
Data protection in dialogue with Axel Voss – SuP presents 10 proposals for modernising data protection law

The Digital Omnibus shows that the question of how to modernise the GDPR in a practical way is increasingly being discussed at the political level.

Against this backdrop, our colleagues exchanged views with Axel Voss, Member of the European Parliament and digital policy expert. The discussion focused on how European data protection law can be further developed without weakening the level of protection for data subjects – while at the same time creating space for innovation, digitalisation and responsible data use by controllers.

As a law firm, we are following this discussion not only from the perspective of the application of law. Based on our consulting practice, we have developed ten theses on the modernisation of data protection law and are contributing these to the discourse as discussion points.

The aim is to constructively contribute practical experience from mandates to create added value for society.

Dialogue with decision-makers is a central part of our self-image: sustainable further development of European data law can only succeed through open, objective exchange between practitioners, politicians and society.

We are continuing this dialogue.

 

10 theses on the modernisation of data protection law

1. Thesis: Less state – more self-regulation

The state-oriented system of strong supervisory authorities under Chapters 6 and 7 of the GDPR is not effective enough and involves disproportionately high costs. From an economic point of view, a shift away from state supervision towards market-based self-regulation is necessary. To ensure this, proven self-regulation mechanisms must be retained, e.g. a register of processing activities including technical and organisational measures, risk assessments, data protection impact assessments and data protection officers.

2. Thesis: Risk-oriented tiered model

The applicability of specific provisions of data protection law (e.g. appointment of data protection officers, maintenance of a record of processing activities) should not depend on the size of the company (e.g. number of employees or turnover), but should follow a risk-based tiered model depending on the sensitivity of the business processes.

3. Thesis: Prevention of abuse of data subject rights

The abusive exercise of data subject rights should be made more difficult, for example by requiring proof of legitimate interest, justifying cost-bearing obligations or restricting excessive requests for information by data subjects. This applies in particular to the right to obtain copies.

4. Thesis: Restructuring of the reporting system

The obligation to report data protection breaches to supervisory authorities should be limited to cases with a very high risk for the data subjects. However, the obligation to report to data subjects in cases of high risk should be retained.

5. Thesis: Strengthening the existing contractual system

The contract-based system of data protection law (e.g. processing on behalf of a controller, joint controllership, confidentiality obligations) should be retained and expanded, as it allows needs-based and effective framework conditions to be created for individual cases. For example, the concept of processing on behalf of a controller could be extended to services where the service provider has its own discretion, including with regard to the purposes of processing. The possibilities for delegating data protection obligations within joint controllership agreements could also be expanded.

6. Thesis: Higher qualifications for DPOs

Appropriate, legally defined minimum requirements should be set for the professional and personal qualifications of data protection officers. In practice, a lack of knowledge and personal qualifications often leads either to unfounded assumptions of prohibition or to professional resignation on the part of controllers.

In addition, the qualification of data protection officers promotes the quality of their work and effective self-monitoring by controllers.

7. Thesis: Liability of the DPO

Privileged employee liability should be abolished for independently working data protection officers. Data protection officers should be liable for consulting errors and for failure to perform statutory duties.

8. Thesis: Strengthening self-regulatory instruments

The use of data protection codes of conduct and certification mechanisms should be expanded and promoted through further privileges with regard to legal requirements, e.g. data subject rights and documentation and accountability obligations.

An out-of-court arbitration procedure with an appointed ombudsperson should be introduced.

9. Thesis: More effective enforcement

Private autonomy should be strengthened through more effective legal protection with improved judicial enforceability by extending the reversal of the burden of proof in accordance with Art. 82(3) GDPR to the existence of adequate data protection management.

10. Thesis: Strengthening competition

Mutual competition law claims by market participants due to data protection violations should be extended by recognising them as market-protecting.

Furthermore, data protection standards should be taken into account in tenders.