Ready for the GDPR from the perspective of website operators
With the entry into force of the European Data Protection Regulation (EU-GDPR) on 25 May 2018, the fear of warnings and fines has increased significantly, especially for small and medium-sized enterprises (SMEs). However, only time will show the actual impact on website operators and SMEs. Risks can be minimised though if one knows the new legal basis and is able to react to it at short notice if necessary.
The most important thing to know is that the GDPR affects everyone, including you! Whether privately or professionally, everyone has to do in some way with personal data and should therefore familiar with the Europe-wide almost uniform data protection rules, at least in broad terms. The good news is: Since large parts of the GDPR are based on the strict German data protection law, you will probably already know some regulations.
Our recommendation to website operators is to pay particular attention to the principle of data minimisation. In this context, we have reduced the scope of collecting and processing personal data to an absolute minimum as well. Moreover, we completely disclaim the use of external analytical tools. However, if you cannot refrain from gathering certain data and integrating external services, you should bear the following in mind:
Data minimisation: Only personal data may be collected which are absolutely necessary for the purpose. For instance, to register for a newsletter, only a valid email address is absolutely necessary, that means neither name nor date of birth or the like are required.
Purpose limitation: The purpose for the collection, storage and processing of personal data must have been previously clearly defined and may not be changed or extended without separate consent.
Prohibition with permission: Personal data may not be collected, stored and processed unless there is a clear legal basis or consent of the person concerned.
Data transfer: Personal data may never be shared with third persons or passed on to third parties without explicit permission. A particular challenge for website operators is the integration of non-European services such as Google Analytics.
Order processing: You should conclude an "order data processing contract" with any external service provider who comes into contact with the personal data you have collected from your customers with obliges each external provider to treat these data in accordance with DSGVO as well.
Encryption: In the case of web forms, logins, contact forms or shop orders, personal data must be transmitted with SSL encryption (https: //).
Documentation and accountability: As a website operator, you are obliged to record processes which are connected to personal data in directories and to provide them on request to regulatory agencies.
Obligation to inform and report: As a website operator, you are generally obliged to provide free information about stored personal data. In addition, you must report the loss of personal information to supervisory bodies immediately in order to minimise or avoid fines. Non-compliance with the new data protection rules will also be fined.
Data Protection Officer: If your company has at least ten employees who are permanently involved in the processing of personal data, you must appoint a data protection officer who oversees all operations and acts as connector between operator and supervisory authority.
With these briefly summarised key regulations, we would like to support you in their implementation and hope that we could give you a good introduction and overview. For questions and suggestions, we are always happy to help and wish you all the best and success for your website! [Source: Kompac't 1/2018].