Data Protection – GDPR
Requirements under the General Data Protection Regulation
Introduction
The General Data Protection Regulation (GDPR) has applied since May 25, 2018. From that date it had to be observed ‘overnight’ in all member states of the European Union, with no further transition period. The GDPR has practical significance for virtually all companies. Data protection supervisory authorities are empowered to impose substantial fines, which can amount to up to 4% of a company’s global annual turnover. A detailed examination of the requirements now imposed on companies is therefore necessary. Various proceedings are already under way in which violations are met not only with supervisory measures and fines, but in particular with cease-and-desist warnings from competitors or from associations that issue such warnings. This article aims to provide an initial orientation on which issues can be particularly critical and urgently need to be addressed.
Overview of the Regulations
The regulation is anchored in the concept of personal data. This includes all information relating to an identified natural person or to an identifiable natural person, i.e., one who can be identified directly or indirectly, for example by combining several pieces of information. Both groups of persons are referred to as data subjects. The regulation always concerns the protection of ‘natural’ persons, i.e., humans, not the protection of legal entities such as corporations in the form of a GmbH or AG.
The central term is the ‘processing of personal data’, regardless of whether it is carried out in a fully automated, partially automated, or non-automated manner. The entity that determines the purposes and means of the processing is the controller; a separate party that processes data on the controller’s behalf is the processor. The concept of processing covers, among other things, the collection, storage, modification, transmission, linking, and deletion of personal data.
Data processing is subject to a prohibition with reservation of permission: it is prohibited unless one of the legal bases named in the regulation applies. The regulation lists several such bases; the three most relevant for companies are (alternatively):
• the consent of the informed data subject for a specific case;
• processing for contract fulfillment;
• processing to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights of the data subject override those interests.
Consent must be given for a specific case and is only effective after the controller has clearly and comprehensibly informed the data subject about the concrete purpose of the processing. The data subject must also be informed that consent can be withdrawn at any time. Finally, consent must be given by a clear affirmative action; silence or pre-ticked boxes are not sufficient.
Providing personal data for the purpose of contract fulfillment is not subject to any of the form requirements generally recognized in legal transactions. The use of personal data, or the request for such data, is lawful if it is necessary for the performance of a contract with the data subject.
The concept of ‘processing to protect the legitimate interests of the controller’ will gain significant importance. Most data processing will probably have to be based on this rather vague concept. Typical cases are processing for direct marketing, market research, or the analysis of customer data. In each case the controller must weigh its interests against those of the data subject, and the ‘reasonable expectations of the data subject’ must be taken into account.
In addition to the three legal bases mentioned above, further principles must be observed, not all of which were newly introduced by the GDPR. These include:
• purpose limitation;
• accuracy of data;
• storage limitation (data may only be kept as long as necessary).
The purposes for processing personal data must be established in advance, regardless of whether the processing is based on consent, on contract fulfillment, or on legitimate interests. The purpose must be defined by the controller. The accuracy of the data must be ensured with reasonable effort. This also includes the willingness to correct data within a reasonable time at the request of the data subject. The necessity of storing data ends when the data is no longer needed for its purpose and no other retention obligation applies. In such cases, the data must either be deleted or at least modified so that any personal reference is removed (anonymized).
Compliance with these principles alone, however, is not sufficient to meet the new requirements of the GDPR. The obligation to maintain a record of processing activities is introduced, in which the essential processing operations must be listed. There is a prescribed minimum content for this record. This minimum content, however, does not yet cover everything for which companies are accountable to the supervisory authorities. Controllers must be able to demonstrate compliance at any time, beyond the minimum content of the record. In case of doubt, written documentation must show which personal data is processed on which legal basis, for what purpose, and for how long it still needs to be stored. In particular, the respective legal basis is not part of the minimum content of the record.
Exemptions from the record obligation are few:
The record of processing activities must be maintained by the controllers of almost all companies and institutions. The regulation provides an exemption for organizations with fewer than 250 employees, but only if the processing is merely occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and does not involve special categories of data such as health or religious data. In practice this exemption rarely applies: as soon as a person, company, institution, etc. employs staff, data in these special categories is processed, for example health data when recording sick days.
The record is internal and does not have to be published. For German controllers the record is generally to be kept in German; whether it is kept on paper or electronically is optional. The record must always be up to date, and updates should be made while retaining the previous version so that the history remains traceable.
Minimum content:
In the mandatory part of the record, the individual processing activities, their respective purposes, and the further content required by Art. 30 Para. 1 GDPR (such as the categories of data subjects and data, the recipients, any transfers to third countries, and, where possible, the envisaged deletion periods and a general description of the technical and organizational security measures) are to be recorded in descriptive form.
Extended record:
It is strongly recommended to go beyond the minimum content and additionally name the legal basis under the GDPR for each processing activity, record the deletion periods, and include other accountability-relevant information, so that any inquiry from a supervisory authority can be answered easily.
Data Processing Agreement:
In the area of data processing agreements, it remains the case under the GDPR that a written contract (an electronic form is sufficient) must exist with every processor. Existing contracts now need to be reviewed and adapted to the new legal situation, since the GDPR prescribes the minimum content of such agreements.
Employee Obligation:
Since processing is usually carried out by employees, employees must be obliged in writing (for verifiability) to process the personal data entrusted to them and accessible to them in compliance with the law and in accordance with instructions. Employees may only process personal data on the instructions of the controller; this should be stated expressly in the written obligation.
Data Protection Officer:
Under the German implementing law (BDSG), companies in which at least ten persons are regularly employed in the automated processing of personal data (i.e., who have computer/network/IT access) must appoint a Data Protection Officer (internal or external). Note that this is not limited to personnel accounting: every employee who, for example, is in email contact with customers processes personal data. Irrespective of this threshold, companies must also appoint a Data Protection Officer if their core activities consist of large-scale processing of special categories of data or of regular and systematic monitoring of data subjects on a large scale.
Data Subject Rights:
Most data subject rights existed before the GDPR. The only genuinely new right is the right to data portability. It entitles the data subject to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format, or to have it transmitted directly to another controller. A customer can, for example, request that the data they have provided to one online shop be transferred to another online shop.
The data subject must be informed that they can object to the processing of their data. This is particularly relevant where the controller bases the processing on a balance of interests (legitimate interests). In principle, the data subject must state grounds relating to their particular situation for the objection. This does not apply to processing for direct marketing, which the data subject may object to at any time without giving reasons; this must also be pointed out.
IT Security:
IT security was a familiar topic before the GDPR. The issues of protection against attacks, encryption of electronic communication, and the availability and recovery of data remain current; the GDPR now expressly requires appropriate technical and organizational measures and makes the controller accountable for them.
The topic therefore requires in-depth attention and timely action from all companies. No transition period is provided. Inspections by supervisory authorities are made easier, in particular by the mandatory records with their minimum content. Websites must inform visitors comprehensively about every collection of personal data that takes place during the visit. This requires far more detailed information than in the past, preferably in a separate privacy notice reachable via its own “Data Protection” link.
Summary of To-Dos:
In summary, four areas need to be addressed urgently by every company:
1. Setting up the record(s) of processing activities
2. Checking whether a Data Protection Officer must be appointed
3. Adapting the privacy notices on the websites
4. Implementing the data subject rights, in particular information, objection, and data portability
Processing in detail may raise questions. As a competent partner, we are at your side with advice and support.