The GDPR: How to comply with the law - and without pitfalls

With Harald Rossol or Thorsten Brendel from b.r.m. in the Hanseatic City of Bremen as your company data protection officer, you are in safe hands.

The European General Data Protection Regulation (GDPR) from 2018 initially aroused fears among many companies and internet users. With a good IT service as a companion, such as that of b.r.m., these fears proved to be unfounded, at least in the greater Bremen area.

Some things clear - and many things unclear in Europe: the GDPR

For a long time, the new European General Data Protection Regulation (GDPR) was not on the radar of many companies and internet users. The first draft dates back to 2012, the final text was adopted in April 2016, and the GDPR applies from May 25, 2018. A lot of time has passed since that first draft. The aim of the regulation is to create a uniform basis for data protection across Europe and to prevent individual member states from undercutting that standard.

New for users of online services is the 'right to be forgotten' (the right to erasure, Art. 17 GDPR). They can obtain information about the personal data held on them and can demand its deletion if the retention period has expired, the data is no longer needed for its purpose, or the processing was unlawful. In addition, all data must now be 'portable' (Art. 20 GDPR): on request, the customer of a service can have their data handed over in a structured, commonly used and machine-readable format so that they can pass it on to another provider. Two principles apply to every data processing operation, on the Internet and within companies alike: privacy by design and privacy by default (Art. 25 GDPR). The protection of privacy must be built in when a data processing operation is set up, and the default settings must be the privacy-friendly ones.

Anyone who uses an external service provider for data processing can rest assured with b.r.m. that we do not violate the new regulation when processing data on your behalf, and that the privacy principles mentioned above are adhered to. We implemented the 'record of processing activities' required by the GDPR (Art. 30) long ago, and all processing activities are fully documented. We are therefore your competent partner for all questions relating to the GDPR, not least because Harald Rossol, our Managing Director, is also a recognized data protection officer. Advice and support on all matters relating to the new European General Data Protection Regulation (GDPR) are therefore in the best hands with us: from technical and organizational measures (TOM) and security analysis to the record of processing activities and risk assessment.

Incidentally, anyone who processes personal data online is affected by the GDPR, from small bloggers to global giants such as Facebook. 'Personal data' means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR): name, gender or political views, but also a car license plate or a clothing size, as long as it can be linked to a person. Some of these, such as skin color (as an indicator of ethnic origin) or political views, are 'special categories' of data (Art. 9 GDPR) and are subject to stricter rules. As soon as data is collected, stored, modified, read or transmitted, this counts as 'processing'. In future, anyone operating a website must inform every visitor about what data they collect and store, and for what purpose. Processing for purely personal or household activities is outside the scope of the regulation, and processing by the judiciary and criminal law enforcement authorities is governed by a separate EU directive rather than by the GDPR. Compliance with the GDPR is monitored by the data protection authorities; the main establishment of an operator or company determines which authority is responsible.

Initially, little will change for operators of small websites, because in many respects the GDPR resembles the data protection laws that applied before. In most cases it will be sufficient to adapt the privacy policy and the general terms and conditions (GTC). Above all, online privacy policies must in future be 'generally understandable', which of course leaves wide room for interpretation. Another new feature is the right of access (Art. 15 GDPR): every company must, within one month of a request, inform a citizen what information about them is stored, for what purpose and for how long.

The boundary between 'private' and 'commercial', however, is becoming sharper. If I post pictures of my garden at home, that remains uncritical. If I sell the garden furniture shown in those pictures, however, the website falls under the GDPR. The same applies to 'affiliate offers', i.e. where the operator of a website links to another provider for a commission. Until there is legal clarity, private operators would do better to remove such plug-ins, whether in WordPress or Firefox.

In any case, it is essential to adapt the privacy policy and the terms and conditions on every website; otherwise you are opening the door to 'warning lawyers' (law firms that make a business of sending paid cease-and-desist letters). A wealth of legally compliant text templates is available online.

The threat of fines for violations caused a lot of alarm. While the maximum fine under the old German law was 300,000 euros, it can now reach up to 20 million euros or, for companies, up to four percent of the previous year's worldwide annual turnover, whichever is higher (Art. 83(5) GDPR); the amount depends on the severity of the infringement. The turnover rule is primarily aimed at the tech giants. Ultimately, enforcement can also reach private assets.

However, the first consequence of the GDPR is likely to be lasting legal uncertainty. What, for example, are a company's 'legitimate interests' (Art. 6(1)(f) GDPR)? The regulation contains an abundance of such vague formulations that will only be clarified by court decisions, presumably after years of proceedings before the European Court of Justice. National data protection law also had to be adapted to the GDPR by means of a new Federal Data Protection Act. On the other hand, there is no longer an escape route from this regulation, for example by moving overseas: it applies to anyone who offers goods or services to people in the EU or monitors their behaviour, regardless of where the company is based (Art. 3(2) GDPR), so it applies to Google or Facebook too.

If you have any questions about the new GDPR and IT service in Bremen, simply contact us ...

Data protection officer: supervisory function without instructions

b.r.m. offers companies the services of an external company data protection officer. In Germany, the tasks and activities of an internal or external data protection officer are governed by Articles 38 and 39 of the General Data Protection Regulation (GDPR) and Sections 6 and 7 of the...

Personal data

What exactly is personal data anyway? This question has certainly been asked by everyone who has followed the topic of the General Data Protection Regulation in the media or received the 101st newsletter with the new data protection information. According to Art. 4 No. 1 GDPR,...

Privacy by default

Where 'privacy by design' refers more to the technical structure of a data processing system, 'privacy by default' focuses on the configuration of the system, the 'default settings'. The General Data Protection Regulation (GDPR) requires that 'user-friendly'...

Privacy by design

The two terms 'privacy by design' and 'privacy by default' are older than the new General Data Protection Regulation (GDPR). However, the law has given them a whole new meaning (Art. 25 GDPR). 'Privacy by design' means that the technical structure of a...

Everything under control?

The technical and organizational measures (TOMs) The GDPR now makes a whole series of technical and organizational measures (TOMs) mandatory for every provider and processor of digital services. Not all of them are new; they are often also provisions on how...

Some things clear - and many things unclear in Europe: The GDPR - continued

The first draft of the regulation dates back to 2012; the new paragraphs were adopted in April 2016; the General Data Protection Regulation (GDPR) then came into force on May 25, 2018. The intention of the regulation is to...

Microsoft Teams security vulnerability

The Microsoft Teams platform is used by many companies for video conferences or other chats. Confidential documents are often exchanged in the process. However, researchers have now discovered that there is a security vulnerability at Microsoft. Microsoft Teams...

Mail encryption

There is a general security risk on the Internet: data in transit is not encrypted by default, and an email typically passes through several servers on its way to the recipient. To ensure that emails can only be received and read by authorized persons, there are various security mechanisms for encrypting emails. This...

A "safe" day at b.r.m. IT & Aerospace GmbH

Today, b.r.m.'s team of five GDPR experts came together. Under the leadership of Mr. Harald Rossol, Mr. Markus Rossol and Mr. Marius Ammermann, b.r.m. received the DIN SPEC 27076 certificate. ISO27001 certificate DIN SPEC 27076...