New EU General Data Protection Regulation – What startups should know

Starting May 25, 2018, the new EU General Data Protection Regulation (GDPR) will come into force. Companies had two years to adapt their business processes to the new data protection regulations. Now the grace period is over. Startups, in particular, should keep this deadline on their radar. Rita Bottler, Data Protection Officer of the Chamber of Industry and Commerce for Munich and Upper Bavaria, explains how companies can prepare for the upcoming GDPR.

What types of data are protected by the GDPR?

Rita Bottler, Data Protection Officer of the Chamber of Industry and Commerce for Munich and Upper Bavaria. © IHK Munich

All types of personal data (pD) are protected by the GDPR, regardless of the category of person involved, i.e. whether it is employee, customer or supplier data.

For the GDPR, as for all other data protection laws, the following applies: they must always be observed when companies handle so-called "personal data." This refers to all information that can be directly or indirectly (e.g., via an identifier) related to a person (a so-called "identified or identifiable natural person" or "data subject").

Examples of this are: name, address and contact details of customers, contractual partners or employees, examination grades, account details, data on a customer's purchasing behavior, location data, date of birth, creditworthiness data.

If data cannot be linked to a person (e.g. anonymized statistical data), data protection laws such as the GDPR do not need to be observed.

Accountability as a central duty

What principles must be observed when processing personal data according to the GDPR?

The GDPR establishes accountability as the central obligation. This means that companies must be able to demonstrate to supervisory authorities that they comply with all data protection requirements. This includes the following data protection principles:

  • Lawfulness
    • Processing of data only on a legal basis (consent or legal authorization)
  • Processing in good faith
    • Purpose-bound and proportionate data processing, no use of covert techniques
  • Transparency
    • No "secret" processing; ensuring that data subjects can exercise their rights
  • Purpose limitation
    • Purpose specification, i.e. processing only for specified, explicit and legitimate purposes
    • Purpose limitation in the narrow sense, i.e. a prohibition on processing personal data in a manner incompatible with the purpose for which it was collected
  • Data minimization
    • Restriction to what is appropriate, relevant and necessary for the purpose of the processing
  • Accuracy of the data
    • Prohibition on collecting or storing false data
    • Requirement to update data that has become incorrect
    • Requirement to delete or correct such data
  • Storage limitation
    • Data economy in terms of time, i.e. storage periods must be limited to the "absolutely necessary minimum"
    • Regularly check whether the purposes have been achieved!
  • Integrity and confidentiality
    • Protecting the integrity of data
    • Protecting data from unauthorized access or processing

→ Guaranteed through technical and organizational measures that protect data in accordance with the GDPR

How can startups implement the GDPR to avoid unpleasant surprises in May?

Startups should also consider from the outset

  • how to design their business processes in compliance with data protection regulations and
  • how to document this efficiently.

Accountability also requires a minimum level of documentation from small and medium-sized enterprises in order to demonstrate compliance with data protection regulations. To this end, companies must use a data protection management system to ensure that their business processes comply with data protection regulations.

A data protection management system includes, among other things, maintaining a register of processing activities, contract management, processes for reporting data breaches and exercising the rights of data subjects, as well as training employees and their obligation to maintain confidentiality and a data security concept.

Of pitfalls and responsibility

In your opinion, what are the particular pitfalls for startup companies?

A particular pitfall would be if startups didn't take data protection seriously. Such a policy would certainly not be advisable for any startup these days. Data protection issues should be clarified during the start-up phase. Anyone who wants to develop products such as apps and software should follow the principle of "Data protection through technology/technical default settings" and manufacture data protection-compliant products. Properly implemented, data protection can also be a marketing advantage.

What should I pay attention to in terms of data protection when I commission other companies?

The contracted company must also be suitable from a data protection perspective. This applies especially to contracts for processing on behalf of the company (data processing agreements). Contracting companies have a duty to check this. They may only use processors that have implemented appropriate technical and organizational measures to protect the data and thus guarantee adequate data protection. Evidence of such guarantees can be provided, for example, by approved codes of conduct of the processor or by certifications.

Who is responsible if data protection violations occur?

Responsibility lies with the company (the so-called responsible body). In this regard, the GDPR will expand the company's responsibility for data protection violations. As before, the company will be held accountable for the actions of legal representatives or other management personnel within the company. In addition, according to the GDPR, it will also be held accountable in external relations with the data subject for the actions of an employee or an external agent.

New liability scenarios will also arise in data processing relationships. A data processor will be liable like a controller under the GDPR if it violates the client's instructions and processes the client's data for its own purposes or the purposes of third parties. Furthermore, special liability provisions for data processors in the event of data protection violations will be introduced, meaning that those affected will be able to assert claims for damages directly against them in the event of violations.

Further information on the EU General Data Protection Regulation

Where can I find further information and assistance on data protection?

Comprehensive information on the GDPR can be found on our homepage at https://www.ihk-muenchen.de/datenschutz/ and www.ihk-muenchen.de/datenschutz-kmu.

We will also be offering an information event on the GDPR for companies in the spring. We will publish the date on our website.

The website of the Bavarian State Office for Data Protection Supervision also provides numerous references to the GDPR (brief papers from the German Data Protection Conference and brief papers from the Bavarian State Office for Data Protection Supervision, as well as a sample data processing agreement). Furthermore, the Bavarian State Office for Data Protection Supervision offers an online test on its website that companies can use for an initial self-assessment.

The Bavarian State Office for Data Protection Supervision has published a useful guide entitled "First Aid for the General Data Protection Regulation for Companies and Associations – The Immediate Action Package" through Beck Verlag, which is available in bookstores for €5.50. It includes templates and checklists, among other things.
