This is what you really need to know about the new GDPR

The numerous changes that the GDPR will bring with it from May 25, 2018 will affect every entrepreneur and website operator. There are extensive new regulations in almost all areas of data protection law. Some are relatively easy to implement, others are very complex.

Our GDPR special – which we make available to you as an agency partner in cooperation with eRecht24 – helps you to get an overview of the requirements of the GDPR and shows you how you can implement them quickly and easily for your website. We are happy to support you in the DSGVO-compliant implementation of your website. Just talk to us .

1. Introduction
From May 25, 2018, the GDPR regulates the handling of personal data by companies - uniformly throughout Europe. Many of the current regulations of the German Federal Data Protection Act (BDSG) will then no longer apply or the BDSG will be revised at the same time. The General Data Protection Regulation standardizes data protection law within the EU, as different data protection laws and therefore different standards have previously applied everywhere. Entrepreneurs can therefore rely on the fact that a (predominantly) uniform data protection law will apply within the EU in the future. However, the regulation also applies to companies based outside the EU if they process data from people from the EU. This is to ensure that cloud services or social networks (e.g. from the USA) also have to comply with the rules. The GDPR really affects EVERY company that is active on the Internet: user tracking, customer data, newsletters or advertising emails, advertising on Facebook, your own data protection declaration, many things will change as a result of the new regulations. In detail:

2. Privacy Policy and Imprint
First of all, every website needs a new data protection declaration that meets the requirements of the GDPR. Principles of a GDPR-compliant data protection declaration:

• Simple and understandable language
• if applicable, a preceding, general, summary declaration
• Contact details of the site operator
• Data protection officer, if available
• The legal basis for the respective data collection/processing (statutory regulation or consent) must be specifically named

A data protection declaration according to the GDPR must contain at least the following points:

• Mention of all data processing operations on the website
• Handling customer / order data
• Tracking, cookies, social media
• Newsletter, A(D)V
• Duration of storage, deletion periods
• Information, correction, deletion, objection
• Right to data disclosure and portability

Consent must not be declared within the data protection declaration.

Danger! Obligation to delete Art. 17 GDPR:

Data must be deleted when:

• the purpose of the survey no longer applies,
• the consent has been revoked (unsubscribe from the newsletter),
• the user objects ("delete my data") and there are no legal storage obligations (taxes and accounting)

No changes are necessary in the imprint. However, it is currently being discussed that a special contact form should be created for information, correction and deletion claims, which should be integrated into the general menu structure (in the data protection declaration and imprint).

3. Processing directory (previously: procedure directory)
You need a processing directory if you employ more than 250 people and if you process special categories of data.

The obligation also applies to companies with fewer than 250 employees if the processing is “not just occasional”. However, it has not yet been finally clarified what this means exactly. Until the requirements have been finally clarified, you should create such a directory if in doubt.

What content goes in?


• Details of the person responsible
• Name and contact details of the controller, his representative and the data protection officer
• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients
• Transfers of personal data to a third country
• Deadlines for deletion
• Description of the technical and organizational measures
• Details of the processor
• Name and contact details of the processor and controller, their representatives and the data protection officer
• Categories of processing
• Transfers of personal data to a third country

You can find examples and structure of such a processing directory at Bitkom:
https://www.bitkom.org/NP-Themen/NP-Vertrauen-Sicherheit/Datenschutz/FirstSpirit-1496129138918170529-LF-Verfertigungsverzeichnis-online.pdf

4. Cookies and Tracking

With regard to cookies and tracking, there are currently no changes. Cookies are specifically re-regulated by the ePrivacy Regulation (ePR). However, this will probably not come until 2019.

The good news: Google Analytics remains "permitted" under the GDPR as before if the following requirements are met:

• A(D)V contract concluded with Google
• IP anonymization enabled
• Opt-out options for desktop and mobile

Be sure to sign a GDPR-compliant AV contract with Google from May 25, 2018. Google will probably provide such a contract soon.

Instructions for correct implementation can be found here .

With other tools such as the Facebook pixel, unfortunately, no exact statement can be made at the moment.
However, the legal situation is likely to become more complicated.

5. Newsletters and Consents
Consent from users, e.g. to the sending of newsletters, which was already effectively obtained under the old law (double opt-in) continues to apply in principle.

Exceptions:
• Coupling prohibition not observed for old consents
• Consents by minors

What about new newsletter campaigns or competitions?

If there is no legal permission to store / transfer data, consent is always required.

The double opt-in principle should also be observed under the GDPR in order to be able to prove consent in case of doubt. In any case, the consent must be documented electronically.

The consent must be “voluntary”: Real prohibition of coupling in Art. 7 Para.4 GDPR.

As a rule: No data against content (e.g. e-books, competitions, checklists) and no linking of the newsletter dispatch to the conclusion of a contract.

6. Data Protection Officer

Companies that usually employ at least ten people on a permanent basis to process personal data or that are obliged to carry out a data protection impact assessment in accordance with Article 35 GDPR (details below under Section 9.) must appoint a data protection officer.

conflicts of interest

There must be no conflicts of interest when appointing the data protection officer. Therefore, a board member, a managing director or the company owner cannot be a data protection officer. These people cannot mediate in the event of conflicts between company interests and data protection regulations.

You can also appoint an external data protection officer to avoid conflicts.

Qualifications of the Data Protection Officer


The data protection officer must be reliable. Legal and technical expertise are also essential for the position of data protection officer. Training courses/seminars including examinations are offered nationwide in order to acquire the relevant qualifications, eg at the TÜV.

7. Employee Data

The GDPR also comes with new regulations on employee data protection. The new regulations contain numerous duties and obligations that employers must comply with in the future.

Only the data that is “necessary” should be collected.

Employee data should only be processed if this is necessary to make a decision about hiring an applicant or to carry out, exercise or terminate an employment relationship.

Processing is also permitted if it is necessary for the fulfillment of legal rights and obligations, a collective agreement or a company or service agreement or for the purpose of criminal prosecution. Whether and when the collection of certain data is actually necessary must always be determined on the basis of the specific individual case.

obtain consents


Anyone who wants to avoid the legal uncertainties surrounding “necessity” can obtain voluntary consent from their employees. In the event of a dispute, however, the alleged voluntary nature of the consent must be proven by the employer.

Effective consent must meet certain formal criteria. It must always be in writing, ie signed independently. However, since this is not always practicable, electronic consent can also be obtained under special circumstances. In addition, the employee must be informed in a suitable form that the consent can be revoked at any time. Ultimately, the employer must create certain conditions for the declaration of revocation.

In case of doubt, an employer must be able to prove compliance with the obligations just mentioned (documentation obligations). Furthermore, employers will be confronted with stricter information obligations in the event of data protection violations and numerous other obligations (e.g. deletion obligations).

With regard to these obligations, employers should therefore have their internal company processes thoroughly checked and, if necessary, adjusted (keyword: compliance management).

8. Order (data) processing

If the collection and processing of personal data is carried out by an "external" company, this must - as in the old law - be contractually regulated.

examples


• Agency carries out advertising measures
• External newsletter provider
• Web hosts
• External maintenance contracts

What will change in the content of the A(D)V contracts?

Few changes in content:


• Processors may be required to keep a record of procedures
• Processor must log the instructions of the person responsible
• contracts no longer need to be in writing

9. Privacy of Minors

In the case of young people under the age of 16, the parents must give their consent. However, this only applies to cases in which the GDPR requires consent (e.g. for advertising) and in practice only when it comes to offers that are aimed directly at children and young people.

In the case of mixed offers (for adults and young people), no specific requirements need to be implemented.

10. Data Protection Impact Assessment

In certain cases, you are obliged to assess the consequences of data processing and record this in a so-called data protection impact assessment in accordance with Art. 35 GDPR. A so-called DPIA must always be carried out if "a form of processing, especially when using new technologies, is likely to result in a high risk for personal rights and freedoms due to the type, scope, circumstances and purposes of the processing ( Has)".

This is the case, for example, in the following constellations:

• Processing of health data, religion, sexuality
• Trade Secrets
• Profiling/Scoring
• Criminal acts
• etc.

You can read about when and how such a data protection impact assessment is to be carried out in detail in the extensive white paper from the Privacy Forum:

https://www.forum-privatheit.de/forum-privatheit-de/publikationen-und-downloads/veroeffentlichungen-des-forums/themenpapiere-white-paper/Forum_Privatheit_White_Paper_Datenschutz-Folgenabschaetzung_2016.pdf

11. Right of Inspection and Obligation to Report

In general, those affected have the right to information about their stored personal data (Article 15 GDPR).

Form of information:
• in written form
• electronically (e-mail)
• orally upon request

Deadline for information: Immediately, but no later than 1 month after receipt of the application

When do those affected and the supervisory authorities have to be informed in the event of data breaches?

Stricter requirements now apply here than before. According to Art. 33 GDPR, data breaches must be submitted to the supervisory authorities immediately (if possible within 72 hours) using comprehensive documentation.

Art. 33 Para. 5 GDPR regulates details on the content
https://dejure.org/gesetze/DSGVO/33.html

12. Fines and warnings

Violations of data protection can be warned!

In the event of violations, there is a risk of warnings and court proceedings, because:
• Data protection law is relevant to competition law!
• Violations can also be warned according to the GDPR!

fines


The GDPR provides for fines of up to 20 million euros or 4% of the previous year's worldwide turnover.

So far, data protection authorities have only very rarely exhausted the upper limit of the fines and in the case of permanent violations.

But that will very likely change, the high fines are a core part of the GDPR.

Important: Take inquiries/complaints from users seriously. More importantly, take inquiries/complaints from data protection authorities seriously.

What exactly should I do now?

Of course, part of our extensive services in the area of website creation is also support in the implementation of a GDPR-compliant data protection declaration and practical, legally verified content on the GDPR.