The GDPR as a paradigm shift in corporate management
Dr. Dimitrios Karathanassis
In: ContraLegem 2021/1, S. 72ff.
- The GDPR as a new approach to data protection
- The GDPR requires major and far-reaching changes for companies. These changes go beyond data protection and affect the structures of companies and the way they operate.
After the new EU Data Protection Regulation (GDPR) came into force on 25 May 2018 , the first conclusions can now be drawn about the importance of this set of rules for (Swiss) companies two years later. Although an EU set of rules, the GDPR has undoubtedly caused additional costs for many Swiss companies, from clarifying individual issues to revising data protection declarations. However , it is already foreseeable after two years that the GDPR will increasingly lead to a paradigm shift in corporate management and corporate organization, and not only in terms of on data protection, but much more profoundly.
Data protection in the context of compliance
Today , data protection still falls primarily into the area of compliance, namely compliance understood as a collective term for all organizational measures and internal processes in a company for Prevention of legal violations and adequate response to them. In this sense, the focus of data protection for companies is on the task of maintaining the applicable data protection regulations and avoiding possible legal violations. In order to achieve this, various means are available, such as the collection of the legal basis, the appointment of a company data protection officer, the enactment of internal Instructions, the collection of data files including conformity assessment, the guarantee of data security and the training of employees. What all these measures have in common is that they represent preventive mechanisms that essentially seek to avoid violating data protection regulations. Ideally, they create a coherent internal set of rules that reflects the existing legal standards – often even exceeds them aggravating them – and thus for each individual Business conduct and transaction of the company concerned ensures that they comply with the law.
One could now be led by the assumption that the GDPR will only make additional efforts and burden the compliance departments of the companies concerned . That this is already the case and will continue to be the case is self-explanatory, because any additional legal requirement requires technical know-how and resources in order to be able to implement it in the end. . The GDPR is no exception.
However, although the GDPR enjoys a legal character, it mixes normative and regulatory elements. Normative elements, i.e. laws, – as postulated in the present case – classically provide a framework within which one acts in accordance with the law and outside which one no longer does. does. Regulation, on the other hand, goes further and requires certain behaviours and the implementation of concrete measures. The Federal Act on Data Protection (FADP) – prior to its current revision – must be understood primarily as a normative element which, since its entry into force in July 1993, has basically is a legally binding framework.
The GDPR, on the other hand, is a child of its time, in which the boundary between normative and regulatory elements is disappearing. In other words, it not only presents the companies concerned with a framework within which they can move in accordance with the law, but also explicitly provides instructions for certain types of behaviour and specific measures for undertakings. The GDPR can therefore be understood as a regulatory law. It can therefore be assumed that the GDPR will initiate the changes for data protection that the establishment of the Swiss Financial Market Supervisory Authority (FINMA) provided for financial institutions.
Impact of data protection on corporate structures
It goes without saying that general regulations – in addition to normative requirements – in the financial market sector already existed before 2009, but after the start of its activities, FINMA quickly developed into a comprehensive «Regulation factory». On the basis of its statutory mandate, it has issued and continues to issue supervisory notices, circulars, opinions and other publications, often without conclusive certainty for the Addressees, what normative significance these have, and thus exercises the regulation. The increasingly concrete instructions for certain behaviours and the measures to be taken slowly led to the fact that strategic corporate decisions were not only taken with regard to the normative Increasingly , and in some cases exclusively, they are viewed through the lens of regulatory requirements.
It makes a considerable difference whether financial intermediaries are required by the legislature, when entering into business relationships, to inform the contracting party on the basis of an evidentiary document [to ] (Art. 3 para. 1 Anti-Money Laundering Act, AMLA) or whether they are required by FINMA to develop criteria that indicate business relationships with increased risks (Art. 13 para. 1 Anti-Money Laundering Ordinance-FINMA, AMLO-FINMA) as well as criteria for identifying transactions with increased risks (Art. 14 para. 1 AMLO-FINMA) and not only the criteria (Art. 14 para. 2 AMLO-FINMA ) but also the means of clarification (Art . 16 AMLO-FINMA) and the timing of the clarification (Art. 17 AMLO-FINMA). In other words, it makes a difference whether it is forbidden to encourage money laundering or whether, in order to achieve this objective, financial intermediaries make a meticulous Catalogue of actions to be carried out.
In conjunction with the increasingly severe penalties that punish violations, compliance with regulatory requirements by companies’ legal and compliance departments has become more and more important. Foreground in strategic fundamental decisions. There have been questions about the countries in which investments are made and the origin of funds that are accepted and forwarded, but the regulatory costs and the The impending penalties, which are now attached to these questions, gives them a very relevant, often even existential, significance for the business activities of financial intermediaries.
In this sense, regulation goes beyond the legal framework, because it does not simply qualify individual actions of companies as legally compliant or violating it, but rather indirectly ( and sometimes even indirectly) determines the structures and functioning of those undertakings, in which it requires concrete measures to be implemented. A compliance department of a bank from the year 2020 is likely to have caused incomprehension among many banks in 1990.
As a result, (extensive) regulation goes beyond behavioral control and must therefore be understood as structural design. This means that now not only 74 the individual company actions, but also the structure of the company – beyond the company law provisions – as such must comply with and comply with regulatory requirements . The companies concerned thus implement regulatory requirements not only in the individual business activities or transactions, but also through a (sometimes fundamental) redesign of their structures. . Regulation and compliance with it are therefore not only ” a binding component of a good corporate organization”, but to a large extent specify the corporate organization itself.
A similar development is likely to occur now after the entry into force of the GDPR . The manifold obligations that the GDPR imposes on companies elevate data protection from the compliance department to the highest decision-making bodies of companies. The processing of personal data and the requirements of the GDPR are now linked to strategic questions, such as where a company invests or which lines of business it pursues Wants. As G. V. Müller already correctly noted in 2018 (“Data protection means protection of privacy”, NZZ of 25. January 2018), data protection , similar to compliance with FINMA’s regulatory requirements or compliance with environmental standards, will become an essential component of risk management by Company. The processing of personal data will therefore play an increasingly central role when it comes to business decisions. The data protection impact assessment provided for in Art. 35 GDPR makes e.g . It is clear that future issues and the delegation of responsibility must be taken into account in business decisions. The data protection by design and data protection by default required in Art. 25 GDPR in turn require measures that massively affect internal corporate structures and programs used. and give them a form that complies with the provisions of the GDPR. The appointment of a processor is not only shaped by Art. 28 para. 3 GDPR, in which the relevant contract contents are determined, not only characterize the contract design affected by it, but also for the most part. What an initial and probably rudimentary action plan for companies can look like is described by the Conference of Independent Data Protection Authorities of the Federal Government and the Länder in Germany in its Short Paper No. 8 Action Plan ” GDPR” for companies. It proposes measures such as the adaptation of the affected processes and structures, the determination of the legal basis and the purpose of data processing as well as the documentation of balancing of interests, which Implementation of information obligations, data subject rights and deletion concepts, adaptation of the data protection organization, appointment of a data protection officer, reaction mechanisms to data breaches , organization of Reporting obligations, the adaptation of service relationships, the development of documentation, the adaptation of IT security and the adaptation of works agreements.
75This list gives a first indication of the challenges that the companies concerned will face. The extent of the innovations cannot be conclusively estimated at present, but the scope of the GDPR, in its German version at least 78 pages long, can serve as a first indicator. These are not only costly, but also indirectly interfere with the primary business interests of those affected. If one also includes the reversal of the burden of proof, which is anchored in Art. 5 para. 2 GDPR and according to which there is now an accountability of the person responsible, “according to which he ensures compliance with the general principles (cf. Art. 5 para. 2 GDPR) “, it becomes clear that an adaptation of corporate structures will be unavoidable in order to meet these requirements. are sufficient.
As G. V. Müller rightly points out, the pharmaceutical and financial sectors, in which this change has already been introduced, are most likely to be prepared for this development. The main reason for this is the fact that the processing of personal data is increasingly being incorporated into the business processes of companies in these industries. Pharmaceutical companies, as well as banks, base a large part of their business on personal data and the possible handling of this is more a question of strategic orientation. of these companies as the mere compliance with data protection regulations. However , precisely because data, and especially personal data, is the “raw material of the future”, more and more companies from various industries are becoming more and more affected by the GDPR and others. Data protection legislation may be affected. Dealing with this will shape companies in a similar way to dealing with the original raw materials of market-based activity, labour and capital. If personal data is understood as valuable resources, compliance with its legal protection regulations is essential and has a direct effect on the handling and ultimately on the value of these resources. The GDPR, which is deeply intervening in regulatory terms, specifies the first structures that the companies concerned must incorporate in order to facilitate the entrepreneurial handling of to successfully manage these resources. The fact that the GDPR is not territorially limited and is mandatory for every participant in the European internal market also gives it a high degree of economic significance. .
The GDPR, that is undisputed, strengthens the protection of personal data. At the same time, however, it poses enormous challenges for the companies affected. The victims of the adjustments in business processes and corporate structures caused by the GDPR are then also the SMEs, which find it difficult to cope with the costs of these implementations. And that is what we are talking The advantages of a single European market with free access to it are clouded for SMEs by the GDPR. While the large corporations are more likely to cope with these adjustments and rely on the help of lawyers and consulting firms, SMEs are faced with the question of economic viability. Not infrequently, the European sales market is now likely to lose its attractiveness. The field, it must be said so clearly, is left to the big ones. The parallels to anti-money laundering legislation, which, through its regulatory requirements, have created many markets for small and medium-sized banks based purely on regulatory requirements . It is obvious that this has made economic reasons unattractive. Originally noble intentions, namely transparency and data protection, unintentionally alter into a competitive advantage for market- and financially strong companies.
Finally, it can be stated that data protection, as before also the money laundering regulations , as originally designed behavioral controls creep up to the core of the 76 economy and thus indirectly also endanger a liberal and non-competitive economy because they affect the multitude of corporate law structures. The differences in corporate law between a corporation and a partnership are becoming less important in view of the regulatory requirements that apply equally to all . Whether all this is in the sense of the inventor, of course, remains to be seen. No one doubts that the fight against money laundering and compliance with data protection are essential, but in the way in which these issues are addressed, the individual side effects cannot be ignored . Consumers are not served if their data can be kept secure, but only by a few companies with market power. In any case, the disadvantages of the then shrinking liberal competition cannot be corrected by data protection legislation designed in this way.