Anniversary: 2 years GDPR

On May 25, 2018, the GDPR came into force and caused a lot of dust in some companies. The excitement was great back then, but it has now subsided. Many detailed questions that were still open in 2018 have been clarified. Other problems are still waiting for a clear positioning by the supervisory authorities or a court decision. We look back on the past 2 years and highlight some highlights in data protection.

Video surveillance

The specification of the requirements for data protection-compliant video surveillance by the European Data Protection Committee with the guidelines of 10.07.2019 was gratifying. E.g. Those responsible should now be able to see more easily how to design their signs in a legally secure manner or what needs to be observed when storing them. The guidelines also show that many video surveillance operators have taken the issue too lightly, and that the requirements for video surveillance in compliance with data protection regulations require thorough and careful examination.

You can also find a direct link to the guidelines in our video surveillance blog article.

Shared responsibility

When the GDPR was introduced, it was not yet entirely clear what exactly shared responsibility means and when it actually exists. Court rulings have now made it clearer what matters when it comes to shared responsibility. The much-noticed judgment of the ECJ of June 5, 2018 – C-210/16 on Facebook fan pages should be known. According to this ruling, operators of company pages on Facebook are jointly responsible with Facebook. The ECJ then became more specific a year later in its judgment of July 29, 2019 – C 40/17, when it dealt with the consequences of joint responsibility for plugins.

For many responsible persons, it may also arise at one point or another that an order processing contract is not the right choice, but a contract for joint responsibility is to be concluded.

Are you still not sure when there is joint responsibility and what you have to consider? Read more here.

Cookies, Tracking and Consents

The use of tools on websites such as: B. to evaluate user behavior by website operators. The cookie banners show creative diversity. There are several decisions of the courts (e.g. ECJ ruling of October 1, 2019, Az. C-673/17): Tracking is only permitted with real consent by the user! Nevertheless, many website operators still find it difficult to make their website data protection compliant. In their decisions, the courts have given little consideration to the practicability of obtaining consent. Privacy statements are now generally available on most websites and are easy to find. When it comes to their content, however, many operators still have difficulties in obtaining consent in accordance with GDPR.

If you need help here, please do not hesitate to contact us.


The fines imposed had been followed most closely. While in the first year of the introduction of the GDPR the supervisory authorities still granted many responsible persons a grace period and rather warned and admonished them, the patience was not so great in the second year. The front runner in Germany so far is Deutsche Wohnen SE, which received a fine of € 14.5 million from the Berlin supervisory authority for its “data cemetery” (alias archive system) (not legally binding).

Before that, Delivery Hero was far behind, with a fine of € 195,000 for inadmissible advertising e-mails and inadequate deletion of customer data in first place in Germany.

Now in second place in Germany is 1 & 1 of Telecom with 10,000,000 € due to the lack of protection of customer data through adequate technical and organizational measures.

The record holder within the EU is Google. The decision in the amount of € 50 million was imposed by the French supervisory authority due to insufficient compliance with the information obligations for the Android operating system.

Otherwise, however, it was also evident that the supervisory authorities act with a sense of proportion against those responsible.

Even today, many do not know how the amount of the fine is determined. Our blog article and video provide information on this.

Certification according to GDPR

When the GDPR was introduced, it was welcomed that it legally provides for data protection certification. However, even two years later, no company has been accredited as a certification body. Corresponding applications can already be submitted, but the criteria that are defined by the supervisory authorities have not yet been finalized at European level. Please note the “Requirements for accreditation according to Art. 43 Para. 3 GDPR i. V. m. DIN EN ISO / IEC 17065 “of the data protection conference of 08/28/2018. The possibility under the GDPR would therefore be provided by law, but there is still no Europe-wide coordination on the concrete implementation and design of the data protection criteria.

We have already thought about this ourselves. We are happy to check your company or individual areas of it for GDPR compliance. You can find out more on our performance page on audits. We are happy to be there for you personally.


Overall, the GDPR has given data protection a major boom. This was also shown by the fact that at the beginning of the corona crisis, despite the will to fight the virus, the question quickly arose what data protection would be like. Employers in particular were initially unsure how to deal with the health data of their employees.

The quick and clear positioning of the supervisory authorities with the “press release of the conference of the independent data protection supervisory authorities of the federal and state governments on March 13, 2020” was therefore to be welcomed. This has made it easier for many responsible persons to assess whether and which data they are allowed to process to implement protective measures. The guidelines for the ULD’s home office, for example, should be positively emphasized. Here the supervisory authorities showed themselves to be pragmatic. At the same time, however, they also pointed out the limits of data protection law. In doing so, they clearly opposed a weakening of data protection in favor of infection protection measures. This enabled those responsible to recognize that data protection is not an obstacle to short-term and effective infection control measures. Conversely, the Infection Protection Act does not negate data protection either.

In this context, we continue to provide free home office guidelines for employers and employees.

Criticism and weaknesses

Critics described the GDPR as too theoretical and impractical. When the GDPR came into force in May 2018, it was difficult for many responsible parties to recognize the limits and possibilities of what is legally permissible. Even data protection officers were initially overwhelmed in some places. It was complained that large companies that could spend more budget on data protection were preferred to overburdened smaller companies. The situation was not improved by the fact that the supervisory authorities had too few staff to proactively respond to questions and fully enforce the GDPR. However, this is a mistake that cannot be blamed on the GDPR, but stems from the financial and organizational structure of the supervisory authorities, to whose demands the politicians have not yet adequately responded to despite improvements in some areas.

Worldwide reception of the GDPR

The GDPR has established the EU as a global leader in data protection. The EU has thus set international standards for data protection and other states are basing their legislation on the EU-wide regulations. However, it is often difficult to transfer data outside the EU to third countries. Especially when it comes to the USA, many responsible parties find it difficult to understand that this is an unsafe third country from the GDPR point of view and that data may only be transmitted under special conditions.

The question of the admissibility of data transmission to Great Britain after Brexit will be exciting. In the absence of an exit contract, it remains open which regulations will apply in the future.


The GDPR was a milestone in data protection. It sets the new rules within the EU and is a global benchmark for data protection. Whereas in the past data protection was mostly dismissed as negligible with a shrug of the shoulders, those responsible now know (also thanks to high fines) that they must take data protection seriously and implement it. Many initial ambiguities have been cleared up in the last two years, in part also through decisions of the courts. Although these sometimes turned out to be difficult to implement in practice, the supervisory authorities have tried all the more to provide practical assistance. Therefore, the supervisory authorities will now increasingly impose fines if they discover violations.

Responsible companies are well advised to get support if they are uncertain. Our team of lawyers, data protection and IT security officers will be happy to help you. Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!