[jo909]

EDIT: I seem to be wrong. This is a hybrid of a EU regulation that needs to be implemented into local law, and "EU law" that has direct application everywhere. Also there are specific rules on how much stronger the member states can make their local rules. I'm leaving my error in the text below.

That is not technically correct, and the difference matters.

The EU regulation forces it's members to implement their own local laws in alignment to the EU regulation. The EU regulation can get a member state into trouble if not implemented in time or correctly. They describe a set of "baseline" data protection laws for the whole EU, but the members can still have stronger local rules. Only the local law is what can get a resident company in trouble.

Germany has (had for a long time) very strong data protection laws that are still going to be stronger than the EU regulation.

[lucideer]

Your comment is not strictly "wrong", as you say, it's just that the law is changing. The new regulation comes in* on May 25th. Your comment correctly describes the current system, which is being replaced.

* By "comes in", I mean begins being enforced. There's been a 2 year grace period as advance notice.