Underestimated risks: the significance of the GDPR for product development

Analog products seem to be a thing of the past. In any case, there is a massive trend towards digital products and IoT devices and, for many manufacturers, this means retooling production with a greater focus on digital technologies. But whenever a manufacturer develops a product which is designed to process data for users, that product must conform to the present legal framework for digital products, both in terms of IT security and in terms of data protection. Contrary to widespread opinion, manufacturers cannot ignore the requirements of the General Data Protection Regulation (GDPR) if their products will be used to process personal data, i.e. information relating to an identified or identifiable natural person (Article 4(1) GDPR).

I.    The GDPR from the viewpoint of manufacturers

In theory, the GDPR applies only to controllers, i.e. those who determine the purposes and means of the processing of personal data, and to the processors acting on their behalf. The role of manufacturers, on the other hand, is typically limited to supplying the product to consumers: in many cases, manufacturers do not process data on their own. Accordingly, the GDPR does not impose requirements on manufacturers directly, but only "encourages" them "to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations" (Recital 78 to the GDPR).

The idea behind this is simple: the GDPR does not have to require manufacturers to comply, because the market will regulate them on its own. Users will ultimately decide against a product if using it means that they, as controllers, will be unable to adhere to data protection requirements. This creates an indirect "requirement" for manufacturers to design their products in such a way that users will be able to adhere to the requirements of the GDPR when processing data in the future. Where manufacturers are themselves involved in the later operation of digital products, the requirements of the GDPR will frequently apply to them directly as well. This is the case, for example, if the manufacturer operates back-end systems or platforms for IoT devices on which personal data is processed: it then acts as a controller or processor in its own right. It is therefore in the manufacturer's own interest to adhere to the GDPR in such a case, beginning in the product development phase.

II.    Requirement to design products which can be used in conformance with data protection requirements

Manufacturers who fail to adhere to data protection requirements for their products do not necessarily face penalties under the GDPR. But this does not mean that they can disregard the requirements of data protection law; after all, such violations may trigger liability under the laws governing contracts of sale and contracts for works and services. If the manufacturer knows that its product will be used to process personal data and fails to implement the legal requirements that would enable the product to be used in conformance with data protection law, such a failure may constitute a defect in the product and result in liability for the manufacturer. Moreover, we cannot rule out the risk of manufacturer's liability under § 823(1) of the German Civil Code (BGB) in conjunction with the right to privacy, e.g. pursuant to Article 8 of the EU Charter of Fundamental Rights and Article 16 of the TFEU, the fundamental right to informational self-determination and the general right of privacy. Therefore, manufacturers should absolutely adhere to the required data protection and cybersecurity standards and familiarize themselves with the legitimate security expectations of the expected user group. In particular, manufacturers should perform a critical assessment of the lawfulness of any transfers of personal data to non-EU countries, particularly the US, given the present challenges associated with data transfers to third countries arising from the ECJ's "Schrems II" ruling and the ongoing investigations by data protection authorities.

III.    Strategic implementation

Strategic implementation of these requirements at the earliest possible date reduces the risks for manufacturers enormously. A suitable management system will allow you to identify the applicable regulations, derive specific requirements from them and then implement those requirements in your development and manufacturing process. We would be glad to help you in this regard.

