08/2018 – GDPR for Consumers: Power to the People
The GDPR can mean a lot of work for companies which have not yet dealt with the topic of data protection and might therefore be perceived as a disadvantage. However, this should not be the case, because those working with personal data carry a certain responsibility to protect it. We therefore advise website operators to be as economical as possible in collecting, storing and processing such data. Please see in this regard also the summary of key points for handling personal data (07/2018).
For consumers, the standardisation of European data protection rules is in any case a great benefit and success. One thing is of particular importance here: customers must be informed in more detail about how their personal data are used, and they have the right to object to this use at any time. To give a precise idea of which rights consumers will have in the future and how they can benefit from the GDPR, the following summary provides an overview of the most important innovations and what they mean for you.
Scope: The GDPR applies to all EU citizens, whose rights it strengthens. Companies are from now on obliged to state which personal data they collect, process and store, for what purposes and for how long. This also applies to any company not based in the EU as soon as it directs offers to European consumers. It therefore applies to major US companies such as Google, Facebook and Co. as well.
Privacy by default: Essentially, only those personal data may be collected and processed which are absolutely necessary. This also means that companies are required to provide data protection-friendly default settings. For example, when placing an order via a web shop, the name and delivery address are indispensable. The phone number, by contrast, is not necessary to process the order and should therefore not be a mandatory field. Companies may of course offer their customers a newsletter subscription via a corresponding opt-in box; this box must not, however, be pre-activated. Likewise, in apps, access to the microphone, photos and the like must not be enabled automatically.
Answer/information obligation: Companies have to inform consumers on request about their rights. In addition, they must disclose which data they currently store, for what purpose and for how long, and whether and to whom the data are passed on. Such requests must be processed free of charge within four weeks.
Data erasure & right to be forgotten: Consumers have the right to request the immediate and complete deletion of their stored personal data at any time. Exempt from this right is, for instance, billing information, which must be retained under German law for 10 years. Conversely, companies are obliged to destroy personal data immediately once such retention periods expire or once the purpose of the storage has ceased to exist.
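The deletion rule above has three inputs: an erasure request from the customer, a statutory retention period that overrides that request, and the end of the storage purpose. The following Python module, added here as an illustration and not part of the original article, encodes that decision for a small set of constructed records. The record categories, the retention table (apart from the 10-year billing rule cited above) and the sample dates are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention table (example values): years a category must be kept
# for legal reasons, or None if no statutory retention period applies.
# Only the 10-year billing rule comes from the article; the rest is assumed.
STATUTORY_RETENTION_YEARS = {
    "billing": 10,
    "newsletter": None,
    "support_ticket": None,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    purpose_active: bool  # False once the storage purpose has ceased (e.g. contract ended)


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(rec: Record):
    """Date on which the statutory retention period ends, or None if none applies."""
    years = STATUTORY_RETENTION_YEARS.get(rec.category)
    return None if years is None else add_years(rec.created, years)


def deletion_decision(rec: Record, today: date, erasure_requested: bool = False) -> str:
    """Return 'retain-legal', 'delete' or 'keep' for one record.

    - A running statutory retention period wins over everything, including an
      erasure request (the billing example in the text).
    - Otherwise the record is deleted when the customer asked for erasure, when
      the storage purpose has ceased, or when its retention period has expired.
    """
    expiry = retention_expiry(rec)
    if expiry is not None and today < expiry:
        return "retain-legal"
    if erasure_requested or not rec.purpose_active or expiry is not None:
        return "delete"
    return "keep"


def records_to_delete(records, today: date, erasure_requests=frozenset()) -> list:
    """IDs of all records that must be erased now, in sorted order."""
    return sorted(
        r.record_id
        for r in records
        if deletion_decision(r, today, r.record_id in erasure_requests) == "delete"
    )


# Constructed sample data for a run on 1 June 2018.
SAMPLE_RECORDS = [
    Record("inv-2010", "billing", date(2010, 3, 1), purpose_active=False),
    Record("inv-2007", "billing", date(2007, 5, 1), purpose_active=False),
    Record("nl-1", "newsletter", date(2017, 1, 1), purpose_active=False),
    Record("ticket-1", "support_ticket", date(2018, 1, 1), purpose_active=True),
    Record("ticket-2", "support_ticket", date(2018, 2, 1), purpose_active=True),
]

if __name__ == "__main__":
    today = date(2018, 6, 1)
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, deletion_decision(rec, today, rec.record_id == "ticket-2"))
    print("to delete:", records_to_delete(SAMPLE_RECORDS, today, {"ticket-2"}))
```

In the sample run, the 2010 invoice is kept under its legal hold even if the customer asks for erasure, the 2007 invoice is past its 10-year period and is purged, the lapsed newsletter subscription is purged because its purpose has ceased, and the open support ticket is only deleted when the customer explicitly requests it.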
Data copy & data portability: Companies must provide their customers on request with an electronic copy of their personal data, for instance as a PDF. Moreover, when a contract is terminated, for example, they should hand the consumer his or her data in a common electronic format in order to facilitate migration to another provider.
Supervisory authorities: Customers have, as a matter of principle, the right to turn to the responsible supervisory authority with any data protection concerns or doubts.
Although some of the provisions and wording of the new EU data protection rules are not yet fully settled, the GDPR is overall a big step in the right direction, finally granting consumers extensive rights which are fully justified. Please do not hesitate to contact us if you have any questions; we will be happy to help. [Source: Kompac't 1/2018]
07/2018 – Ready for the GDPR from the perspective of website operators
With the entry into force of the European General Data Protection Regulation (EU GDPR) on 25 May 2018, the fear of warnings and fines has increased significantly, especially for small and medium-sized enterprises (SMEs). However, only time will show the actual impact on website operators and SMEs. Risks can be minimised, though, if one knows the new legal basis and is able to react to it at short notice when necessary.
The most important thing to know is that the GDPR affects everyone, including you! Whether privately or professionally, everyone deals in some way with personal data and should therefore be familiar with the almost uniform Europe-wide data protection rules, at least in broad terms. The good news is: since large parts of the GDPR are based on the strict German data protection law, you will probably already know some of the regulations.
Our recommendation to website operators is to pay particular attention to the principle of data minimisation. In this spirit, we ourselves have reduced the collection and processing of personal data to an absolute minimum and completely forgo external analytics tools. If, however, you cannot refrain from gathering certain data and integrating external services, you should bear the following in mind:
Data minimisation: Only personal data which are absolutely necessary for the purpose may be collected. For instance, to register for a newsletter, only a valid email address is strictly required; neither name nor date of birth or the like is needed.
Purpose limitation: The purpose for the collection, storage and processing of personal data must have been previously clearly defined and may not be changed or extended without separate consent.
Prohibition subject to permission: Personal data may not be collected, stored or processed unless there is a clear legal basis or the consent of the person concerned.
Data transfer: Personal data may never be disclosed or passed on to third parties without explicit permission. A particular challenge for website operators is the integration of non-European services such as Google Analytics.
Order processing: You should conclude a data processing agreement ("order data processing contract") with any external service provider who comes into contact with the personal data you have collected from your customers; this obliges each external provider to treat these data in accordance with the GDPR (DSGVO) as well.
Encryption: For web forms, logins, contact forms and shop orders, personal data must be transmitted with SSL/TLS encryption (https://).
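The simplest way to guarantee that form data, logins and orders never travel unencrypted is to refuse plain HTTP at the web server and redirect every request to HTTPS. The following nginx configuration is an added example, not a configuration from the original article or from the site it describes; the hostname, certificate paths and backend address are placeholders.

```nginx
# Added example: force TLS for a site that serves contact forms, logins and checkout.
# example.com, the certificate paths and the backend address are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # Redirect every plain-HTTP request to the HTTPS origin, keeping the path.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;           # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Instruct browsers to use HTTPS only for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder application backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading nginx, `curl -I http://example.com/contact` should answer with a 301 to the https:// URL, and the HTTPS response should carry the Strict-Transport-Security header; a form whose action still points at a plain http:// URL would be caught by this redirect rather than submitted in clear text.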
Documentation and accountability: As a website operator, you are obliged to keep records of all processing activities involving personal data and to provide them to the regulatory agencies on request.
Obligation to inform and report: As a website operator, you are generally obliged to provide information about stored personal data free of charge. In addition, you must report any loss of personal data to the supervisory bodies immediately in order to minimise or avoid fines. Non-compliance with the new data protection rules will also be fined.
Data protection officer: If your company has at least ten employees who are permanently involved in processing personal data, you must appoint a data protection officer who oversees all such operations and acts as liaison between the operator and the supervisory authority.
With these briefly summarised key regulations we would like to support you in their implementation, and we hope to have given you a good introduction and overview. For questions and suggestions we are always happy to help, and we wish you all the best and every success with your website! [Source: Kompac't 1/2018]
04/2018 – Our proposal regarding the DSGVO: Data minimisation comes first!
Instead, the behaviour of visitors to our website is analysed in completely anonymised form and exclusively in-house with the open source web analytics tool Piwik. In contrast to using Google Analytics, this means that the collected data are never transferred to or used by any third party. In this way we can also guarantee that all data are stored exclusively on servers in Germany and never transferred to any country with possibly questionable data protection regulations.
12/2017 – 2018 will be all about IT security and the implementation of the EU GDPR
According to the latest report "IT security and privacy 2017" of the National Initiative for Information and Internet Security (‘Nationale Initiative für Informations- und Internet-Sicherheit e.V.’, NIFIS), protecting and securing data is and will remain the most important issue for the German economy, and sensitivity to the topic will continue to grow. For the report, 100 executives and specialists from the IT industry were interviewed and the results evaluated.
Multiple answers were possible when assessing future trends. 95 percent of the respondents believe that increasing awareness will shape 2018; 94 percent see protection against hacker attacks as trend-setting; and according to 92 percent, the implementation of the EU General Data Protection Regulation (GDPR) will determine the coming year.
Many of the data protection principles and concepts of the GDPR largely correspond to the previously applicable EU Data Protection Directive 95/46/EC, whose rules were implemented in Germany by the Federal Data Protection Act (‘Bundesdatenschutzgesetz’, BDSG). The provisions of the BDSG applying to companies are largely superseded by those of the GDPR.
Since the new provision is an EU regulation, it is directly applicable in all Member States and does not have to be transposed into national law. The GDPR entered into force on 25 May 2016 and, after a two-year transitional period, applies to everyone as of 25 May 2018. As a result, developers, programmers and above all software architects will have to rethink security and privacy by design.
[Sources: http://www.nifis.de/uploads/media/NIFIS-PI1612AD-Trends-2017-Datenschutz.pdf, https://www.finanzen.net/nachricht/aktien/trendstudie-2018-steht-ganz-im-zeichen-der-it-sicherheit-5790188, http://www.nifis.de/veroeffentlichungen/news/article/studie-ausg/ – further information: https://dsgvo-gesetz.de/]