GDPR: Business cards for the visit
A familiar picture: at the end of a customer meeting, the partners exchange business cards. Both later enter the data on the cards into their respective customer databases, and in doing so they have already violated the new General Data Protection Regulation (GDPR) several times, at least if you take the wording of the law at its word. This is because the GDPR is primarily intended to create 'more data transparency'. Each partner would therefore have to be informed immediately about which personal data from the business card is processed and how, and which rights of objection they have in the course of that processing.
How these information obligations are to be fulfilled is described in particular in Articles 13 and 14 of the GDPR. These articles also state that the information must be provided immediately. So if two people hand each other their business cards, for example at a trade fair, both would have to inform each other about how they handle the data, in accordance with Art. 13 GDPR. A short sentence is by no means sufficient for this; the required data protection information would barely fit on an A4 page. In reality, compliance with the GDPR would therefore be more like a slapstick act, with both parties 'texting' each other for pages on end. It would also be far removed from reality to hand the other person a sheet of data protection information along with the business card, combined with a request to confirm it in writing, especially as this would pose a problem in terms of subsequent verifiability.
In view of the impracticability of the GDPR, politicians are already fiddling around, and not just on this point. A spokesperson for the Berlin supervisory authority said that the mere "receipt of the business card does not in itself trigger an obligation to provide information". This 'duty to inform' would only arise in cases where the data contained on the card is stored. Although this would make things easier, it would still contradict the reason business cards are exchanged in the first place: companies store the data from the business cards they receive in their customer data management program so that they can expand their partner network in the business interests of both sides. Quite apart from this, the supervisory authority also fails to state the legal basis on which it arrived at its unusual opinion, and the statement by the above-mentioned spokesperson contradicts the wording of the regulation. In other words, the GDPR is still in conflict with reality in many respects.
Bitkom Managing Director Dehmel recommends providing every person who has handed over a business card with the mandatory information under Art. 13 GDPR promptly afterwards, in order to offer them the opportunity to object to the data processing at a later date. Such a solution would still contradict the direct wording of the law, but at least it seems more 'practicable'. What the GDPR lacks above all, however, are concrete and legally certain statements and assistance from the supervisory authorities. The GDPR urgently needs practical 'implementing provisions'.