GDPR for Consumers: Power to the People
The GDPR can mean a lot of work for companies which have not yet dealt with the topic of data protection and might therefore be perceived as disadvantageous. However, this should not be the case because those working with personal data have a certain responsibility to protect them. Therefore, we advise website operators to be as economical as possible in collecting, storing and processing such data. Please see in this regard also the summary of key points for handling personal data (07/2018).
For consumers, the standardisation of European data protection directives is in any case a great benefit and success. One thing is of particular importance to this end: Customers must be informed in more detail how their personal data are used and they have the right to object to this use at any time. To provide a precise idea about which rights consumers will exactly have in the future and how they can benefit from the GDPR, the following summary provides an overview of the most important innovations and what they mean for you.
Scope: The GDPR applies to all EU citizens whose rights it strengthens. Companies are from now on obliged to provide information about which personal data they collect, process and store for what purposes and how long. This also applies to any company which is not based in the EU as soon as they direct offers to European consumers. Thus, it applies to major US companies such as Google, Facebook and Co. as well.
Privacy by default: Essentially, only those personal data should be collected and processed which are absolutely necessary! This means also that companies are required to take care of data protection-friendly default settings. For example, when placing an order via a web shop, the name and delivery address are indispensable. The phone number is for instance not necessary to process the order and should therefore not be mandatory. In addition, companies may of course offer their customers to subscribe to their newsletter by activating a corresponding op-in box. This box should, however, not be pre-activated. Also regarding apps, for example, the microphone or access to photos etc. may not be enabled automatically.
Answer/information obligation: Companies have to inform consumers on request about their rights. In addition, they must provide any information about what data they have currently stored, for which purpose, for how long, as well as if and to whom they will be given. Such requests must be processed free of charge within four weeks.
Data Degradation & Right to Forget: Consumers have the right to request the immediate and complete deletion of stored personal data at any time. This right excludes for instance billing information which must be stored under German law for 10 years. Likewise, companies are obliged to destroy personal data immediately after the expiry of such deadlines or if the purpose of the storage has ceased to exist.
Data Copy & Data Portability: Companies must provide their customers on request with an electronic copy of their personal data, for instance as PDF. Moreover, they should for example in the event of terminating a contract provide the consumer with his/her data in a common electronic format in order to facilitate his/her migration to another provider.
Supervisory authorities: Customers have principally the right to address the responsible supervisory authority for any data protection concerns or doubts.
Although some of the provisions and wording of the new EU data protection directives are not yet fully defined, the GDPR is overall a big step in the right direction, finally allowing consumers extensive rights which are fully justified. Please do not hesitate to contact us if you have any questions, we will be happy to help. [Source: Kompac't 1/2018]