GDPR: now what? First Experiences in Germany

GDPR came into force on May 25th, 2018. At the same time, the new German Data Protection Law, which specifies the opening clauses of GDPR, came into force.

Besides some curious discussions (such as whether doorbell signs can be labelled by the landlord without the consent of the tenant), there are also tangible results from the first weeks of GDPR. For example, one German supervisory authority has issued guidelines for small businesses and associations to help them implement GDPR. Other authorities describe a model (Standard Data Protection Model) that allows for systematic verification of compliance with statutory requirements relating to the handling of personal data and their appropriate implementation. In addition, the supervisory authorities provided short information to many topics of GDPR.

The distribution of privacy information according to Article 13/14 GDPR meant that companies were overwhelmed with objections and access requests. Interestingly, there are few requests regarding data portability.

In the meantime, the supervisory authorities also gave notice of unannounced audits in connection with the implementation of GDPR. In addition, authorities circulate initial questionnaires to query companies about privacy compliance. Since many companies still do not comply with the new EU data protection rules, the supervisory authorities have already issued penalty notices.

Understandably, there are still few GDPR judgments due to the short time span. The existent judgments deal mainly with the possibility of warning letters regarding GDPR violations. However, there is no uniform case law yet apparent. In summary, it can be stated that GDPR is practiced in Germany and that companies work on compliance. The supervisory authorities are keeping a close eye on the issue.


Franziska Ladiges, SKW Schwarz Rechtsanwälte


Read more:

GDPR in France

GDPR in Italy

GDPR in Canada