The GDPR as a paradigm shift in corporate management
Dr. Dimitrios Karathanassis
In: ContraLegem 2021/1, p. 72ff.
- The GDPR as a new approach to data protection
- The GDPR requires major and far-reaching changes for companies. These changes go beyond data protection and affect the structures of companies and the way they operate.
After the new EU Data Protection Regulation (GDPR) came into force on 25 May 2018, the first conclusions can now, two years later, be drawn about the importance of this set of rules for (Swiss) companies. Although an EU set of rules, the GDPR has undoubtedly caused additional costs for many Swiss companies, from clarifying individual issues to revising data protection declarations. However, it is already foreseeable after two years that the GDPR will increasingly lead to a paradigm shift in corporate management and corporate organization, and not only in terms of data protection, but much more profoundly.
Data protection in the context of compliance
Today, data protection still falls primarily into the area of compliance, namely compliance understood as a collective term for all organizational measures and internal processes in a company for the prevention of legal violations and an adequate response to them. In this sense, the focus of data protection for companies is on the task of complying with the applicable data protection regulations and avoiding possible legal violations. In order to achieve this, various means are available, such as the collection of the legal basis, the appointment of a company data protection officer, the enactment of internal instructions, the collection of data files including conformity assessment, the guarantee of data security and the training of employees. What all these measures have in common is that they represent preventive mechanisms that essentially seek to avoid violating data protection regulations. Ideally, they create a coherent internal set of rules that reflects the existing legal standards, often even exceeding and tightening them, and thus ensures for each individual business conduct and transaction of the company concerned that it complies with the law.
One could now assume that the GDPR will merely entail additional effort and burden the compliance departments of the companies concerned. That this is already the case and will continue to be the case is self-explanatory, because any additional legal requirement requires technical know-how and resources in order to be able to implement it in the end. The GDPR is no exception.
However, although the GDPR has the character of a law, it mixes normative and regulatory elements. Normative elements, i.e. laws, – as postulated in the present case – classically provide a framework within which one acts in accordance with the law and outside which one no longer does. Regulation, on the other hand, goes further and requires certain behaviours and the implementation of concrete measures. The Federal Act on Data Protection (FADP) – prior to its current revision – must be understood primarily as a normative element which, since its entry into force in July 1993, has basically been a legally binding framework.
The GDPR, on the other hand, is a child of its time, in which the boundary between normative and regulatory elements is disappearing. In other words, it not only presents the companies concerned with a framework within which they can move in accordance with the law, but also explicitly provides instructions for certain types of behaviour and specific measures for undertakings. The GDPR can therefore be understood as a regulatory law. It can therefore be assumed that the GDPR will initiate the changes for data protection that the establishment of the Swiss Financial Market Supervisory Authority (FINMA) provided for financial institutions.
Impact of data protection on corporate structures
It goes without saying that general regulations – in addition to normative requirements – in the financial market sector already existed before 2009, but after the start of its activities, FINMA quickly developed into a comprehensive «regulation factory». On the basis of its statutory mandate, it has issued and continues to issue supervisory notices, circulars, opinions and other publications, often without conclusive certainty for the addressees as to what normative significance these have, and thus exercises regulation. The increasingly concrete instructions for certain behaviours and the measures to be taken slowly led to the fact that strategic corporate decisions were not only taken with regard to the normative Increasingly, and in some cases exclusively, they are viewed through the lens of regulatory requirements.
It makes a considerable difference whether financial intermediaries are required by the legislature, when entering into business relationships, to identify the contracting party on the basis of an evidentiary document (Art. 3 para. 1 Anti-Money Laundering Act, AMLA) or whether they are required by FINMA to develop criteria that indicate business relationships with increased risks (Art. 13 para. 1 Anti-Money Laundering Ordinance-FINMA, AMLO-FINMA) as well as criteria for identifying transactions with increased risks (Art. 14 para. 1 AMLO-FINMA) and not only the criteria (Art. 14 para. 2 AMLO-FINMA) but also the means of clarification (Art. 16 AMLO-FINMA) and the timing of the clarification (Art. 17 AMLO-FINMA). In other words, it makes a difference whether it is forbidden to encourage money laundering or whether, in order to achieve this objective, financial intermediaries make a meticulous catalogue of actions to be carried out.
In conjunction with the increasingly severe penalties that punish violations, compliance with regulatory requirements by companies' legal and compliance departments has moved more and more into the foreground of fundamental strategic decisions. There have been questions about the countries in which investments are made and the origin of funds that are accepted and forwarded, but the regulatory costs and the impending penalties that are now attached to these questions give them a very relevant, often even existential, significance for the business activities of financial intermediaries.
In this sense, regulation goes beyond the legal framework, because it does not simply qualify individual actions of companies as legally compliant or non-compliant, but rather indirectly (and sometimes even indirectly) determines the structures and functioning of those undertakings, in that it requires concrete measures to be implemented. A compliance department of a bank from the year 2020 would likely have caused incomprehension among many banks in 1990.
As a result, (extensive) regulation goes beyond behavioral control and must therefore be understood as structural design. This means that now not only the individual company actions, but also the structure of the company – beyond the company law provisions – as such must comply with regulatory requirements. The companies concerned thus implement regulatory requirements not only in the individual business activities or transactions, but also through a (sometimes fundamental) redesign of their structures. Regulation and compliance with it are therefore not only “a binding component of a good corporate organization”, but to a large extent specify the corporate organization itself.
A similar development is likely to occur now after the entry into force of the GDPR. The manifold obligations that the GDPR imposes on companies elevate data protection from the compliance department to the highest decision-making bodies of companies. The processing of personal data and the requirements of the GDPR are now linked to strategic questions, such as where a company invests or which lines of business it wants to pursue. As G. V. Müller already correctly noted in 2018 (“Data protection means protection of privacy”, NZZ of 25 January 2018), data protection, similar to compliance with FINMA’s regulatory requirements or compliance with environmental standards, will become an essential component of the risk management of companies. The processing of personal data will therefore play an increasingly central role when it comes to business decisions. The data protection impact assessment provided for in Art. 35 GDPR makes it clear, for example, that future issues and the delegation of responsibility must be taken into account in business decisions. The data protection by design and data protection by default required in Art. 25 GDPR in turn require measures that massively affect internal corporate structures and the programs used and give them a form that complies with the provisions of the GDPR. The appointment of a processor is not only shaped by Art. 28 para. 3 GDPR, in which the relevant contract contents are determined, not only characterize the contract design affected by it, but also for the most part. What an initial and probably rudimentary action plan for companies can look like is described by the Conference of Independent Data Protection Authorities of the Federal Government and the Länder in Germany in its Short Paper No. 8, Action Plan “GDPR” for companies.
It proposes measures such as the adaptation of the affected processes and structures, the determination of the legal basis and the purpose of data processing as well as the documentation of balancing of interests, the implementation of information obligations, data subject rights and deletion concepts, adaptation of the data protection organization, appointment of a data protection officer, reaction mechanisms to data breaches, organization of reporting obligations, the adaptation of service relationships, the development of documentation, the adaptation of IT security and the adaptation of works agreements.
This list gives a first indication of the challenges that the companies concerned will face. The extent of the innovations cannot be conclusively estimated at present, but the scope of the GDPR, in its German version at least 78 pages long, can serve as a first indicator. These are not only costly, but also indirectly interfere with the primary business interests of those affected. If one also includes the reversal of the burden of proof, which is anchored in Art. 5 para. 2 GDPR and according to which there is now an accountability of the person responsible, “according to which he ensures compliance with the general principles (cf. Art. 5 para. 2 GDPR)”, it becomes clear that an adaptation of corporate structures will be unavoidable in order to meet these requirements.
As G. V. Müller rightly points out, the pharmaceutical and financial sectors, in which this change has already been introduced, are most likely to be prepared for this development. The main reason for this is the fact that the processing of personal data is increasingly being incorporated into the business processes of companies in these industries. Pharmaceutical companies, as well as banks, base a large part of their business on personal data, and the possible handling of this data is more a question of the strategic orientation of these companies than of mere compliance with data protection regulations. However, precisely because data, and especially personal data, is the “raw material of the future”, more and more companies from various industries are likely to be affected by the GDPR and other data protection legislation. Dealing with this will shape companies in a similar way to dealing with the original raw materials of market-based activity, labour and capital. If personal data is understood as a valuable resource, compliance with its legal protection regulations is essential and has a direct effect on the handling and ultimately on the value of these resources. The GDPR, which intervenes deeply in regulatory terms, specifies the first structures that the companies concerned must incorporate in order to successfully manage the entrepreneurial handling of these resources. The fact that the GDPR is not territorially limited and is mandatory for every participant in the European internal market also gives it a high degree of economic significance.
The GDPR undisputedly strengthens the protection of personal data. At the same time, however, it poses enormous challenges for the companies affected. The victims of the adjustments in business processes and corporate structures caused by the GDPR are then also the SMEs, which find it difficult to cope with the costs of these implementations. And that is what we are talking The advantages of a single European market with free access to it are clouded for SMEs by the GDPR. While the large corporations are more likely to cope with these adjustments and rely on the help of lawyers and consulting firms, SMEs are faced with the question of economic viability. Not infrequently, the European sales market is now likely to lose its attractiveness. The field, it must be said so clearly, is left to the big ones. The parallels to anti-money laundering legislation, which, through its regulatory requirements, has made many markets unattractive for small and medium-sized banks for purely economic reasons, are obvious. Originally noble intentions, namely transparency and data protection, unintentionally turn into a competitive advantage for market- and financially strong companies.
Finally, it can be stated that data protection, like the money laundering regulations before it, although originally designed as behavioral control, creeps up to the core of the economy and thus indirectly also endangers a liberal and non-competitive economy, because it affects the multitude of corporate law structures. The differences in corporate law between a corporation and a partnership are becoming less important in view of the regulatory requirements that apply equally to all. Whether all this is what was intended, of course, remains to be seen. No one doubts that the fight against money laundering and compliance with data protection are essential, but in the way in which these issues are addressed, the individual side effects cannot be ignored. Consumers are not served if their data can be kept secure, but only by a few companies with market power. In any case, the disadvantages of the then shrinking liberal competition cannot be corrected by data protection legislation designed in this way.