

Under the GDPR, consent can continue to be a condition for the legality of processing personal data. The BayLDA has published a short paper about the differences between consent under the BDSG and consent under the GDPR. The paper can be downloaded below.


Ansbach, 19.09.2016

Data Breach Notification - Art. 33 and 34 GDPR

If a company loses sensitive data, the impact is usually hard to calculate. The consequence can be a loss of confidence among customers, but also brand damage or even large financial losses that affect the annual result. As is generally known, active and comprehensive cooperation with the data protection authority not only helps to minimize the damage of a data breach, but is also useful for informing the data subject in an appropriate way. The new GDPR requirements for reporting data breaches have been summarized in a short paper by the BayLDA. The document can be downloaded below.


Ansbach, 01.09.2016

Sanctions in the GDPR

The GDPR provisions regarding administrative fines demonstrate the legislator's intention to enable consistent and, as the case may be, severe sanctioning of data protection infringements. According to the law, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines up to 20 million EUR or 4% of the total worldwide turnover. This clearly signals to businesses and other entities that putting up with possible data protection infringements is not supposed to pay off. A brief paper issued by the Bavarian Data Protection Authority gives an overview of the basic principles of the future sanction regime under the GDPR. The document can be downloaded below.


Ansbach, 17.08.2016

Special categories of personal data - Art. 9 GDPR

The GDPR also recognizes categories of data that have a special need for protection. Art. 9 GDPR in particular sets out specific rules for these special categories of personal data. Many of the provisions are already established, but in some points noticeable changes can be seen. The Bavarian Data Protection Authority gives a short overview of the new rules: which areas remain largely unchanged and in which cases controllers need to adapt their processes to the GDPR. Important modifications could be the data protection impact assessment and the extended definition. The paper can be downloaded below.


Ansbach, 02.08.2016

Records of processing activities - Art. 30 GDPR

According to Art. 30 GDPR, each controller and controller's representative shall maintain a record of processing activities under its responsibility. The German Data Protection Authorities have already established a working group, which aims to develop a structured template for such a record of processing activities. However, the template will be published approximately in Summer 2017. In the meantime, the BayLDA is already publishing a new short paper about the new requirements. The document can be downloaded below.
(Info: The paper has been updated on 17.08.2016)


Ansbach, 19.07.2016

Right to erasure (right to be forgotten) - Art. 17 GDPR

The GDPR regulates in Art. 17 the right to erasure (the right to be forgotten). Despite the special importance of this topic for the Internet, the wording of the article shows that this is not just a regulation for the online sector - it applies generally to all data processing operations.

How the requirements of Art. 17 GDPR have to be implemented in practice is not described directly in the GDPR. For this reason, it will be very important that the European Data Protection Board provides guidelines, recommendations and best practices for this purpose.


Ansbach, 06.07.2016

Video Surveillance - current and future state

The GDPR, however, does not contain a detailed legal regulation of video surveillance. Therefore, many people interested in privacy ask how to deal with the current regulation of video surveillance through the BDSG. The BayLDA has taken up this issue and published a new short paper that shows the current state of discussion in the BayLDA. The document can be downloaded below.


Ansbach, 22.06.2016

Art. 42 GDPR - Certification

The BayLDA has published another short paper regarding the GDPR. This publication focuses on the subject of "certification", especially on the process for a certification from the perspective of a DPA.

For this purpose, the BayLDA examines the requirements for such a certification. In doing so, the BayLDA also shows the potential that future certifications for data protection might have. The new document can be downloaded below.


Ansbach, 10.06.2016

Publication regarding Art. 32 GDPR - Security of processing

The GDPR will become effective on 25th May 2018 after the transition period of two years. The supervisory authorities are currently discussing the new requirements for data protection on the European scale. Therefore, the BayLDA participates in working groups that meet this challenge particularly in Germany.

In the meantime, the BayLDA introduces some topics of the GDPR that are discussed in the Bavarian data protection authority. To this end, the BayLDA periodically (planned: twice a month) publishes a short paper on one of these topics. However, the BayLDA points out that these papers are not binding opinions, but present interpretations and opinions on the GDPR.

As the first release for this purpose, the BayLDA focuses on Art. 32 GDPR and the importance of IT security.


Ansbach, 04.05.2016

GDPR published in the Official Journal of the European Union

The General Data Protection Regulation (GDPR) is finally here. It was released today in the Official Journal of the European Union and comes into effect 20 days after publication, that is, on 25th May 2016. After a transitional period of two years, the GDPR will be applicable on 25th May 2018.
Below you can navigate directly to the page of the Official Journal of the European Union to read all details of the official documents in the different languages.


Ansbach, 11.04.2016

Final version of the EU-GDPR in German available

The European Council has published the revised versions of the Data Protection Regulation (GDPR) in the official languages. According to the current plan, the approval of the reform package in the plenary of the European Parliament is going to take place on April 27, 2016 (after appropriate prior involvement of the LIBE committee on 20./21.4.2016). After the signing on May 11, 2016, the text would be published in the Official Journal. The GDPR will then be applicable in approximately early June 2018 (after the 2-year transitional period). The German text can be downloaded below.


Ansbach, 05.02.2016

Trilogue results published in German

On 16 December 2015, the relevant legislative bodies, the European Parliament, the European Council and the European Commission, reached an agreement on a final text of the General Data Protection Regulation via the so-called Trilogue proceeding. This text needs to be translated into 22 official languages and consolidated and structured. By the meeting of the Ministers of Justice and Ministers of the Interior on the 21st of April the text will be formally adopted and sent to the European Parliament for approval. The new rules will be published via the Official Journal of the European Union and become applicable two years thereafter.

The official German translation of the not yet consolidated text can be downloaded here.


Ansbach, 05.01.2016

The General Data Protection Regulation is about to be published: Enhanced synopsis of the BayLDA

On the 25th of January 2012, the European Commission published the "Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)".

The relevant legislative bodies, the European Parliament and the Council of the European Council, agreed with the European Commission via the so-called Trilogue proceeding on a final draft in December 2015. This text needs to be translated into 22 official languages before it can be published via the Official Journal of the European Union. After publication, there will be a two-year transition period before the regulation takes effect. The BayLDA has now enhanced the existing synopsis. This synopsis should give you an update on the current state of play, as well as documenting the starting and the end point of the Trilogue proceeding. After publication of the official German version of the General Data Protection Regulation, we plan to incorporate it as well by once again enhancing the synopsis.

The enhanced synopsis can be downloaded via this website.


Ansbach, 23.06.2015

The Data Protection Race is approaching the finish line

Negotiations regarding the European General Data Protection Regulation are about to be concluded. On the 24th of June 2015, the European Commission, the European Parliament and the European Council started the so-called "Trilogue". The goal of this Trilogue is to conclude negotiations. The Bavarian State Authority on Data Protection for the Private Sector (BayLDA) has compiled a synopsis of all three published proposals.

On the 25th of January 2012, the European Commission published a proposal on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). This proposal can only be enacted if the European Parliament and the European Council agree. The European Parliament adopted its point of view on the 12th of March 2014. On the 15th of June 2015, the European Council adopted its position. Now, the Trilogue discussions are starting with the goal of enacting a new Data Protection Regulation in Europe. This regulation would be applicable without any implementation by the Member State.

The Bavarian State Authority on Data Protection for the Private Sector (BayLDA) has compiled a synopsis of all three published proposals. Interested citizens are therefore able to see the scope of the negotiations in a transparent manner. This synopsis can be downloaded via the following button.


Ansbach, 08.09.2014

New Data Protection Regulation in Europe

At the moment, there is a discussion about reshaping Data Protection Laws without the attention of the general public. The Bavarian State Authority on Data Protection for the Private Sector (BayLDA) has compiled the documents, available in German, the proposal by the European Commission and the proposals for modification by the European Parliament, into a synopsis. This synopsis can be downloaded by interested citizens.

In simplified terms, the European legislative procedure for adopting a regulation or directive requires the following steps. The European Commission publishes a proposal. Each legislative body, the European Parliament and the European Council (the Council of every Member State's government), needs to adopt its own opinion regarding this proposal. After the discussions within each legislative body have concluded, negotiations start among all three entities: European Commission, European Parliament and European Council. This is called "Trilogue". If these negotiations are concluded and a common approach is agreed upon, the legal act can be enacted by publishing it in the Official Journal of the European Union.

In Germany, the legislative procedure is not continued after a legislative session has ended (principle of discontinuity). By contrast, the European legislative procedure does not follow this principle. Even after the election of a new European Parliament, negotiations continue steadily.

Regulations, as a type of European Law, are legally binding without further implementation by Member States. Therefore, if a European regulation deals with an issue, legal provisions within a Member State dealing with the same issue no longer apply, even if the wording of the Member State's legal provision is a copy of the European regulation's wording.

On the 25th of January 2012, the European Commission published a proposal on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). During the first reading, the European Parliament published its opinion and adopted its own proposals for modification on the 12th of March 2014. Since January 2012, the European Council has been discussing the proposal by the European Commission. This discussion is extremely intense because Data Protection and Data Security laws govern almost all areas of law. Many questions relate to finding common ground in order to reach a compromise among the different legal cultures of each Member State, i.e. video surveillance, address trading, credit agencies and data protection within governmental agencies.

Data Protection Authorities in Germany as well as in Europe are following these discussions closely. Furthermore, they are engaging in these discussions. In order to provide interested citizens with easy access to these proposals, the BayLDA has compiled a synopsis. The proposals by the European Commission and the European Parliament can be compared using our document.