The EU General Data Protection Regulation (EU GDPR) was published in the Official Journal of the European Union and entered into force 20 days after publication on 25 May 2016. The EU GDPR became directly effective on 25 May 2018 after a transition period of two years.

With 99 articles and 173 recitals, the EU GDPR is significantly more comprehensive than the previous German Federal Data Protection Act and other national data protection laws.

The most urgent goal of the European data protection reform was to strongly standardize data protection law within Europe. In addition, data protection law was to be modernized to provide answers to questions arising from digitalization and globalization.

Under the General Data Protection Regulation, the extended control/audit powers are flanked by an expansion of the framework of fines (Art. 83 GDPR). Thus, fines of up to 4% of a company’s global annual turnover, or 20 million euros, are permissible for certain legal violations, with the higher value applying in each case.

In the area of business, the new regulations lead to harmonization and the creation of a level playing field for all companies on the European market.

Those who have already installed a data protection management or a data protection organization and who have implemented the corresponding regulations and measures, e.g.

• keeping procedure directories
• data protection and security concepts
• measures for IT security

can make the necessary adjustments with less effort.

The principles of the new Europe-wide regulations for handling personal data include the following

• lawfulness
• proportionality
• transparency (accountability and verification obligations)
• purpose limitation
• data economy
• guarantee of data security

sowie eine unabhängige Aufsicht und wirksame Sanktionierung.

as well as independent supervision and effective sanctions.

The introduction of the General Data Protection Regulation goes hand in hand with a deliberate strengthening of data subjects’ rights. “Effective protection of personal data throughout the Union requires the strengthening and precise definition of the rights of data subjects” is therefore explicitly stated in Recital (erwGr) No. 11. The main pillars of the new data subject rights are, in addition to the stricter liability regime and the newly introduced individual claims, above all the expanded transparency obligations in data processing.

The new Trade Secrets Act came into force in Germany on 26 April 2019. It safeguards important business information and affects large companies as well as SMEs. But beware: information is only protected by the law if companies act!

With the Trade Secrets Act, the German legislator has implemented the EU’s so-called Know-How Protection Directive. Through this new set of regulations, there is now an independent law for the protection of trade secrets.

In addition to the EU GDPR, the law brings with it new obligations for companies. It is about protection against the disclosure of trade secrets to unauthorized third parties. Important business information is to be safeguarded, regardless of whether it contains personal data.

The Trade Secrets Act serves to protect trade secrets from unauthorized acquisition, use and disclosure. To this end, trade secret owners are provided with rights to information, injunctive relief and claims for damages against infringers.

This means that information of a certain economic value that is not generally known or readily accessible is protected. This can include all information of which one does not want anyone outside the company to gain knowledge. Examples are recipes, customer lists or discount scales. The term “secret” is relatively broad.

Of central importance here, however, is that only information that is protected by appropriate safeguards is protected by law! This represents a significant change to the previous handling.