GDPR
Personal data play an increasingly important role for companies. They are a valuable economic asset and are collected and processed every day to carry out internal and external business processes. For this reason, data protection rules have been tightened to protect the persons whose data are collected and processed. Today, data flows do not stop at national borders. That is why the European Union has taken responsibility for creating new laws and directives: the General Data Protection Regulation ("GDPR"). Because of its wide scope, it does not only apply to companies based in the EU. It also establishes a set of obligations for companies operating in the internal (EU) market. A violation of data protection obligations can be punished with fines of several million euros.
Checklist – The most important data protection obligations:
1. The privacy policy
In general, the obligation to provide information in the data protection declaration (privacy policy) becomes more extensive under the new GDPR. If you already have an existing declaration, it should at least be checked, if not rewritten.
We will be happy to check your data protection declaration, update it or rewrite it completely, tailored to the specific requirements of your website.
2. Collection of personal data (tracking)
In future, it will generally be prohibited to collect personal data. There are some exceptions to this, but they are handled very restrictively. For example, if you use the "Google Analytics" analysis software, you should in any case anonymise the data collected. Particular attention should be paid to the IP address of the respective user; Google Analytics allows you to anonymise it. Furthermore, you must inform visitors in the data protection declaration about the use of Google Analytics and/or other tracking tools and explain how they work. The types of data collected in each case must be listed. The user must also be offered the possibility of an opt-out, i.e. the opportunity to object to being tracked.
We can also help you here. We check and analyse your website and create instructions to make it legally secure. If you are unable to manage your website yourself, we will be happy to put you in touch with a suitable service provider.
3. Cookies
At the moment it is still sufficient under § 15 Abs. 3 Telemediengesetz to inform the user that you use cookies. This can be done, for example, with a cookie notice containing a link to the data protection declaration.
However, a new EU ePrivacy Regulation is expected to come into force in 2019, replacing the current directive. It can be assumed that this new regulation will be significantly more restrictive towards businesses.
4. A data protection officer
If your company has more than 9 employees who are permanently involved in the processing of data, you are as a rule obliged to appoint a data protection officer. The same applies if your company has more than 20 employees; in that case it does not matter whether those employees are involved in data processing or not. Furthermore, there are many areas of activity and exceptions in which you are also obliged to appoint a data protection officer (doctors, dentists, etc.).
To the extent that a company's budget and resources allow, compliance with the requirements of the GDPR can be ensured and monitored by means of a data protection management system. This is an internal compliance system that checks the fulfilment of data protection and security-related obligations.
Companies to which the GDPR applies although they have no establishment in the EU must appoint a representative in the EU. This representative serves as a contact point for data subjects and supervisory authorities. If you need advice or help, we are at your disposal as lawyers.