GDPR - The SECJUR Guide to the General Data Protection Regulation

What is GDPR?

‍

The GDPR, also known as the EU General Data Protection Regulation or Datenschutz-Grundverordnung (GDPR), is a regulation that applies uniformly across the European Union. It regulates how companies and authorities should handle the personal data of their visitors, customers, or users. The GDPR has been in effect since May 25, 2018.

‍

Why is the GDPR important?

‍

Prior to the GDPR, there were different regulations and standards regarding data protection within the EU. The GDPR was introduced to create a unified framework for data protection across the EU, aiming to avoid divergent regulations in different EU countries. It establishes a consistent level of data protection throughout the EU, while also safeguarding the free movement of data within the EU's internal market. In addition to the GDPR, Germany has its own supplementary data protection laws, such as the Federal Data Protection Act (BDSG-neu), the TMG, and the TKG, which further specify and complement the GDPR.

‍

The scope of the GDPR

‍

The GDPR has two application areas: material and territorial. The material scope determines whether personal data is processed either wholly or partially by automated means or stored in a filing system in non-automated processing. The territorial scope of the GDPR applies to the processing of personal data within the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place within the EU.

‍

What's new?Unlike the previous EU Data Protection Directive, the provisions of the GDPR do not need to be separately transposed into national laws of member states. It applies equally to all countries. Only national laws, such as the BDSG-neu in Germany, need to be reviewed and potentially adjusted. Furthermore, according to the GDPR, companies from third countries are also affected if their data processing involves personal data of EU citizens.

‍

The rights of data subjects have been expanded, allowing consent to be revoked at any time without providing reasons. Another difference is that companies must ensure that third parties are informed about the correction or erasure of incorrect or outdated data. In case of non-compliance with the GDPR, significantly higher fines can be imposed compared to the previous directive.

‍

New data protection principles for software developers and web designersThe GDPR introduces two important principles for software designers and web designers: Privacy by Design and Privacy by Default.

• Privacy by Design means that new technologies and services must be developed with a focus on privacy from the outset.
• Privacy by Design includes technical measures that consider data protection throughout the development process.
• Examples of Privacy by Design include automatic pseudonymization.
• Privacy by Default means that the most privacy-friendly option should be preselected in the settings of newly created programs or accounts.

‍

Principles of the GDPR

‍

Data protection can be complex, with numerous points to consider. The GDPR incorporates various important principles, which result in numerous tasks for companies to implement. The principles include:

‍

1. Transparency: Individuals must always be aware of the purpose and reasons for the processing of their personal data. Secretive processing is not permitted.
2. Purpose limitation: The purpose of data processing must be determined before collecting the data, and subsequent changes to the purpose are not allowed. It must be ensured that the collected data is not used for purposes other than originally intended.
3. Data minimization: Only the necessary data for the specific processing purpose should be collected
4. Accuracy: Personal data must not only be accurate and up to date, but must also come from reliable sources. Inaccurate or outdated data must be deleted or corrected immediately.
5. Storage limitation: Personal data must be deleted when it is no longer needed. Unless deletion conflicts with statutory retention obligations. As long as the retention period runs, the data will not be deleted, but will be blocked for further use. The following applies: deleted data is the safest data. The storage period must be limited to the absolutely necessary minimum.
6. Integrity and confidentiality: Personal data must be kept secure and confidential. Unauthorized persons must not have access to them and must not be able to use the data or the devices with which they are processed.
7. Accountability: A company must be able to demonstrate to supervisory authorities that it complies with all the requirements of the GDPR. Therefore, the legal, technical and organizational measures taken to ensure data protection must be documented in detail. This means that relevant documents, receipts and other materials are systematically stored and archived in written or electronic form so that they are immediately available in the event of an emergency.

‍

Who needs a data protection officer?‍

‍

In principle, the topic of data protection officers is relevant for all companies that deal with personal user and customer data.

‍

The General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) require by law the appointment of a company data protection officer if one of the following conditions applies:

‍

(1) As a rule, at least 20 persons are permanently employed with the automated processing of personal data in the company.

‍

(2) The core activity of the company consists of carrying out processing operations which require extensive regular and systematic monitoring of data subjects.

‍

(3) The core activity of the Company is the extensive processing of special categories of data.

‍

(4) The company is required under the GDPR to conduct a so-called data protection impact assessment.

‍

(5) Business processing of personal data for the purpose of transmission, anonymized transmission or for the purpose of market or opinion research.‍

‍

‍
What are the tasks of a data protection officer?

‍

According to the GDPR, the data protection officer has the following tasks: He is the first point of contact for inquiries from responsible authorities. In addition, he is obliged to inform companies about existing obligations under data protection law and to monitor their compliance with data protection laws. He also maintains the processing directory and advises and supports companies in carrying out the data protection impact assessment (Art. 35 GDPR).

‍

The data protection officer is the contact person for management, employees as well as sales and marketing in all matters relating to the handling of user and customer data.‍

‍

What qualifications does a data protection officer have?

‍

In principle, anyone can become a data protection officer. He or she must have the qualifications and expertise to perform his or her duties as stipulated by law. However, specific knowledge and training are not provided for - neither in the GDPR nor in the new BDSG. Nevertheless, it is useful if a certified data protection officer is appointed who can prove his data protection knowledge with a certificate (e.g., from TÜV). An external data protection officer from SECJUR can also be deployed - they observes all the principles of the GDPR at all times.

‍

Why is the processing of personal data so complex?‍

‍

First and foremost, consent must be given: The consent of data subjects is the way to ensure lawful processing of personal data. First and foremost, it must be voluntary, determined, given in an informed manner, explicit and unambiguous. A consciousness of consent as well as a certain capacity for insight are furthermore also required.‍ Processing of special categories of personal data‍.

Special category data includes: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. But also genetic data, biometric data uniquely identifying a natural person, health data or on a natural person's sex life or sexual orientation. These data require special protection. In principle, they may not be processed. Exception: the person has given express consent.‍Right of access‍Companies are obliged to send their customers information about the stored data upon request. This includes: Purpose of data processing, categories of personal data, recipients or categories of recipients of the data, transfers of personal data to a third country, planned storage period or criteria for determination and complaint.‍

‍

Right to rectification

‍

Users may request that untrue data be corrected or supplemented accordingly.

‍

Right to deletion‍

‍

The right to erasure occurs when the purpose for processing the data has ceased to exist, the user has revoked his or her consent, and a right to data processing did not exist.‍

‍

Right to restriction of processing

‍

EU citizens can demand that search engine operators such as Google stop displaying their search results under certain conditions. The GDPR enshrines this claim not only against Google, Bing and Co. but against any entity that processes personal data.‍

‍

Right of objection‍

‍

Data subjects also have the right to object to data processing for direct marketing and, under certain conditions, to restrict it.‍

‍

Right to data portability‍

‍

Users can take their personal data to another provider or require a provider to transfer their personal data to another.Normally, a company has to implement all these points according to the GDPR. Instead of tackling this tediously and individually, you can simply use SECJUR's data protection as-a-service, which does it for you automatically.

‍

GDPR emergency: What are data breaches?

‍

A data breach is any breach of security. This unintentionally or unlawfully results in the destruction, loss, alteration or unauthorized disclosure of personal data that has been transmitted, stored or otherwise processed. For example, this may be the case if hackers tap personal data as part of a cyber attack or if data carriers containing personal data are lost or stolen.‍

‍

Obligation to notify data breaches‍

‍

Data controllers are generally obligated to report a personal data breach to the competent data protection supervisory authority and also to notify affected individuals. However, there is an exception to this: notification to the data protection supervisory authority can be omitted if the incident is not expected to result in a risk to the rights and freedoms of natural persons.

‍

How to deal with data privacy violations?‍

‍

The notification to the data protection supervisory authority must contain: a description of the nature of the breach, the name and contact details of the data protection officer, a description of the likely consequences of the breach, and a description of the proposed measures to remedy the breach. Responsible parties must report the breach within 72 hours of becoming aware of it.

‍

Here, too, SECJUR is a great support, because SECJUR's data protection module automatically detects data protection incidents, which you can then discuss and resolve with SECJUR's team of experts and lawyers.

‍

What is a data privacy statement?‍

‍

A privacy policy addresses the processing of information and data by an organization. This includes personal data such as name, address, e-mail address, IP address. The data protection declaration must be distinguished from consent in data protection. Here, it is a matter of the data subject allowing the processing of his or her personal data because the law does not permit the data processing.‍

‍

What must be included in a data privacy statement?‍

‍

The content depends on how exactly companies handle users' personal data. In the general part of the statement, users should be informed about what the privacy policy is. In addition, it must be stated who is responsible for the statement and who the data protection officer is. In the special part of the privacy statement, it must be made clear for what purpose and on what legal basis the data is processed. Users must also be informed about the rights. In addition, the following must be included in the statement: information on data processing, data transfer to others and necessity.‍

‍

How do you create a privacy statement?‍

‍

There are various samples or templates for a privacy policy. The disadvantage of this, however, is that it cannot be used to create a statement specifically geared to a website. Instead, you can simply use SECJUR's Data Protection as a Service, which does this for you automatically.This is what the GDPR looks like in everyday business lifeCompanies must ensure that personal data is protected when they process it. This is done by implementing suitable technical organizational measures (TOM). These are various precautions that must be taken by persons responsible in the company. These include: the availability of personal data and its encryption. Also important is the permanent assurance of the confidentiality, integrity, availability and resilience of the systems, as well as procedures for regular review, assessment and evaluation of the effectiveness of the TOM.

‍

For this purpose, a data protection officer should be appointed within the company or an external data protection officer from SECJUR should be used.

With SECJUR's DCO (Digital Compliance Office), all GDPR guidelines and requirements can be easily monitored and complied with in an automated way.

‍

Sanctions for violations of the GDPR

‍

The GDPR's catalog of fines provides for fines of up to 20 million euros. However, the supervisory authority may also impose fines of up to four percent of the annual global turnover achieved in the last financial year. The higher of the two values is decisive here.

‍

Real-world examples of fines and sanctions

The Internet giant Google has already been hit in the past. The French data protection authority CNIL imposed a fine of 50 million euros on Google, sanctioning an illegal setup process on the Android operating system. CNIL criticized the fact that users of the Android operating system cannot view important data protection information, or can only do so with difficulty. For example, it would be difficult for them to find out how long Google stores user data and how it processes it further.

‍

4 GDPR examples from everyday business life

‍

1. Privacy policy:

‍

Having a privacy policy on the website of an online store that uses external tools such as Google Analytics.

‍

2. Answering and carrying out a deletion request according to GDPR:

‍

A retail company shreds sensitive document such as applicant records after a rejected applicant communicates that his data should be destroyed (access control as part of technical organizational measures - TOM).

‍

3. Access restrictions:

‍

A corporate group implements access restrictions and a strict data security policy to ensure that only authorized employees have access to personnel files.
‍

4. Respecting unsubscriptions: 

‍

Marketing management checks very carefully that the newsletter to be sent to thousands of customers the next day does not contain any email addresses that have unsubscribed from the newsletter.

‍

‍

Summary on the GDPR‍

‍

You can see how complex data protection and its tasks can be in everyday business life. Compliance with the GDPR is required by law. It is indispensable for a company with EU responsibilities to address and implement the numerous points of the GDPR when processing personal data.

‍

‍

GDPR can be so simple - with data protection-as-a-service in SECJUR's DCO

‍

Data protection benefits not only the general public, but also personal data in the company, which also wants to know that this data is in the safe hands of third parties. SECJUR also offers a data protection module in the Digital Compliance Office (DCO), our compliance platform, in accordance with GDPR standards - making compliance much easier for companies digitally. The big advantage of our data protection module: With this module, important requirements and laws are met automatically, data protection incidents can be investigated directly according to legal requirements, and you benefit from personal support from our experienced team of data protection experts and lawyers.

‍

‍