
Personal data

What exactly is personal data anyway? Anyone who has been following the General Data Protection Regulation in the media or who has received the 101st newsletter with the new data protection information is bound to have asked themselves this question.

According to Art. 4 No. 1 GDPR, personal data is all information that can be clearly assigned either directly or indirectly (by means of assignment to an identifier) to a person, the so-called "data subject".

This really means all data that can be assigned to a natural person in any respect. The term "personal" refers not only to the name, date of birth or address, but also to the IP address, the license plate number and even the dress size.

Personal data relating to

  • racial or ethnic origin,
  • political opinions or trade union membership,
  • religious or ideological conviction,
  • health, sexual life and sexual orientation, and
  • genetic and biometric data as well as criminal data

enjoys special protection in accordance with Art. 9 (1) GDPR.

Stricter protective measures should be implemented when processing personal data from these "special categories". Does your company in Bremen or the surrounding area process sensitive data? No? You are probably mistaken, as the mere fact that religion is listed in the personnel file constitutes sensitive data.

If you have any further questions, please do not hesitate to contact our data protection team...

Data protection officer: supervisory function without instructions

b.r.m. offers companies the services of an external company data protection officer.

In Germany, the tasks and activities of an internal or external data protection officer are governed by Articles 38 and 39 of the General Data Protection Regulation (GDPR) and Sections 6 and 7 of the Federal Data Protection Act (BDSG new). There are also state regulations. The data protection officer is responsible for monitoring compliance with the GDPR, the BDSG and other laws (Telemedia Act (TMG) or Telecommunications Act (TKG)). The data protection officer always acts independently and without instructions.

All companies and associations that are not public bodies must appoint a data protection officer as soon as at least ten people are permanently involved in the automated processing of personal data or the bodies process personal data on a commercial basis for the purpose of transmission, anonymized transmission or for the purpose of market or opinion research. 'Automated' is any processing that uses electronic data processing equipment (e.g. PCs) for business purposes. A data protection officer should also be appointed if a data protection impact assessment needs to be carried out. The data protection officer either comes from within the organization ('internal') or is appointed from outside ('external'), and must be reported to the competent supervisory authority. Since the GDPR there are no longer any deadlines for this, so the data protection officer should be reported as soon as possible in order to avoid possible penalties.

Not just anyone can become a data protection officer. He or she must fulfill three main criteria:

1. professional qualification and expertise in the field of data protection law

2. expertise in the field of data protection practice

3. ability to perform the tasks specified in Art. 39 GDPR.

Of course, a data protection officer should also be able to maintain discretion and have a certain talent for conflict resolution and organization.

Anyone who is unable to fill the role of data protection officer from in-house resources is welcome to draw on us and our experience as an external data protection officer from b.r.m. If you have any questions, please contact our company data protection officers Harald Rossol and Senior Consultant Rainer Dedermann.