As of May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC, also known as the GDPR, is in force in all Member States of the European Union.
Regulation (EU) 2016/679 provides for a number of opening clauses for the national legislator. At the same time, it contains concrete regulatory mandates addressed to the Member States. Subsequently, it was also necessary to review the area-specific data protection law for compatibility with Regulation (EU) 2016/679 and, where necessary, to adapt it.
Such an adaptation, which, among other things, amends more than 150 laws, albeit in some cases only very slightly, was passed by the Bundestag yesterday.
The bill adapts the existing sector-specific data protection regulations of the federal government to the requirements of European Union law with the following main areas of regulation:
– Adaptation of definitions;
– Adjustment of referrals;
– Adaptation (or, in some cases, creation) of legal bases for data processing;
– Regulations on the rights of data subjects;
– Adjustments due to directly applicable requirements of Regulation (EU) 2016/679 on technical and organizational measures, on commissioned processing, on data transfer to third countries or to international organizations, and on damages and fines.
Probably most relevant for many companies is the fact that a data protection officer is now only necessary if 20 or more employees are generally involved in the automated processing of data.