TÜV NORD Bildung

EU General Data Protection Regulation: Time for organizations to change over to the new EU data protection rules

The new EU General Data Protection Regulation (EU-GDPR) specifies harmonized EU-wide rules as to how companies and official bodies are allowed to process personal data.

Hamburg: The new EU General Data Protection Regulation (EU-GDPR) specifies harmonized EU-wide rules as to how companies and official bodies are allowed to process personal data. “Organizations should get to know the new requirements now, as in future they will have to provide information to their clients more fully and in a way which is easier to understand”, says Melanie Braunschweig from TÜV NORD Akademie.

The new General Data Protection Regulation has been passed by the EU Parliament and will be published shortly. Then a two-year transition period will begin for all private and public organizations which process personal data. The Regulation will supersede the many different rules and regulations which currently apply in the 28 individual member states. In Germany, the new Regulation will replace the current EC Data Protection Directive and large parts of the Federal Data Protection Act.

“The changeover means that organizations have to explain to their clients even more clearly what data are collected or already held. The data must in future also be made available in an easily legible form and a commonly-used format – which may mean that data processing systems have to be newly designed. This is why it makes sense to start the changeover now”, explains Melanie Braunschweig, Product Manager for Data Protection at TÜV NORD Akademie.

What further changes will the new Regulation involve?


  • Only data that are really necessary in order to provide a service will be collected.
  • Customer data may only be processed and used if the customer can expect this based on the business relationship with the particular company or organization, but may not be processed or used by an “uninvolved” third party.
  • The data protection authorities will liaise with each other throughout Europe. Organizations will only have to deal with the Supervisory Authority in their main country of registration.
  • Affected persons will be granted extended rights in relation to their national authorities in the area of complaints and legal protection.
  • Organizations will have to take account of a stricter framework in the case of reportable incidents, in other words they will have to report data leaks more quickly. In future, penalties of up to four per cent of worldwide turnover can be imposed for infringements.
  • New risk and impact assessments will replace the preliminary checks that were previously required prior to the processing of sensitive data.
  • Strict rules will apply to transfer of data to authorities of third countries.
  • A flexibility clause allows EU States to set individual rules: Germany will retain the requirement for a data protection officer.

TÜV NORD Akademie is offering a seminar on the subject of the changeover to the EU General Data Protection Regulation (Datenschutz: Umstellung auf die EU-Grundverordnung (EU-DSGVO)) which will inform organizations on what they will have to change and adapt as regards their data protection systems, how to make the changes, and the priorities to be observed. Additional information is available at

Annika Burchard Corporate Communications