The EU Data Act is part of the two-part European data strategy. EU government negotiators and the European Parliament reached agreement on it at the end of June 2023; only formal adoption in plenary is still pending. But what will change in the exchange of data for consumers and companies?
The EU Data Act answers one of the most frequently asked questions in more detail: who may use the data that connected devices generate? Today, more and more devices collect user data. From cars, toothbrushes and Alexa to wind turbines linked to the weather forecast, data is not only being collected but increasingly networked. To date, the use of, access to and even the sale of such data have been inadequately regulated.
Data is at the heart of the digital economy: from search engines to industrial plants, large machines and household appliances, the data generated has a very high economic value. To date, however, it can hardly be exploited and is in the hands of a few large companies. Properly regulated, this data has great potential to add value, and this is where the EU Data Act comes in.
Who does the Data Act apply to?
The Data Act is intended to give consumers and companies more control over their data and ensure that it can be put to better economic use. In exceptional cases, such as environmental disasters, governments are to be able to access data from the private sector.
“This data law can fundamentally change the situation and ensure that there is easier access to the almost infinite amounts of data available. We estimate that an additional 270 billion euros can be generated in this way by 2028,” said Pilar del Castillo Vera (EPP/Spain), who led the negotiations for the Parliament.
More rights for consumers: The rules on using data generated by Internet of Things (IoT) devices are intended to create more fairness. For example, car owners will in future be able to decide for themselves whether their insurance company may analyze their data. Consumers will also be given more rights if their data is passed on unlawfully by a cloud provider.
Regulation on use: The law will allow companies to use the data in a legally compliant manner for the further development of products, and consumers will in principle be able to turn the data collected by their devices into money.
More competition: Simplified transferability of data to and between service providers will mean that more (and also smaller) players participate in the data economy, contributing to the market economy and developing innovations. According to the EU Commission, 80 percent of the industrial data generated today is not used, despite its enormous potential for growth and innovation. This could change with the Data Act.
No strengthening of data power: The transfer of data to companies such as Meta or Google (gatekeepers designated under the Digital Markets Act), on the other hand, is ruled out, in order to limit the data power of the large technology corporations and to strengthen small businesses and SMEs.
The EU Data Act is also expected to provide access to relevant data for aftermarket services, making repair and maintenance offers cheaper and extending the life of connected products. One concern is that the Act could oblige companies to share secrets, making European firms less competitive.
In the case of trade secrets, the data holder may prohibit the user from freely disclosing the data and may agree on measures to maintain its confidentiality. The transferred data may not be used to develop products that compete with those of the data holder; the development of competing services, on the other hand, should probably be permitted.
Following the political agreement between the Parliament and EU government negotiators on 28 June 2023, the Data Act is now subject to formal approval. Once approved, it will enter into force 20 days after publication in the Official Journal of the EU and will apply 20 months after entry into force.
The Data Act is one pillar of the data legislation proposed by the EU Commission and will be applied in interaction with the applicable horizontal and sectoral legislation, such as the Data Governance Act and the General Data Protection Regulation (GDPR).
Feel free to email or call us if we can assist you with your data protection needs. From Legal as a Service to external data protection officer, we are there for you. You can also find more information on our website.
The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, LkSG), passed in June 2021 and in force since January 2023, aims to improve the international human rights situation. It establishes prohibitions on child labor, slavery, forced labor, violations of occupational safety and health, withholding of adequate wages, disregard for the right to form trade unions or employee representations, denial of access to food and water, and unlawful deprivation of land and livelihoods.
Supply chains encompass the entire path of a service or product from raw material to consumer. They illustrate the global interconnectedness of the economy, as products often pass through numerous stations before reaching the end customer.
Because different minimum standards apply across the countries involved in international cooperation, serious human rights violations can become part of a supply chain. The law requires companies to monitor their supply chains for human rights violations and to address them.
The law is primarily aimed at the company’s own business unit and its direct suppliers. However, risk analyses must also be carried out for indirect suppliers, and preventive and remedial measures must be taken if there is concrete knowledge of possible violations of human rights or environmental obligations.
This can significantly extend the due diligence obligations. In addition, a clause ensures that the due diligence obligation cannot be circumvented by intermediaries.
The Supply Chain Due Diligence Act seeks safe conditions for people in supply chains, companies and consumers. It aims to prevent child labor and to promote fair wages, environmental protection and safe working conditions. In addition, consumers should be able to trust that products are made with fair manufacturing practices in mind.
The law has applied since January 2023 to German companies with more than 3,000 employees and at least one location in Germany. The obligations cover the company’s own business operations, its contractual partners and its indirect suppliers.
Since January 2024, companies with more than 1,000 employees must also fulfill these comprehensive due diligence obligations. In the coming years, a comparable law is expected at EU level.
Note: Group companies are included in the number of employees of the parent company, as are temporary workers whose assignment lasts more than six months.
Large companies will have to conduct risk analyses and take preventive measures with regard to their contractors and suppliers. As a result, the companies concerned will also require their smaller suppliers to take appropriate measures.
The law calls on companies to check, when selecting suppliers, whether they can meet “human rights-related expectations”. Smaller companies should therefore also pay attention to compliance with due diligence requirements to avoid contractual penalties; larger companies increasingly expect smaller companies to implement these legal requirements as part of their selection process.
Companies that fail to comply with their obligations can be fined up to 8 million euros or, for companies with an average annual turnover of more than 400 million euros, up to 2 percent of global annual turnover. They can also be excluded from public procurement. The Federal Office for Economic Affairs and Export Control (BAFA) reviews company reports, investigates complaints and has wide-ranging monitoring powers.
In the event of violations, it can impose periodic penalty payments and require companies to fulfill their obligations. In the event of damage in other countries, the law of the country concerned applies and not the German Supply Chain Due Diligence Act.
The Supply Chain Due Diligence Act is an urgent appeal to companies to assume their corporate responsibility and actively take measures to prevent human rights violations along their supply chains. It opens up the opportunity to make the world a bit fairer and more sustainable. By fulfilling their due diligence obligations, companies help to combat inhumane working conditions, environmental destruction and exploitation.
The Supply Chain Due Diligence Act also has an impact on consumers. More and more people attach importance to ethical and sustainable products whose production respects human rights.
The law will assure consumers that the products they buy have been produced with respect to human rights standards. Companies that neglect their supply chain due diligence could face a loss of image and a decline in demand.
The Supply Chain Due Diligence Act is an important compliance issue with high liability risks. Companies should familiarize themselves with the new requirements and carefully check their current status.
With HWData as your contact for compliance topics, we support you in the legally compliant implementation of the law, the digital documentation and the revision of your contracts with suppliers and business partners.
Compliance measures often come up short in companies. The privacy policy is updated once a year if things are going well, but that’s not enough. Avoid compliance risks with our compliance management software.
Website compliance refers to the observance of laws, regulations and standards relating to a website’s design, content and operation. It includes compliance with legal requirements relating to data protection, accessibility, copyright, consumer protection, and other relevant regulations that apply to a company’s online operations.
If you start using a new tool or set new cookies, the privacy policy and cookie information must be updated accordingly. However, most entrepreneurs do not think about having the privacy policy updated at every step they take, or may not even be aware that an update is necessary.
When are changes necessary?
GDPR compliance is therefore not a static document but a continuous process of compliance and data protection monitoring. Companies should regularly review their data protection measures, train employees and actively monitor data protection, or hire an external company to ensure that the GDPR is implemented effectively.
How often GDPR documentation such as the privacy policy needs to be updated varies from company to company and depends on various factors, such as the type of data processing, the size of the company and the applicable data protection laws.
As a general rule of thumb, compliance should be reviewed monthly and updated as needed. An annual review is therefore no longer sufficient to ensure that privacy policies and other compliance documents are up to date and comply with all rules.
To ensure that compliance issues do not take up too much time and money, we have developed compliance software that can be used to solve compliance management challenges comprehensively.
Advantages of an external compliance management system:
Our software scans your website every month for possible changes, so our clients do not have to inform us about every change: the site is scanned automatically, and we make the necessary changes.
You get a comprehensive compliance management system from a single source and can focus on other business management tasks while we take care of compliance.
Why is good website compliance important?
Compliance due diligence refers to thoroughly reviewing and evaluating a company’s compliance practices and risks, particularly in the context of potential investments, acquisitions or business relationships.
Why is compliance management so important for this purpose?
The website can provide insights into the company’s business practices, ethical standards and compliance with laws and regulations to identify and assess potential compliance risks. This is particularly relevant in the context of investors, acquisitions or business relationships.
Compliance Management Systems are the future as they provide an effective and efficient solution to manage the growing compliance demands in organizations. Here are some reasons why you should invest in a Compliance Management System (CMS) right now:
In summary, compliance management systems can be seen as forward-looking solutions for managing compliance effectively and minimizing risks. They offer companies the opportunity to keep pace with the growing compliance requirements, increase efficiency, identify risks at an early stage, ensure transparency and continuously develop further.
By using compliance management systems, companies can strengthen their compliance strategies and increase their competitiveness in an increasingly regulated business environment. Let us ensure that your company’s compliance rules are adhered to.
HWData is your contact for Legal as a Service. From working as an external data protection officer to support with the help of our compliance management system, we give you a helping hand wherever you need it.
The Whistleblower Protection Act implements an EU directive that regulates the protection of persons who have obtained information about wrongdoing or violations in the course of their professional activities and pass this information on to the internal or external reporting office.
Employees are often the first to notice abuses. By providing concrete information, they enable such abuses to be uncovered, investigated, prosecuted and prevented. This explicitly includes violations of European Union law.
Whistleblowers assume responsibility for society, which is why they must be protected from the disadvantages they could face as a result of their report. This protection of whistleblowers is also intended to prevent deterrence through fear.
In general terms, “whistleblowing” or a whistleblower means an employee who reports grievances (actual or alleged), for example regarding occupational health and safety in the company, to his or her employer or a third party.
The law will apply to companies and organizations in the public and private sectors with 50 or more employees or annual sales of more than 10 million euros.
Whistleblowers generally only harm companies if they go directly to the public or the media. An internal reporting office protects the company, supports compliance and allows possible wrongdoing to be uncovered.
Since observations are transmitted directly to the responsible department in the company, grievances can be identified and rectified at an early stage. Major damage to the company’s reputation can be avoided because the risk of scandals is reduced.
Benefits at a glance:
The Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) focuses on better protection of whistleblowers. The aim is to protect persons who report violations observed in connection with their professional activities, and to regulate more transparently how companies receive and investigate such reports.
A three-year retention period applies (Section 11 (5) HinSchG): the documentation of a report is deleted three years after the procedure is concluded, a period aligned with the regular statute of limitations under civil law.
The German Occupational Health and Safety Act (ArbSchG) frames “whistleblowing” as a “right of complaint” in Section 17 and regulates how complaints are to be handled. Internal whistleblowing takes priority: only if the employer fails to remedy a grievance reported by an employee may the employee turn to the competent supervisory authority.
Occupational health and safety also involves a dual responsibility: the employer must fulfill the occupational health and safety obligations, and the occupational health and safety authorities must ensure that these are complied with and implemented.
Each report is checked for plausibility and validity, and the necessary investigations must be carried out under strict confidentiality or anonymity.
The information received is processed fairly and quickly, followed by the derivation and implementation of measures to prevent similar misconduct in the future.
What are typical reports?
The Whistleblower Protection Act comes into force one month after its promulgation in the Federal Law Gazette (Section 42 (1) HinSchG). The exact date of entry into force is not yet known.
The law states that reporting offices should also process anonymous reports, so anonymous communication between the reporting person and the reporting office should be made possible as well.
Strictly speaking, according to the transitional provision, the obligations in the law to enable anonymous reports will not take effect until 1 January 2025 (Section 42 (2) HinSchG), so that whistleblower protection systems can be revised accordingly.
Our tip: It is advisable to make the internal reporting office as attractive as possible and to enable anonymous reports directly in order to avoid reports to external reporting offices and thus authorities.
The claim for damages is extended: under the new law, whistleblowers who suffer reprisals can also claim compensation for immaterial damage, not only for financial losses.
In concrete terms, this means that in individual cases compensation for pain and suffering can be claimed for immaterial damage. This is particularly relevant in cases of bullying or discrimination, where the damage to legal interests is usually difficult to prove (Section 37 (1) HinSchG).
Avoid tips to authorities and external reporting offices by offering an attractive whistleblower system in your company. HWData already supports you with whistleblower system software to establish a secure communication channel in your organization.
We offer our clients the establishment and operation of the legally required internal whistleblower system and the comprehensive support of all resulting processes and reports.
Our all-in-one tech approach ensures that there is no additional work for you in terms of hosting, maintenance or data security. In cooperation with the HWLP Legal-Tech approach of our partner company, you also benefit from automated processes for creating and adapting the necessary legal documentation and contracts.
Feel free to email or call us if we can assist you with your data protection or whistleblower system needs. From Legal as a Service to external data protection officer, we are there for you. You can also find more information on our website.