Chapter XI
Final provisions
Authors: Gerrit Hornung and Indra Spiecker gen. Döhmann
- Directive 95/46/EC is repealed with effect from 25 May 2018.
- References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.
I. Preliminary note
Art. 94 deals with the consequences for the DPD of the entry into force of the GDPR and, together with Art. 99, guarantees a seamless transition between the two potentially competing legal acts. Specifically, this relates to the repeal of the previously applicable DPD under para. 1 (→ mn. 2 et seq.) and the continued validity of previous references to the DPD under para. 2 (→ mn. 9 et seq.). The provision has not undergone any changes in the course of the European legislative process compared to Art. 88 COM-P. As an aid to interpretation, rec. 171 should be taken into account, which refers in particular to the continued validity of consent granted under the transposition laws for the DPD (→ mn. 6). Art. 59 JHA Directive contains a parallel provision repealing the JHA Framework Decision with effect from 6 May 2018 (para. 1) and making references to it as references to the JHA Directive (para. 2). Regulation 45/2001/EC for the EU institutions was not repealed; it was replaced by Regulation 2018/1725/EU in a separate legislative procedure (→ Introduction mn. 176 et seq.).
II.Repeal of the DPD (para. 1)
-
General remarks
The DPD was repealed as of 25 May 2018. Until that date, it continued to apply without any restriction.[1] The GDPR started to apply according to Art. 99 para. 1 as of 25 May 2018. It thus directly replaced the GDPR; a legal gap did not arise.[2]
Since the GDPR already entered into force on 24 May 2016 according to Art. 99 para. 1 (→ Art. 99 mn. 2),[3] a two-year transition period was created during which the DPD continued to apply unchanged. This transitional period allowed data controllers and processors to bring data processing operations continuing beyond 25 May 2018 into conformity with the requirements of the GDPR (rec. 171 sentence 2). In addition, they were given the opportunity to adapt their data processing procedures to the new legal regime at an early stage.
At the same time, the transition period gave the Member States a sufficient period of time to adapt their national legislation to the requirements of the GDPR and to make use of the opening clauses contained therein. If Member State regulation is lacking after the GDPR came into force, only the GDPR applies; the previous national law can only continue to apply to the extent that it is now in line with the opening clauses. Despite the transition period, a number of Member States have only developed legislative activities at a later date.[4]
-
Consequences for previously lawful data processing operations
With the repeal of the DPD, the question arises how lawful data processing carried out or started under it are to be assessed under the GDPR.[5] There is no explicit regulation on this in Art. 94. For data processing that was completed on 24 May 2018, the legality under the DPD remains valid. Apart from the fact that the legal basis for this processing rests in the respective national law and is therefore not directly covered by Art. 94 and the GDPR as a whole, the repeal of the GDPR took place ex nunc, not ex tunc. For data processing continuing beyond 25 May 2018, e.g. in the case of ongoing storage, the following applies: Previously lawful data processing on the legal basis of the respective national law implementing the DPD remains lawful up to and including 24 May 2018. As of 25 May 2018, any data processing must meet the requirements of the GDPR.[6] The legislator created the transition period of two years specifically for this purpose (→ mn. 3); this intention is also apparent from rec. 171 sentence 2. Therefore, from a compliance perspective, data controllers and processors had no choice but to double-check the permissibility of data processing during the transition period: on the basis of the DPD applicable until 24 May 2018 as well as in anticipation and for risk assessment on the basis of the GDPR applicable as of 25 May 2018. The assessment according to the GDPR – especially under the aspects of the obligations from Art. 5 para. 2 and Art. 24 para. 1 sentence 1, the increased information duties according to Art. 12 et seq. or the privacy impact assessment according to Art. 35 – could have led to the necessity to alter the operational modes of data processing as of 25 May 2018. This could have been the case even if the legal basis of the processing continued (e.g. consent) or remained identical (e.g. a national law that continued to apply under an opening clause). The review may have therefore led to a situation where data processing after 25 May 2018 had to be ended, at least until the processings had been adapted, or permanently because a legal basis had ceased to exist; there was and is no protection of legitimate expectations or grandfathering, precisely because of the implementation of the transitional period.
[…]
[1] Schild in BeckOK DatenschutzR DS‑GVO Art. 94 mn. 1; Piltz, K&R 2016, 557 (560).
[2] Moore in Kuner et al. Art. 94, pp. 1291 et seq.
[3] Ehmann in Ehmann/Selmayr Art. 99 mn. 3; Kühling/Raab in Kühling/Buchner Art. 94 mn. 2.
[4] Cf. On the status in the Member States Spiecker gen. Döhmann/Bretthauer, Dokumentation zum Datenschutz, Chapter D.
[5] Cf. also Piltz in Gola/Heckmann Art. 94 Rn. 5 et seq.; Sydow in Sydow/Marsch Art. 94 mn. 2 et seq.
[6] Cf. also Sydow in Sydow/Marsch Art. 94 mn. 8.