Category: DSGVO

GDPR-compliant conference solutions

Conferencing solutions have become an integral part of today's working world. They enable location-independent meetings with voice, video and document sharing. However, not every provider meets data protection requirements.

Given the large number of providers, user-friendliness and data security are the decisive criteria; installation effort and costs also vary significantly between providers. Even if a cloud-based video conference initially appears compliant, it should always be borne in mind that the service provider has complete control over the data. The GDPR applies by law to all processing and storage of personal data. Although providers encrypt the data in transit over the internet, it is decrypted on the provider's servers, i.e. in the cloud. The provider must comply with the GDPR, but the user has no way to verify this and has to rely on trusting the provider. Since that trust is hard to justify from a data protection perspective, a secure alternative should be sought.

Conference solutions at b.r.m.

The Bremen-based company b.r.m. IT & Aerospace offers its customers GDPR-compliant conference solutions through its Green IT-certified data center. The data is stored at b.r.m.; unlike with conventional providers, it is not decrypted on cloud servers in the USA but on b.r.m.'s servers in Bremen. The use of Zoom, for example, is therefore GDPR-compliant, as Zoom no longer has control over the data. Several privacy principles as well as technical and organizational measures (TOM) ensure that the data of the conference solution is protected in the long term and handled in compliance with the GDPR.

The GDPR applies to all personal data processed on the internet, so every provider is required to comply with it. Violations can be punished with fines of up to 20 million euros or, if higher, up to four percent of global annual turnover (Art. 83 GDPR). We offer you the solution to this issue: the advice and support provided by b.r.m. includes security analyses and risk assessments of your data flows. If you have any questions about our GDPR-compliant conference solution, you can contact our data protection expert Harald Rossol at any time.

A "safe" day at b.r.m. IT & Aerospace GmbH

Today, b.r.m.'s team of 5 GDPR experts came together. Under the leadership of Mr. Harald Rossol, Mr. Markus Rossol and Mr. Marius Ammermann, b.r.m. received the DIN SPEC 27076 certificate today.

The certificate was presented by the external security experts Mr. Thorsten Brendel and Mr. Daniel Köster.

But this is only the beginning of the safe path...

The timetable for the upcoming ISO 27001 audit and certification was also defined today. The project is expected to take very little time.

This can be attributed to the very good certifications, guidelines, management systems and asset inventories already in place at b.r.m. The imminent turn of the year at b.r.m. is "standardized".

Mail encryption

There is a general security risk on the Internet: data is transmitted in plaintext unless encryption is explicitly applied, so an email can in principle be read by anyone who can observe the connection or the servers it passes through. To ensure that emails can only be received and read by authorized persons, there are various security mechanisms for encrypting them. This also fulfills requirements of the General Data Protection Regulation, which names encryption as an appropriate protective measure (Art. 32 GDPR).

End-to-end encryption

End-to-end encryption provides a high level of security in data transfer. Before an email is sent, it is encrypted by the sender, remains encrypted across all transmission stations and is only decrypted again by the recipient. The intermediate mail servers forward nothing but ciphertext and cannot read the content. One caveat a practitioner should know: with the common standards (S/MIME, OpenPGP) the message body and attachments are encrypted, but the routing headers, i.e. sender, recipient and usually the subject line, remain visible to every server on the path. Combined with a digital signature, end-to-end encryption ensures the confidentiality of the content as well as its authenticity and integrity.

The mechanism behind this is public-key cryptography, which works with two keys per user: a private key that only the owner holds and a public key that may be distributed freely. For encryption, anyone can encrypt a message with the recipient's public key, and only the owner of the matching private key can decrypt it; the public key can only encrypt, never decrypt. For digital signatures the roles are reversed: the sender signs with their private key and everyone can verify the signature with the sender's public key, which proves who sent the message and that it was not altered. This is called asymmetric encryption. It is considerably slower than symmetric encryption, in which sender and recipient share one secret key, so in practice the two are combined: the message itself is encrypted with a random symmetric session key, and only that short session key is encrypted asymmetrically for the recipient. This hybrid scheme is how S/MIME and OpenPGP actually work.
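The following Go program illustrates the two preceding paragraphs end to end. It is an example added for this page, not code from b.r.m. or from any mail product, and it uses RSA-OAEP, AES-256-GCM and Ed25519 from Go's standard library as stand-ins for the mechanics of S/MIME or OpenPGP: the sender signs the body with their private key, encrypts signature and body under a fresh session key, and wraps that session key with the recipient's public key. The headers stay in the clear, exactly as the intermediate servers would see them, but are bound into the ciphertext so a relay cannot re-address the mail unnoticed. Names, addresses and the message body are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what every relay on the path sees: routing headers in the clear
// (as with real SMTP headers), everything else as ciphertext. Constructed for this example.
type Envelope struct {
	From, To, Subject string
	WrappedKey        []byte // random AES-256 session key, RSA-OAEP-encrypted to the recipient
	Nonce, Ciphertext []byte // AES-256-GCM over signature||body; headers are bound as AAD
}

type Mailbox struct {
	decKey  *rsa.PrivateKey    // only this key can unwrap session keys sent to the owner
	signKey ed25519.PrivateKey // only this key can sign as the owner
}

func NewMailbox() (*Mailbox, error) {
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	return &Mailbox{decKey: rk, signKey: sk}, err
}

func (m *Mailbox) EncPub() *rsa.PublicKey    { return &m.decKey.PublicKey }                   // anyone may encrypt to this
func (m *Mailbox) SigPub() ed25519.PublicKey { return m.signKey.Public().(ed25519.PublicKey) } // anyone may verify with this

func headerAAD(e *Envelope) []byte { return []byte(e.From + "\x00" + e.To + "\x00" + e.Subject) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs the body with the sender's private key, encrypts signature+body under
// a fresh symmetric key, and wraps that key with the recipient's public key.
func (m *Mailbox) Seal(from, to, subject string, body []byte, rcpt *rsa.PublicKey) (*Envelope, error) {
	e := &Envelope{From: from, To: to, Subject: subject}
	buf := make([]byte, 32+12) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(m.signKey, body)
	e.Nonce = nonce
	e.Ciphertext = gcm.Seal(nil, nonce, append(sig, body...), headerAAD(e))
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, rcpt, sessionKey, nil); err != nil {
		return nil, err
	}
	return e, nil
}

// Open unwraps the session key with the recipient's private key, decrypts, and
// verifies the sender's signature. A relay holding only its own keys fails at step one.
func (m *Mailbox) Open(e *Envelope, senderSig ed25519.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, m.decKey, e.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not addressed to this key: session key cannot be unwrapped")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, headerAAD(e))
	if err != nil || len(plain) < ed25519.SignatureSize {
		return nil, errors.New("ciphertext or headers were modified in transit")
	}
	sig, body := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(senderSig, body, sig) {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return body, nil
}

func main() {
	alice, _ := NewMailbox()
	bob, _ := NewMailbox()
	env, _ := alice.Seal("alice@example.org", "bob@example.org", "Quarterly figures", []byte("constructed sample body"), bob.EncPub())
	body, err := bob.Open(env, alice.SigPub())
	fmt.Printf("relays see header %q plus %d ciphertext bytes; Bob reads %q (err=%v)\n", env.Subject, len(env.Ciphertext), body, err)
}
```

Three failure modes are worth trying against this code: a third mailbox standing in for a relay cannot unwrap the session key, changing the `To` header after sealing makes decryption fail because the headers are authenticated, and verifying with the wrong sender key rejects the message even though it decrypts. Real S/MIME and OpenPGP differ in packaging and key management, but the order of operations is the same.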

Mail encryption for servers

Encryption is also an established standard between email servers, implemented with transport protocols such as Transport Layer Security (TLS), the same protocol that web browsers such as Firefox and web servers use for HTTPS. An encrypted connection to a web server is recognizable by the https:// scheme (Hypertext Transfer Protocol Secure) and the small lock in the browser's address bar. For mail, different ports are conventionally assigned to unencrypted and encrypted communication. Port 25 is used for server-to-server delivery with the Simple Mail Transfer Protocol (SMTP) and starts out unencrypted; the connection can be upgraded with the STARTTLS command, but only if both servers support it and neither side is tricked into skipping the upgrade. Port 587 (message submission by mail clients) likewise uses STARTTLS, while port 465 carries SMTP over implicit TLS from the first byte, often referred to as SMTPS. The caveat: TLS protects each hop between two servers, and the mail is decrypted on every server along the way. That is exactly the gap end-to-end encryption closes.

Email encryption is an important topic, as the European General Data Protection Regulation (GDPR) expressly names encryption as an appropriate protective measure (Art. 32 GDPR). The GDPR is fully integrated into the IT services of the Bremen-based company b.r.m. IT & Aerospace. If you have any questions about sending and encrypting emails, please contact us.

Microsoft Teams security vulnerability

The Microsoft Teams platform is used by many companies for video conferences and chat, and confidential documents are often exchanged through it. Researchers have now discovered a security vulnerability in Microsoft Teams.

After installation, many companies leave Microsoft Teams in its default configuration and rely on Microsoft's built-in safeguards. That default configuration allows members of the organization to communicate with external users, i.e. accounts from other Microsoft 365 tenants. This creates a basic phishing risk: attackers try to obtain confidential information from a team member or the company, for example through a form. Staff are often trained for precisely these cases and recognize the danger from the dubious or conspicuous links in emails. In addition, Teams warns of messages from external senders and restricts what those senders can do.

Where is the security gap?

A team of researchers from the British security company Jumpsec found a way to circumvent this restriction in the default configuration of Teams. The researchers changed the recipient ID in the POST request that sends a message from an external tenant. As a result, a message carrying a malicious file is treated as if it came from an authorized member of the organization and is not stopped by the Teams control that is meant to block files from outside. Such a phishing attack is harder for trained staff to spot and can introduce malware, which in turn endangers every team member of the company. Unauthorized persons can gain access to sensitive data this way, and the gap poses a massive threat to GDPR compliance. Companies that do not need to communicate with external tenants should disable external access in the Teams admin center or restrict it to an allowlist of trusted domains.

At the Bremen-based company b.r.m. IT & Aerospace, GDPR compliance is underpinned by a certified data center. Our technical and organizational measures (TOM) as well as security analyses and risk assessments improve your company's IT security. The efficient consulting and support of our customers has earned b.r.m. several awards in IT security and even in the environmental field, as the b.r.m. data center is not only GDPR certified but also Green IT certified. If you are interested, you are welcome to contact the Managing Director of b.r.m., Harald Rossol.

Some things clear - and many things unclear in Europe: The GDPR - continued

The first draft of the regulation dates back to 2012; the General Data Protection Regulation (GDPR) was adopted in April 2016, entered into force on May 24, 2016 and has applied directly in all member states since May 25, 2018. The intention of the regulation is to put data protection on a uniform footing across Europe and to prevent individual member states from undermining the standard.

The main new feature for users of online services is their 'right to be forgotten' (Art. 17 GDPR). They now have the right to obtain information about the personal data stored about them and can request deletion if the data is no longer needed for its original purpose, was processed unlawfully or the consent it rested on has been withdrawn. Furthermore, all data must now be 'portable' (Art. 20 GDPR): upon request, the customer of a service can ask for their data to be handed over in a structured, commonly used and machine-readable format so that they can transfer it to another provider. In general, two principles apply to all data processing operations on the Internet as well as in companies: 'Privacy by Design' and 'Privacy by Default'. Privacy protection must be taken into account when a data processing operation is set up, and the default settings must be chosen so that they protect privacy.

If you cooperate with an external service provider for data processing, you can rest assured that b.r.m. does not violate the new regulation when processing data on your behalf as a processor (Auftragsverarbeitung, AV, Art. 28 GDPR). The aforementioned privacy principles are strictly adhered to at all times. We have long since implemented the 'record of processing activities' required by the GDPR (Art. 30), and all processing activities are fully documented. We are therefore your competent partner for all questions relating to the GDPR, not least because Harald Rossol, the Managing Director of b.r.m., also works as a recognized data protection officer. He is assisted by Senior Consultant Rainer Dedermann, so b.r.m. always has sufficient 'manpower'.

Advice and support in all matters relating to the new European General Data Protection Regulation (GDPR) for Bremen and the surrounding area runs completely smoothly with us at your side - from the technical and organizational measures (TOM) to the risk assessment and the directory of processing activities.

Incidentally, anyone who processes personal data online is affected by the GDPR, from small bloggers to global giants such as Facebook or Google. All characteristics such as name, gender, skin color, political views and sexual orientation, but also car license plates or clothing sizes, are considered 'personal'. As soon as data is collected, stored, modified, read or transmitted, this is considered 'processing'. In future, anyone operating a website must inform every visitor about what data they collect and store and for what purpose. Only the judiciary and law enforcement are exempt from this. Compliance with the GDPR will be monitored by the data protection authorities. The main establishment of an operator or company is decisive for jurisdiction.

Also not insignificant: in future, online data protection declarations must be 'generally understandable', i.e. they must not contain any 'legalese', which of course opens up a wide scope for interpretation. Another new feature is 'self-disclosure under data protection law': every company must provide a citizen with information within one month about what information about them is stored there, for what purpose and for how long.

The boundary between 'private' and 'commercial' is now more clearly defined. For example, if I post pictures of my vegetable garden, this remains uncritical. However, if I sell the garden swing shown in the pictures, the website will in future fall under the General Data Protection Regulation. This also applies to 'affiliate offers', i.e. where the operator of a website links to another provider for a commission. Such plug-ins, whether under WordPress or Firefox, should be switched off by private operators until there is legal clarity.

In any case, it is essential to adapt the privacy policy and the general terms and conditions on every website, otherwise you are just opening the door to lawyers who make a business of sending cease-and-desist letters. If in doubt, simply ask our company data protection officers Harald Rossol and Rainer Dedermann.

The threat of financial penalties for infringements in particular caused a lot of concern. While the maximum fine under the old German law was 300,000 euros, it can now be up to 20 million euros depending on the severity of the breach (Art. 83 GDPR). An additional rule, which is primarily aimed at the tech giants, sets the ceiling at four percent of global annual turnover where that is higher, and ultimately also allows access to private assets.


In the event of a personal data breach, the competent data protection authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR), unless the breach is unlikely to result in a risk for the data subjects. In any case, involve your data protection officer. The data subjects themselves must also be notified if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR). A high risk exists, for example, if data from the "special categories" (Art. 9 GDPR), e.g. health data or political views, fall into unauthorized hands.

Of course, the GDPR still leaves some questions unanswered: What, for example, are 'legitimate interests' (Art. 6 para. 1 lit. f) GDPR) of a company? The regulation contains an abundance of such vague formulations, which must first be clarified by court decisions. The recitals provide guidance. National data protection law also had to be adapted to the GDPR by means of a new Federal Data Protection Act. On the other hand, there is now no way of escaping this regulation, for example by moving overseas. The framework is the same for everyone. The regulation applies to anyone who wants to collect or analyze data within the EU, regardless of its origin - so it also applies to Google or Facebook.

The Federal Data Protection Act (BDSG) supplements the GDPR with a number of so-called 'opening clauses'. This is the case, for example, in Section 26 BDSG, which deals with data processing for the purposes of the employment relationship. Here, the legislator has laid down more specific provisions.

If you have any questions about the new GDPR and a legally compliant IT service in the Hanseatic City of Bremen and the surrounding area, simply contact us. You are welcome to contact our data protection officers Harald Rossol and Rainer Dedermann directly.

Everything under control?

The technical-organizational measures (TOMs)

The GDPR now makes a whole series of technical and organizational measures (TOMs) mandatory for every controller and processor of digital services. Not all of them are new; many are provisions that already existed in national data protection laws. As a rule, these are control measures that must also be documented and, where appropriate, certified. Here are the ten most important TOMs now reflected in the GDPR requirements (the German terms are given because the law distinguishes several kinds of 'access'):

1. Physical access control (Zutrittskontrolle): Unauthorized persons must be kept away from all facilities used for data processing.

2. Data access control (Zugriffskontrolle): It must be ensured that employees can only access the data their authorization covers.

3. Data carrier control: It must be ensured that data carriers cannot be read, copied, changed or deleted without authorization.

4. Transport control: Personal data must remain confidential and intact during transmission and during the transport of data carriers.

5. Storage control: The provider must ensure that no data can be entered, changed or deleted without authorization.

6. User control: Use of automated processing systems by unauthorized persons must be prevented.

7. Transfer control: For all personal data, it must be ensured that it is only made available to those bodies that are authorized to receive it.

8. Input control: It must be possible to determine retrospectively which user entered or changed which data, and when.

9. Processor control (Auftragskontrolle): It must be ensured that data processed on behalf of a client is only processed in accordance with the client's instructions.

10. Availability control: Personal data must be protected against accidental destruction or loss.

In addition, there are some technical and organizational conditions that relate to the systemic properties of the devices used:

1. recoverability: In the event of a technical failure, it must be possible to reconstruct the data without errors.

2. reliability: All functions of a data processing system must always be available without interruption; any malfunctions that occur must be reported.

3. integrity: It must be ensured that data cannot be altered or damaged by technical malfunctions.

4. separability: The provider must ensure that data collected for different purposes can also be processed separately.

The certified data protection officers at b.r.m. will be happy to assist you with the implementation of the newly required technical and organizational measures (TOMs):

Rainer Dedermann & Harald Rossol

Privacy by design

The two terms 'Privacy by Design' and 'Privacy by Default' are older than the new General Data Protection Regulation (GDPR). However, the law has given them a whole new meaning (Art. 25 GDPR).

'Privacy by design' means that the technical structure of a data processing system must be designed in such a way that data protection is already automatically integrated into the system. In other words, data protection must be a system property. This is done through the 'Technical and Organizational Measures' (TOM) when installing the computers and implementing their programs. This is the manufacturer's turn.

Specifically, however, the GDPR names only one measure explicitly in Art. 25 (1): pseudonymization, which is defined in Art. 4 No. 5. On all other points the GDPR remains extremely 'vague':
"...measures may include minimizing the processing of personal data, pseudonymizing personal data as quickly as possible, providing transparency regarding the functions and processing of personal data, enabling the data subject to monitor the processing of personal data and enabling the controller to create and improve security functions ..." (Recital 78).

'As quickly as possible', 'create transparency', 'minimize', 'enable' - all phrases that have so far created little more than a wide scope for interpretation.
In short, the rule of 'privacy by design' does not allow for a standardized answer; it depends on the respective data protection requirements. However, it is clear that the possible requirements of the GDPR must be taken into account when setting up a data processing system and when selecting and implementing the technology and software used.

Ask b.r.m. in Bremen. In addition to our resources in data protection through Harald Rossol and Rainer Dedermann, we also have extensive expertise in IT.

Privacy by default

Where 'privacy by design' refers more to the technical structure of a data processing system, 'privacy by default' focuses on its configuration, the 'default settings'. The General Data Protection Regulation (GDPR) requires privacy-friendly default settings: out of the box, only the personal data necessary for the specific purpose may be processed (Art. 25 (2)). 'Privacy by default' is meant above all to protect users who are not very tech-savvy.

The reason for this regulation was the 'privacy paradox': on the one hand, users have a need for comprehensive protection of personal data. On the other hand, many users are unable or unwilling to adjust the technical settings of a system accordingly. The provider side is now obliged by the GDPR to initially guarantee this protection on its part.

There are limits, of course: The GDPR speaks nebulously of the state of the art, implementation costs, the scope, circumstances and purpose of the processing. In any case, it is clear from the use of the plural in the word 'measures' alone that a single action is usually not sufficient here. A whole bundle of 'measures' is necessary in almost every case.

Incidentally, Article 25 (3) GDPR gives every provider the opportunity to be certified. Certification within the meaning of Art. 42 GDPR creates legal certainty here - for example through the certified external data protection officer Harald Rossol at b.r.m. in Bremen.
If you have any questions, simply contact us at ...

Personal data

What exactly is personal data anyway? Anyone who has been following the General Data Protection Regulation in the media or who has received the 101st newsletter with the new data protection information is bound to have asked themselves this question.

According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person, the so-called "data subject". A person is identifiable if they can be identified directly or indirectly, for example by reference to an identifier such as a name, an identification number, location data or an online identifier.

This really means all data that can be assigned to a natural person in any respect. The term "personal" not only refers to the name, date of birth or address, but also the IP address, the license plate number and even the dress size.

Personal data revealing...

  • racial or ethnic origin,
  • political opinions or trade union membership,
  • religious or philosophical beliefs,
  • health, sex life or sexual orientation, and
  • genetic and biometric data

...belong to the "special categories" and enjoy special protection under Art. 9 (1) GDPR. Data on criminal convictions and offences is governed separately by Art. 10 GDPR.

Stricter protective measures should be implemented when processing personal data from these "special categories". Does your company in Bremen or the surrounding area process sensitive data? No? You are probably mistaken, as the mere fact that religion is listed in the personnel file constitutes sensitive data.

If you have any further questions, please do not hesitate to contact our data protection team...

Data protection officer: supervisory function without instructions

b.r.m. offers companies the services of an external company data protection officer.

In Germany, the tasks and activities of an internal or external data protection officer are governed by Articles 38 and 39 of the General Data Protection Regulation (GDPR) and Sections 6 and 7 of the Federal Data Protection Act (BDSG new). There are also state regulations. The data protection officer is responsible for monitoring compliance with the GDPR, the BDSG and other laws (Telemedia Act (TMG) or Telecommunications Act (TKG)). The data protection officer always acts independently and without instructions.

All companies and associations that are not public bodies must appoint a data protection officer as soon as at least ten people (raised to twenty by the 2019 amendment of Sec. 38 BDSG) are permanently involved in the automated processing of personal data, or as soon as the organization processes personal data on a commercial basis for the purpose of transmission, anonymized transmission, or market or opinion research. 'Automated' is any processing that uses electronic data processing equipment (e.g. PCs) for business purposes. A data protection officer must also be appointed if a data protection impact assessment has to be carried out. The data protection officer is either appointed 'internally' from the organization or 'externally', and in both cases the contact details must be published and communicated to the competent supervisory authority (Art. 37 (7) GDPR). The GDPR sets no grace period for this, so the appointment should be reported as soon as possible in order to avoid possible penalties.

Not just anyone can become a data protection officer. He or she must fulfill three main criteria:

1. professional qualification and expertise in the field of data protection law

2. expertise in the field of data protection practice

3. ability to perform the tasks specified in Art. 39 GDPR.

Of course, a data protection officer should also be able to maintain discretion and have a certain talent for conflict resolution and organization.

Anyone who cannot fill the role of data protection officer 'from on-board resources' is welcome to draw on our experience 'externally' from b.r.m. If you have any questions, please contact our company data protection officers Harald Rossol and Senior Consultant Rainer Dedermann.