GDPR: the clock is ticking!

This post is also available in: frFrançais (French)

On 25 May 2018, the General Data Protection Regulation (GDPR) must be applied in all EU member states. However, until now, only Austria and Germany countries have adopted a law implementing this regulation. Now is the time to review this regulation, recall its principal contributions and its main weaknesses, and to return to the “Computer, Privacy & Data Protection” (CPDP) conference attended by AEDH in late January and during which the GDPR was often addressed.

The main changes that the GDPR will entail are:

The major point, which is that GDPR now has an international scope. The regulation will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU.

In case of data breach, the GDPR may result in a fine of up to 20 million euros or 4% of the annual global turnover, whichever is the greater[1].

Regarding the data subjects’ right, one of the major strengths of this new regulation is consent. The conditions of consent have been strengthened, and the latter must be requested in an intelligible and easily accessible form, and it must be as easy to withdraw consent as to give it[2]. The data subjects will also benefit from:

A breach notification. This will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”[3].

The Right to Access, which is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller shall provide a copy of the personal data, free of charge, in an electronic format. This change strengthens data transparency and empowerment of data subjects[4].
The Right to be Forgotten, when the data pertaining to citizens are no longer relevant to the original purpose for processing, or when a data subject withdraws consent, the citizens in question have the right to request the erasure of their data[5].

Data Portability, which is the right for the individual to receive the personal data concerning them, which they have previously provided and have the right to transmit that data to another controller[6].

Companies will have new responsibilities such as:

to abide by the “Privacy by design” principle, which is the inclusion of data protection from the outset of the design of a system, rather than as an addition[7].

the creation of A Data Protection Officer (DPO) post:  DPO appointment will be mandatory only for controllers and processors whose core activities consist in processing operations which require regular and systematic monitoring of data subjects or of special categories of data or data relating to criminal convictions and offences[8].

Thus, the GDPR has an international character and gives consent and the data subject a central role. However, the GDPR contains a major weakness, which was criticized during the CPDP 2018 in which AEDH took part; these are some flexibilities which leave considerable room for manoeuvre to the member states. In particular, the GDPR has been described in particular as a “co-regulation”. It consists in mandatory provisions that member states must apply, but also in options, allowing member states to create their own provisions, which is the outcome of a strong lobbying campaign by industry. The GDPR allows member states to introduce exemptions in certain situations, thus undermining the GDPR’s primary purpose, which was the harmonization of data protection laws in the EU. A more detailed analysis of the GDPR flexibilities was undertaken by EDRi[9].

Faced with these criticisms, a representative of the commission replied by insisting that these opening clauses can be used in certain areas only and on the condition of never falling below the required level of protection, and on the strict role that the supervisory authorities will exercise.


Regarding the application of the GDPR, as mentioned above, to date only Germany and Austria have adopted the laws necessary for its application, which worries AEDH insofar as the deadline of application of the regulation is very close. How did these two countries make use of the ‘opening clauses’?


The opening clauses relate to, for example, the lawfulness of the processing, the obligation to appoint a data protection officer, the rules on supervisory authorities and the processing of data in specific situations[10]. While Austria has opted for a ‘minimalist’ approach to the use of these opening clauses, and has generally applied only the mandatory opening clauses, Germany made use of these clauses in “a way that could occupy the courts in the future”,[11] according to IAPP. More specifically, Germany has limited the rights of data subjects, including the breach notification, the right to access to data and the right to be forgotten[12].

To conclude, AEDH regrets that such a margin of manoeuvre has been left to the member states in that “the excessive use of opening clauses by national legislators will hinder harmonization (…)”[13]. AEDH hopes that monitoring by the authorities in charge will be strict and hopes that the other EU countries quickly adopt the national laws necessary for the application of the GDPR.


[1] GDPR Key Changes, 2018

[2] GDPR Key Changes, 2018

[3] GDPR Key Changes, 2018

[4] GDPR Key Changes, 2018

[5] GDPR Key Changes, 2018

[6] GDPR Key Changes, 2018

[7] GDPR Key Changes, 2018

[8] GDPR Key Changes, 2018

[9] Proceed with caution : Flexibilities in the General Data Protection Regulation –