June 8, 2023
The GDPR, also known as the EU General Data Protection Regulation or Datenschutz-Grundverordnung (GDPR), is a regulation that applies uniformly across the European Union. It regulates how companies and authorities should handle the personal data of their visitors, customers, or users. The GDPR has been in effect since May 25, 2018.
Prior to the GDPR, there were different regulations and standards regarding data protection within the EU. The GDPR was introduced to create a unified framework for data protection across the EU, aiming to avoid divergent regulations in different EU countries. It establishes a consistent level of data protection throughout the EU, while also safeguarding the free movement of data within the EU's internal market. In addition to the GDPR, Germany has its own supplementary data protection laws, such as the Federal Data Protection Act (BDSG-neu), the TMG, and the TKG, which further specify and complement the GDPR.
The GDPR has two application areas: material and territorial. The material scope determines whether personal data is processed either wholly or partially by automated means or stored in a filing system in non-automated processing. The territorial scope of the GDPR applies to the processing of personal data within the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place within the EU.
What's new?
Unlike the previous EU Data Protection Directive, the provisions of the GDPR do not need to be separately transposed into national laws of member states. It applies equally to all countries. Only national laws, such as the BDSG-neu in Germany, need to be reviewed and potentially adjusted. Furthermore, according to the GDPR, companies from third countries are also affected if their data processing involves personal data of EU citizens.
The rights of data subjects have been expanded, allowing consent to be revoked at any time without providing reasons. Another difference is that companies must ensure that third parties are informed about the correction or erasure of incorrect or outdated data. In case of non-compliance with the GDPR, significantly higher fines can be imposed compared to the previous directive.
New data protection principles for software developers and web designers
The GDPR introduces two important principles for software designers and web designers: Privacy by Design and Privacy by Default.
Data protection can be complex, with numerous points to consider. The GDPR incorporates various important principles, which result in numerous tasks for companies to implement. The principles include:
In principle, the topic of data protection officers is relevant for all companies that deal with personal user and customer data.
The General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) require by law the appointment of a company data protection officer if one of the following conditions applies:
(1) As a rule, at least 20 persons are permanently employed with the automated processing of personal data in the company.
(2) The core activity of the company consists of carrying out processing operations which require extensive regular and systematic monitoring of data subjects.
(3) The core activity of the company is the extensive processing of special categories of data.
(4) The company is required under the GDPR to conduct a so-called data protection impact assessment.
(5) The company processes personal data commercially for the purpose of transmission, anonymized transmission, or market or opinion research.
According to the GDPR, the data protection officer has the following tasks: He is the first point of contact for inquiries from responsible authorities. In addition, he is obliged to inform companies about existing obligations under data protection law and to monitor their compliance with data protection laws. He also maintains the processing directory and advises and supports companies in carrying out the data protection impact assessment (Art. 35 GDPR).
The data protection officer is the contact person for management, employees as well as sales and marketing in all matters relating to the handling of user and customer data.
In principle, anyone can become a data protection officer. He or she must have the qualifications and expertise to perform his or her duties as stipulated by law. However, specific knowledge and training are not prescribed - neither in the GDPR nor in the new BDSG. Nevertheless, it is useful if a certified data protection officer is appointed who can prove his or her data protection knowledge with a certificate (e.g., from TÜV). An external data protection officer from SECJUR can also be deployed - they observe all the principles of the GDPR at all times.
First and foremost, consent must be given: The consent of data subjects is the way to ensure lawful processing of personal data. Consent must be voluntary, specific, given in an informed manner, explicit and unambiguous. An awareness of giving consent as well as a certain capacity for insight are also required.
Processing of special categories of personal data
Special category data includes: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, biometric data uniquely identifying a natural person, health data, and data on a natural person's sex life or sexual orientation. These data require special protection. In principle, they may not be processed. Exception: the person has given express consent.
Right of access
Companies are obliged to send their customers information about the stored data upon request. This includes: the purpose of data processing, the categories of personal data, the recipients or categories of recipients of the data, transfers of personal data to a third country, the planned storage period or the criteria for determining it, and the right to lodge a complaint.
Users may request that untrue data be corrected or supplemented accordingly.
The right to erasure occurs when the purpose for processing the data has ceased to exist, the user has revoked his or her consent, and a right to data processing did not exist.
EU citizens can demand that search engine operators such as Google stop displaying their search results under certain conditions. The GDPR enshrines this claim not only against Google, Bing and Co. but against any entity that processes personal data.
Data subjects also have the right to object to data processing for direct marketing and, under certain conditions, to restrict it.
Users can take their personal data to another provider or require a provider to transfer their personal data to another.
Normally, a company has to implement all these points according to the GDPR. Instead of tackling this tediously and individually, you can simply use SECJUR's data protection as-a-service, which does it for you automatically.
A data breach is any breach of security. This unintentionally or unlawfully results in the destruction, loss, alteration or unauthorized disclosure of personal data that has been transmitted, stored or otherwise processed. For example, this may be the case if hackers tap personal data as part of a cyber attack or if data carriers containing personal data are lost or stolen.
Data controllers are generally obligated to report a personal data breach to the competent data protection supervisory authority and also to notify affected individuals. However, there is an exception to this: notification to the data protection supervisory authority can be omitted if the incident is not expected to result in a risk to the rights and freedoms of natural persons.
The notification to the data protection supervisory authority must contain: a description of the nature of the breach, the name and contact details of the data protection officer, a description of the likely consequences of the breach, and a description of the proposed measures to remedy the breach. Responsible parties must report the breach within 72 hours of becoming aware of it.
Here, too, SECJUR is a great support, because SECJUR's data protection module automatically detects data protection incidents, which you can then discuss and resolve with SECJUR's team of experts and lawyers.
For this purpose, a data protection officer should be appointed within the company or an external data protection officer from SECJUR should be used.
With SECJUR's DCO (Digital Compliance Office), all GDPR guidelines and requirements can be easily monitored and complied with in an automated way.
The GDPR's catalog of fines provides for fines of up to 20 million euros. However, the supervisory authority may also impose fines of up to four percent of the annual global turnover achieved in the last financial year. The higher of the two values is decisive here.
The Internet giant Google has already been hit in the past. The French data protection authority CNIL imposed a fine of 50 million euros on Google, sanctioning an illegal setup process on the Android operating system. CNIL criticized the fact that users of the Android operating system cannot view important data protection information, or can only do so with difficulty. For example, it would be difficult for them to find out how long Google stores user data and how it processes it further.
A retail company shreds sensitive documents such as applicant records after a rejected applicant communicates that his data should be destroyed (access control as part of technical and organizational measures - TOM).
A corporate group implements access restrictions and a strict data security policy to ensure that only authorized employees have access to personnel files.
Marketing management checks very carefully that the newsletter to be sent to thousands of customers the next day does not contain any email addresses that have unsubscribed from the newsletter.
You can see how complex data protection and its tasks can be in everyday business life. Compliance with the GDPR is required by law. It is indispensable for a company with EU responsibilities to address and implement the numerous points of the GDPR when processing personal data.
Data protection benefits not only the general public but also the company itself, which wants to know that the personal data it handles is in safe hands when passed to third parties. SECJUR also offers a data protection module in the Digital Compliance Office (DCO), our compliance platform, in accordance with GDPR standards - making compliance much easier for companies digitally. The big advantage of our data protection module: With this module, important requirements and laws are met automatically, data protection incidents can be investigated directly according to legal requirements, and you benefit from personal support from our experienced team of data protection experts and lawyers.
SECJUR stands for a world where companies are always compliant, but never have to think about compliance. With the Digital Compliance Office, companies automate time-consuming work steps and achieve compliance standards such as GDPR, ISO 27001 or TISAX® up to 50% faster.