Annual data protection conference

On November 18, 2021, the annual data protection conference (45th DAFTA) of the Gesellschaft für Data protection and Data security (GDD) e.V. took place.

This year, the symposium, which was once again held digitally due to the pandemic, once again impressed with its diverse selection of topics and thus provided added value for all participants in the office, Home office or to the sofa at home.

DAFTA also featured a large number of digital participants and lecturers from the "Who's Who" of the data protection world, who spoke on the most important data protection topics of the moment:

The DAFTA was characterized by three current and practice-relevant topics. The new Telecommunications Telemedia Data Protection Act (TTDSG), which came into force on 01.12.2021, was a topic that played just as big a role on the agenda as the ongoing implementation issues regarding the "Schrems II" decision of the ECJ. Another topic at this year's DAFTA was the developments in connection with claims for damages under data protection law in accordance with Art. 82 GDPR.

The history of the TTDSG, the main new provisions of the TTDSG and the fact that not only telecommunications providers, but almost every company and every public body is affected by the implementation of the TTDSG, Rolf Bender from the BMWi informed the participants.

Dr. Stefan Brink, LfDI Baden-Württemberg, commented on implementation issues relating to the Schrems II decision. Brink considered a new agreement between the EU and the USA to be the only reliable solution to the challenges posed by Schrems II, as the economy could not afford transfer impact assessments. This is because the requirement for additional checks and measures for data exports will not disappear - even after the publication of the new EU standard contractual clauses.

Steffen Weiß, GDD, also showed the participants in an exciting presentation that in countries with data protection laws, a large number of transfer restrictions for data must be observed and that companies are therefore instructed to conclude agreements or organize their data flows and data exports accordingly and secure them at an early stage.

It was also debated whether compensation for damages due to a GDPR breach must exceed a materiality threshold. However, it was clarified that the GDPR does not have such a threshold. The question of a so-called materiality threshold for GDPR claims for damages will nevertheless only be conclusively clarified by the ECJ, as this question has been referred to the ECJ for a decision (decision of January 14, 2021, 1 BvR 2853/19). In general, however, the following still applies Affected parties must provide reliable evidence of the damage (burden of proof).

Clemens Dörner, 2B Advice GmbH, also gave a presentation in the provider forum on the topic of transfer impact assertion, in which he showed the audience the key points of reference from the perspective of 2B Advice as to how Responsible persons can reduce their data protection risk and thus the risk of data protection breaches when using new technologies. A risk arises in particular when companies integrate technologies into the Cloud migrate or use new technologies such as Video surveillance introduce. He pointed out that companies should always carry out an appropriate risk assessment for data protection when using new technologies. Among other things, the participants were shown when a risk assessment should be carried out and which types of risk assessments are suitable for different scenarios (e.g. PIA, CMIA, DTIA or DPIA).

The 45th DAFTA thus showed its participants that the uncertainties between jurisdiction, data protection supervision and the legislature pose a not inconsiderable economic challenge for companies.

As became clear towards the end of the DAFTA, in addition to data protection law, the IT Security Act will increasingly be added to the challenges facing companies in the future, currently only with regard to critical infrastructures. In order to mitigate these challenges and develop opportunities for competitive advantages, data protection and information security must be professionalized in the areas of technology, organization, strategy and law within the company.

As a reliable partner, we are therefore happy to support you in the professionalization of data protection. We are already looking forward to the next DAFTA and hope to see you again soon.