With Harald Rossol or Thorsten Brendel from b.r.m. in the Hanseatic City of Bremen as your company data protection officer, you are in safe hands.
The European General Data Protection Regulation (GDPR) from 2018 initially aroused fears among many companies and internet users. With a good IT service as a companion, such as that of b.r.m., these fears proved to be unfounded, at least in the greater Bremen area.
For a long time, the new European General Data Protection Regulation (GDPR) was not on the radar of many companies and internet users. The first draft dates back to 2012, the new paragraphs were adopted in April 2016, and the GDPR now comes into force on May 25, 2018. A lot of time has passed since then. The aim of the regulation is to create a uniform basis for data protection across Europe; it is intended to effectively prevent the undermining of standards by individual member states.
A new feature for users of online services is their 'right to be forgotten'. They will be able to obtain information about their personal data and can request its deletion if the storage period has expired or the storage is unnecessary or unlawful. Furthermore, all data must be 'portable' from now on: on request, the customer of a service can ask for their data to be handed over in a structured form so that they can pass it on to another provider. In general, two principles apply to all data processing operations on the Internet and in companies: privacy by design and privacy by default. The protection of privacy must already be taken into account when a data processing operation is set up, and the default settings must be configured to protect privacy.
Anyone who works with an external service provider for data processing can rest assured that b.r.m. does not violate the new regulation when processing data on their behalf, and that the aforementioned privacy principles are adhered to. We have long since implemented the 'record of processing activities' required by the GDPR. Furthermore, all processing activities are fully documented. We are therefore your competent partner for all questions relating to the GDPR, not least because Harald Rossol, our Managing Director, is also a recognized data protection officer. Advice and support in all matters relating to the new European General Data Protection Regulation (GDPR) are therefore in the best hands with us - from technical and organizational measures (TOM) to security analysis and the register of processing activities through to risk assessment.
Incidentally, anyone who processes personal data online is affected by the GDPR, from small bloggers to global giants such as Facebook. All characteristics such as name, gender, skin color and political views, but also car license plates or clothing sizes, are considered 'personal'. As soon as data is collected, stored, modified, read or transmitted, this is considered 'processing'. In future, anyone operating a website must inform every visitor about what data they collect and store and for what purpose. Only the judiciary and law enforcement are exempt from this. Compliance with the GDPR will be monitored by the data protection authorities; the main establishment of an operator or company determines which authority has jurisdiction.
Initially, little will change for operators of small websites, because the GDPR is in many respects similar to the previously applicable data protection laws. In most cases, it will be sufficient to adapt the privacy policy and the general terms and conditions (GTC). Above all, online privacy policies should be 'generally understandable' in future, which of course opens up a wide scope for interpretation. Another new feature is the right of access under data protection law: every company must, within one month, inform a citizen about what information about them is stored there, for what purpose and for how long.
However, the boundary between 'private' and 'commercial' is becoming clearer. If I post pictures of my garden at home, this remains uncritical. But if I sell the garden furniture shown there, for example, then the website will fall under the GDPR in future. This also applies to 'affiliate offers', i.e. where the operator of a website links to another provider. Private operators would be well advised to remove such plug-ins, whether under WordPress or Firefox, until there is legal clarity.
In any case, it is essential to adapt the privacy policy and the terms and conditions on every website; otherwise you are simply opening the door to 'warning lawyers' (Abmahnanwälte). There is a wealth of legally compliant text templates available online.
The threat of financial penalties for violations caused a lot of alarm. While the maximum fine was previously 300,000 euros, it can now be up to 20 million euros, depending on the severity of the infringement (Art. 83). An additional rule, aimed primarily at the tech giants, also makes possible a fine of up to four percent of global turnover and, ultimately, access to private assets.
However, the first consequence of the GDPR is likely to be ongoing legal uncertainty. What, for example, are a company's 'legitimate interests'? The regulation contains an abundance of such vague formulations, which will only be clarified by court decisions, presumably after years of proceedings before the European Court of Justice. National data protection law also had to be adapted to the GDPR by means of a new Federal Data Protection Act. On the other hand, there is no longer an escape route from this regulation, for example overseas: the regulation applies to anyone who wants to collect or analyze data within the EU, so it also applies to Google or Facebook.
If you have any questions about the new GDPR and IT service in Bremen, simply contact us ...