The European General Data Protection Regulation (GDPR) continues to meet with criticism in the German economy. This is the result of a representative survey commissioned by the digital association Bitkom among companies with 20 or more employees in Germany, which was published in Berlin on Tuesday. Even in the fifth year since the data protection requirements came into force, there is still considerable legal uncertainty regarding the exact requirements of the GDPR, according to 78% of the companies surveyed. The implementation of the regulation has never been fully completed due to new guidelines, for example, criticized 88%.

A good two thirds (68%) of companies are of the opinion that strict data protection makes digitalization more difficult, said Susanne Dehmel, member of the Bitkom Executive Board. 61% believe that data protection is overdone in Germany. Despite this, the majority of companies have implemented the GDPR. 22% claim to have fully implemented the GDPR, 40% "to a large extent". A third admit that they have only "partially" adapted to the regulation.

The deficits in implementation are no longer so often due to a lack of specialist staff. A year ago, a third of companies complained about a lack of qualified employees. This figure fell to 24% in the current survey. There are also signs of a slight easing in terms of the financial resources required: in 2021, 37% cited "lack of financial resources" as one of the biggest challenges in implementing the GDPR; in the current survey, this figure fell to 32%.

In the survey, companies continued to emphasize the importance of a legal basis for international data transfers. 60% practice the transfer of personal data to countries outside the EU. Not transferring this data would have serious consequences. 60% of companies say that they would then no longer be able to maintain global security support, while 57% state that they would no longer be able to offer certain products and services if data transfers were stopped. In this case, 55% fear competitive disadvantages compared to companies from non-EU countries.

Data transfers to countries outside the EU are on shaky legal ground because the European Court of Justice has declared agreements for the transfer of data from Europe across the Atlantic to be invalid in two rulings. In June 2020, the ECJ overturned the "Privacy Shield" on the grounds that the level of data protection in the USA did not meet EU standards. In particular, the judges criticized the far-reaching possibilities for US intelligence services to access European data. The ECJ had already overturned the "Safe Harbor" transatlantic data protection agreement in October 2015 on similar grounds.