
GDPR

General Data Protection Regulation


The European General Data Protection Regulation (GDPR) has significantly increased the compliance requirements in relation to data protection law. With effect from 25 May 2018, companies throughout Europe and those that process the personal data of EU citizens had to rethink their handling of personal data and change their internal processes accordingly. Since then, processing of personal data within companies has had to comply with the GDPR.

CMS legal advice – mastering GDPR requirements in practice

The CMS data protection team offers clients legal advice on all aspects of the GDPR and related data protection issues. Since the start of 2016, when the countdown began for the GDPR’s entry into force, we have supported companies from across all sectors on a range of projects, both national and international, helping them to prepare for and implement the General Data Protection Regulation. We continue to provide them with dependable legal advice around the GDPR.

In all GDPR compliance matters, our experts on data protection law work closely with in-house legal departments, data protection officers and compliance officers, as well as IT security departments. Together, we ensure that GDPR-compliant data protection management is integrated effectively into all business processes, delivering outstanding compliance thanks to best-in-class legal advice on the GDPR.

GDPR – the next stage: looking ahead to the ePrivacy Regulation

Corporate data protection compliance could soon face even tougher requirements than those imposed by the GDPR, due to the upcoming implementation of the ePrivacy Regulation. It was originally intended to enter into force along with the GDPR, but was postponed several times due to a lack of consensus within the EU. A key aspect of the ePrivacy Regulation is its rules on online tracking.

Further information on the ePrivacy Regulation and registration for our free newsletter can be found here.

GDPR risk: fines for breaching data protection rules

While concerns about a huge wave of warning notices due to breaches of the GDPR have not been realised, the authorities have initiated several GDPR-related summary proceedings in recent months. This shows that any breach of GDPR data protection rules could have serious consequences for your company.

As part of our comprehensive legal advice on the GDPR, we alert companies to the possible risk of fines at a very early stage. We support them in establishing compliance with the GDPR in their operating procedures and processes and continuously monitoring compliance with the rules, with the aim of avoiding GDPR fines.

More information on the risk of fines and the schedule of fines for data protection infringements can be found in the CMS Enforcement Tracker. 

CMS Enforcement Tracker
GDPR Enforcement Tracker Report 2021
The GDPR Enforcement Tracker Report aims to provide you with valuable insights...
Data Law Navigator | Germany

Feed

27/05/2021
GDPR Enforcement Tracker Report

When the GDPR was already in force, but not yet applicable (and not a single fine had been imposed yet), much attention was paid to the formidable fine framework. For many company officers, this caused fear: if I violate the GDPR, I have one foot in jail (or at least my organisation has to pay EUR 20 million or 4% of its global annual turnover, calculated for the whole group, if the company is part of one).

We believe that facts are better than fear.

The continuously updated list of publicly known GDPR fines in the GDPR Enforcement Tracker is our 24/7 remedy against fear, while the annual Enforcement Tracker Report is our deep dive and permits more insights into the world of GDPR fines. We are pleased that our analysis for this second edition of the ET Report is based on a larger overall data set of more than 570 fine cases, 526 of which made it into the editorial team's worksheet.

More international

We are even more pleased that more international colleagues supported us this time and provided detailed input on enforcement practice, in particular for EU member states in the new member state interviews (Editor's note: the United Kingdom remains part of the Enforcement Tracker Report and the Enforcement Tracker as the UK General Data Protection Regulation ensures regulatory consistency regardless of Brexit).

Local law and practice matter

After almost three years of GDPR application, we are not the only ones to have learned one thing: despite the GDPR's full harmonisation approach, hardly any other area is shaped more by national laws and official practice than GDPR fines. This may be a reason why Spain still tops the list of countries with the most fines this year.

Executive Summary

As we are aware that privacy professionals are unlikely to have a peaceful job in these challenging times, the second edition kicks off with an executive summary for the quick reader (including overall takeaways, in addition to sector-specific observations). Having intentionally opted for an online-only publication, the ET Report's ExecSum is the only part that you can conveniently download (or even print out for bedtime reading without a digital device).

Numbers & figures and sector approach

We have put together an overall summary of the existing fines in the "Numbers and Figures" section, followed by tried-and-tested analysis for the following business sectors:

Finance, insurance and consulting
Accommodation and hospitality
Health care
Industry and commerce
Real estate
Media, telecoms and broadcasting
Public sector and education
Transportation and energy
Individuals and private associations

plus the overarching category Employment.

Your takeaways

This in-depth analysis permits first conclusions to be drawn as to which business sectors attracted particularly hefty fines. We also analysed the DPAs' reasonings for the fines. These aspects together allow us to provide you with key takeaways for each business sector. Apart from the lawfulness of each data processing operation, bolstering data security should remain in the spotlight for every organisation. There are already relevant indications in terms of data protection litigation – in particular, data subjects' claims for material or immaterial damages under Art. 82 of the GDPR are on the rise. This trend is unlikely to stop, being in particular supported by collective redress mechanisms and legal tech offerings that are already increasing the risks of and resources needed for data protection claims management.

Methodology

We do not resort to witchcraft nor do we have preferential access to GDPR fine information (at least in most cases, but we are still working on that…) when working in the Enforcement Tracker engine room and preparing the Enforcement Tracker Report. In addition to our necessary focus on publicly available fines, there are some other inherent limits to the data behind this whole exercise. For the "small print", please see our more detailed remarks on methodology. On a more general level, although we have done our best to break down a complex topic into neat pieces, we have resisted the temptation to follow SEO recommendations for the whole content package and would ask you to consider it a "long read" format if you decide to read it in full.

What's next?

The Enforcement Tracker Report and the Enforcement Tracker are a work in progress. We highly appreciate any form of feedback (preferably constructive…) and would like to thank everybody who has reached out over the last year. We received interesting ideas, information about forgotten fines (hidden deeply in remote corners of a supposedly completely captured world) and recommendations for additional features (our bucket list is growing steadily), as well as relevant contributions from stakeholders outside the EU – demonstrating that the data protection landscape is evolving rapidly on a global scale and interfaces between national/regional concepts are developing even in the absence of a global data protection law. We have engaged with peers from the legal profession, privacy professionals with a more advanced tech background as well as researchers from various disciplines. We strongly encourage you to continue engaging with us. And we apologise in advance if our feedback may take some time; the data protection world is not a quiet one right now.

Stay safe – and keep on fighting,
Christian Runte, Michael Kamps, editors and the enforcement tracking and reporting team
05/03/2021
Data protection and cybersecurity laws in Germany
Data protection 1. Local data protection laws and scope Data processing operations are governed by the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) of 30 June 2017, as last amended...
28/04/2020
Checklist M&A and GDPR
The scope of the EU General Data Protection Regulation (GDPR) extends to M&A transactions. Sanctions for infringements of data protection rules include, amongst others, a fine of up to EUR 20 million...