The German Data Protection Authorities (German DPAs) released a "Report on the Experience Gained in the Implementation of the GDPR", which was adopted at their conference on November 6, 2019 (Report; available in German here and English here). In this blog, we summarize the key issues that the German DPAs have raised in the Report.
Under Article 97 of the EU General Data Protection Regulation (GDPR), the EU Commission is required to submit an evaluation and review report on the implementation of the GDPR by May 25, 2020 - so two years after the GDPR became applicable. The German DPAs want to share their experience to contribute to this process and have thus published the Report. The German DPAs opine that the GDPR's regulatory concept and objectives have largely proved successful and that the heavy GDPR fines are a driver for developing broad-based awareness of data protection. However, they also acknowledge that some uncertainty remains when it comes to GDPR implementation and that there still is a need for guidance from the supervisory authorities.
Key GDPR issues identified in the Report
The German DPAs have identified nine key issues associated with GDPR implementation and provided the following suggestions for improvement in the Report:
Making life easier and practicability
The German DPAs reiterate that the GDPR must be suitable for everyday use. In particular, they raise the following three issues:
Information obligations (Article 13 GDPR) during data collection by telephone
The German DPAs consider it "unrealistic" to provide comprehensive information in accordance with Article 13 GDPR in case of a verbal or telephone contact. They refer to complaints by data subjects about information overload in this regard. Suggested solution: It should be sufficient to implement a layered, risk-based approach, telling the data subjects where they can find further relevant information. Right to a copy of personal data (Article 15(3) GDPR)
The German DPAs acknowledge the heated debate surrounding the scope of the right to a copy of personal data under Article 15(3) GDPR. Suggested solution: The scope of the right to a copy of personal should be clarified, e.g., by supervisory authorities. Duty to communicate details of data protection officers to supervisory authorities (Article 37(7) GDPR)
The German DPAs note that the duty to communicate the contact details of data protection officers to the supervisory authorities under...