Anyone who operates a website should also be familiar with the General Data Protection Regulation and its essential provisions.
Since May 25th, 2018 the General Data Protection Regulation has been in force and is therefore legally binding in all EU countries. The regulation concerns the protection of personal data and the basic rules for handling it.
According to this, personal data must be:
– processed lawfully, in good faith and in a comprehensible manner,
– collected for specified, explicit and legitimate purposes,
– proportionate to the purpose, relevant and limited to what is necessary,
– accurate and, where necessary, kept up to date,
– stored only for as long as necessary, and
– processed in a way that ensures adequate security.
These principles set out the conditions under which personal data must be handled in future. The requirements have been extended to include a comprehensive internal documentation obligation, an obligation to inform the persons concerned, and the rights of the persons concerned.
Compared with previous national law, the fines for violations have increased enormously. For the particularly serious offences listed in Art. 83 (5) GDPR, for example, the fine framework extends up to 20 million euros or, in the case of a company, up to 4% of the total worldwide annual turnover of the previous year.
The GDPR applies:
– to companies or institutions established in the EU, or
– to EU-based consumers, or
– to businesses that collect data from consumers resident in the EU.
The amended provisions can be summarised in the following points.
Personal data includes all data that refers to a person or from which a reference to a person can be derived:
– name, address
– IP address
– email address
– tracking on websites
– contributions in social media
– physical, physiological or genetic information
– medical data
– bank details
– cultural identity
An email address counts only if it is a personal email address (e.g. email@example.com); a generic company email (e.g. firstname.lastname@example.org) does not fall under this criterion. Similarly, website tracking or integrated social media can be used to record movement data or similar data (e.g. GPS data) when someone visits a website, and to draw conclusions about that person.
When data is collected, the person concerned must be informed immediately, comprehensively and in simple, understandable language. The basis for this is the data protection policy, which should include the following:
– the legal basis on which the data will be collected
– what happens to the data
– duration of storage
– contact information of the company
– information on who is responsible for data protection, e.g. the data protection officer
– rights of the data subject: information, rectification, erasure, objection
– right to data disclosure and portability
Additional information on the website in the privacy protection policy:
– Data processing on the website (service provider, hoster)
– How to manage customer/order data
– Why are tracking, cookies or social media used?
– Integration of a newsletter or contact form
– Concluded order processing contract with the hoster
The information shall be provided immediately, and no later than within one month. The legal justification should explain to the user why a tracking mechanism, such as the integration of Facebook on the homepage or the embedding of a YouTube video, is used. A “legitimate interest” is one possible justification.
The lawfulness of data processing is set out in Art. 6 and 7 GDPR, which define the conditions under which personal data may be processed.
1) Personal permission, formal requirements of consent:
– separate and comprehensive
– voluntary (no prohibition of coupling)
– notice of revocation
2) Legal permission (GDPR)
– “legitimate interest” – Art. 6 para. 1f)
3) Required data (for contract fulfillment, taxes and accounting)
The use of the data obtained is initially subject to a prohibition with reservation of permission. This means that using the data is strictly prohibited unless consent has been given. Such consents are subject to certain formal requirements and are either regulated by law or necessary, for example, for the conclusion of a contract. Consent must be voluntary and must not be tied to any other condition, e.g. subscribing to a newsletter (prohibition of coupling).
Effective consent requires the following criteria according to Art. 7 GDPR:
– separate obtaining
– verbally, electronically, in writing
– reference to right of withdrawal
Consent may not be hidden in running text or in the general terms and conditions; it must be obtained explicitly, for example via a form with a signature or via a checkbox on the website within the form through which the data is transmitted. “Comprehensive” here means specifying how, which and for what purpose data are used. Consent is form-free; for reasons of proof, however, written form is advisable. In addition, the reference to the right of revocation is mandatory in connection with the consent.
The obligation to keep a register of processing activities (VVT) is defined in Art. 30 GDPR. It thus fulfils the required comprehensive documentation and transparency obligations. It also serves the data supervisory authorities for control purposes, in accordance with recital 82: “to prove compliance with this Regulation”. The criteria are:
– 250 or more employees or
– processing of special categories of data in accordance with Art. 9 para. 1 GDPR or
– the processing does not take place only occasionally.
Small entrepreneurs are excluded. Since the criterion of “not only occasional” processing is not defined further, it can be assumed that a register must be kept for regular processing. Legal sources therefore advise keeping a register for regular data processing even where the micro-entrepreneur exemption applies. Special categories of data include sensitive or risky data such as health data. Pursuant to Art. 30 para. 4 GDPR, the register must be submitted to the authorities on request. The company management, not the data protection officer, is responsible for maintaining the register of processing activities, since the management ultimately also decides on the processing of personal data as part of the company’s business activities.
Order processing (order data processing) covers outsourced work or services within which personal data is processed. Examples are:
– an agency that carries out advertising activities
– an external newsletter provider
– a web hosting agency
– external maintenance contracts (IT service providers)
In this case, the company must conclude an order processing contract (AVV) with the processor. The processor shall ensure that the transferred data is handled responsibly and securely, and is obliged to keep a record of the company’s instructions for this purpose in the form of a so-called Data Processing Register (AVVZ). Written form is not required for the AVV; it can also be concluded online.
The rights to information of the person concerned are set out in Art. 15 GDPR:
– which data are stored
– for what purposes
– the origin of the data, if not collected from the person directly
– to whom these were transmitted
– planned storage period
– notice of opposition and rectification
– automated decision-making, if applicable (profiling)
The form in which these rights are granted is not regulated. In practice, it is advisable to answer in the form in which the request was made: a request by email can be answered by email. The request should be processed as soon as possible, and at the latest 1 month after receipt. Where the request is sufficiently complex, this period can be extended by a further 2 months. The information must be provided free of charge; further copies or repeated requests may, however, be invoiced in accordance with Art. 12 para. 5 and Art. 15 (3) GDPR.
The criteria for when a data protection officer must be appointed are newly defined in § 38 BDSG, in addition to Art. 37 GDPR:
– if at least 10 persons are regularly engaged in the automated processing of personal data (§ 38 BDSG), or
– if the data are sensitive or risky data according to Art. 9 or Art. 10 GDPR (e.g. the health sector, online dating platforms, call centres).
Companies that process data in the categories listed in Art. 9 GDPR are additionally obliged to carry out a data protection impact assessment (DSFA) pursuant to Art. 35 GDPR. The data processing is subjected to a risk assessment, concluded with a statement by the DPO. Which processing activities are affected can be found in the so-called positive lists (mandatory lists) for the DSFA published by the respective state data protection officer.