The annual data protection conference (45th DAFTA) of the Gesellschaft für Datenschutz und Datensicherheit (GDD) e.V. took place on 18.11.2021.
This year's conference, again held digitally due to the pandemic, once more offered a diverse selection of topics and gave all participants added value, whether in the office, in the home office or on the sofa at home.
Even in digital form, DAFTA attracted a large number of participants and speakers from the “Who’s Who” of the data protection world, who spoke on the most important current data protection topics:
DAFTA was shaped by three current, practice-relevant topics. The new Telecommunications Telemedia Data Protection Act (TTDSG), which came into force on 01.12.2021, featured as prominently on the agenda as the unending implementation issues surrounding the ECJ’s “Schrems II” decision. Another topic at this year’s DAFTA was the developments in connection with data protection claims for damages under Article 82 of the GDPR.
Rolf Bender from the BMWi informed the participants about the history of the TTDSG, its essential new regulations, and the fact that not only telecommunications providers but almost every company or public body is affected by the implementation of the TTDSG.
Dr. Stefan Brink, LfDI Baden-Württemberg, spoke about implementation issues of the Schrems II decision. Brink considered a new agreement between the EU and the USA to be the only robust solution to the challenges of Schrems II, as the industry could not afford transfer impact assessments. This is because the requirement for supplementary checks and measures for data exports continues to apply, as is well known, even after the publication of the new EU standard contractual clauses.
Steffen Weiß, GDD, also showed the participants in an engaging contribution that countries with data protection laws generally impose a large number of transfer restrictions on data, and that companies therefore need to conclude agreements or organize their data flows and data exports accordingly and secure them at an early stage.
It was also debated whether damages for a GDPR violation would have to exceed a materiality threshold. It was clarified, however, that the GDPR does not recognize such a threshold. The question of a so-called materiality threshold for GDPR damage claims will nevertheless only be conclusively clarified by the ECJ, as this question has been submitted to the ECJ for a decision (decision of January 14, 2021, 1 BvR 2853/19). In general, however, it still applies that the affected party bears the burden of proof and must prove the damage in a robust manner.
Clemens Dörner, 2B Advice GmbH, also presented a paper on the topic of transfer impact assessment in the provider forum, in which he gave the audience key pointers, from the perspective of 2B Advice, on how data controllers can mitigate their data protection risk, and thus the risk of data protection breaches, when using new technologies. Risk arises especially when companies migrate technologies to the cloud or adopt new technologies such as video surveillance. He pointed out that it is imperative that companies conduct an appropriate privacy risk assessment when deploying new technologies. Among other things, attendees were shown when a risk assessment should be conducted and what types of risk assessments are appropriate for different scenarios (e.g., PIA, CMIA, DTIA or DSFA).