The European General Data Protection Regulation (GDPR) has come into effect on 25 May 2018. Due to its broad scope and its implications for the processing of personal data inside and outside of the EU, the GDPR has drawn attention on a global level.

Since the GDPR has come into effect only recently, there are still many questions about the implementation and enforcement of the new rules. While some concerns turn out to be unfounded, a thorough investigation of the GDPR is imperative for companies around the globe doing business with Europe. This newsletter addresses frequent questions and misconceptions about the GDPR with a focus on Japanese companies doing business with Germany.

1. Consent is the cornerstone of data processing
Consent is only one of the lawful bases to process personal data under the GDPR and does not relieve the controller or processor from following the other principles of the GDPR, such as transparency, fairness, proportionality and accountability. Although consent will continue to have major importance, processing based on consent faces a number of challenges in practice:

• Free choice: Consent must be freely given, specific, informed and unambiguous (Art. 4 no. 11 GDPR). Freely given means that the data subject must have a real choice and must not face any negative consequences for withholding his/her consent.
  • Bundling/Tying: The GDPR makes it clear that “bundling” (linking consent to the acceptance of other terms & conditions) and “tying” (linking consent to the provision of goods or services) is considered highly undesirable. This can be a problem for businesses which offer goods or services that are “paid” with personal data, such as certain smartphone applications and games.
  • Employees: Consent might not be freely given where there is an imbalance of power or dependency, such as in an employer/employee (or applicant) relationship. It is therefore problematic for employers to rely on consent to process personal data of employees, except in those cases where not giving consent will have no adverse consequences at all for the employees and is sought for the provision of a legal or economic benefit for the employee or where joint interests are pursued
• Sufficient information: Consent must be informed and specific, i.e. in relation to one or more predetermined purposes. This means that general “catch-all” consents are typically invalid.
• Withdrawal: The data subject may withdraw the consent at any time. This means that the controller and processor must be prepared to cease all processing immediately, unless there is another lawful basis.