GDPR (The General Data Protection Regulation)

This regulation was adopted on 14 April 2016 and became enforceable beginning 25 May 2018.

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation passed into EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also covers the transfer of data outside the European Union.

The regulation can be briefly summarised as follows:

  • It is designed to give control to individuals over their personal data
  • Data protection principles must be put into place, including technical and organisational measures
  • Business processes must be designed with the GDPR principles and safeguards in place
  • The highest possible settings regarding data privacy must be provided for as a "default setting"
  • Private data may not be disclosed or processed without the prior consent of the individual to whom the data refers
  • This consent may be withdrawn at any time
  • Any organisation (private or public) whose core activity involves processing data must employ a Data Protection Officer (DPO), who manages GDPR compliance
  • GDPR is binding and applicable

Given the above, it is not surprising that it is a difficult subject to tackle, to implement and to regulate. Many SMEs are struggling; it is primarily the big multinationals who have implemented it in full. The clock is ticking, however, and there now exist many reports and different levels of analysis highlighting the fact that all is not well.

With this as a background, the German regulatory authorities have decided to become more active in creating a more transparent and structured framework regarding the regulation and possible penalties in cases of non-compliance, which has consequences for business at home in Germany but also in the European Union. Please read the articles below.


On June 22nd 2019 the Berlin Data Protection Authority presented a draft regarding the setting of penalties and sanctions at the German Data Protection Authority (DSK) conference. The proposals were welcomed and accepted by a majority vote. The objective is to ensure a structured, easy-to-understand and transparent setting of fines and penalties (following Art. 83 of the EU General Data Protection Regulation (GDPR)).


The new framework will take into account the key learnings and the practical experience gained by the independent data protection supervisory authorities of the German federal and state governments.

On September 17, 2019, the conference published a press release on the fines model, making it clear that the new framework is not yet ready; however, it can be seen as a warning shot at those organisations that have yet to implement GDPR properly. The press release from September 17th, 2019 did state, however, that the fine model will initially be used in regulatory proceedings against companies to test it for its practicality and accuracy.

It is becoming clear that many countries within the European Union are having difficulties with GDPR. It is planned to coordinate and ultimately harmonise the process and approaches to setting fines; to this end, the findings and newly developed framework have been passed on to the EU for consideration.


The Federal Regions in Germany still have some work to do: it cannot be ignored that the different regions in Germany have had differing approaches, and they will have to find common ground regarding the new framework proposal. What is clear, however, is that the ball has been set in motion and sooner rather than later a common structure will be agreed upon, both within the whole of Germany and at a European level. Some Federal States have already started to use the new framework.

Companies operate across borders, and it makes sense to harmonise the approaches to non-compliance with GDPR. The DSK plans to discuss the next steps at their next conference in Trier on November 6th-7th.

The above information is partially taken from the following article (in German):

Please select the next link to read an interesting article, which appeared in FORBES Magazine (Jul 10, 2018):

Further reading below again from FORBES (Aug 15, 2018):

Another interesting article, this time from McKinsey (July 2019):


Should you need advice and support regarding GDPR, please do not hesitate to contact us here at ENFINA-Security.