Data protection from a legal perspective
Data protection has become a hot topic in society in recent years. Companies can no longer afford to neglect data protection. In our legal practice, we are also seeing a steady increase in data protection-related issues in the field of IT law.
General data protection law is characterized by frequent amendments, and its system has become difficult to understand. As specialized lawyers, we also note that the data protection authorities often interpret this law extremely strictly and frequently impose fines for violations.
The General Data Protection Regulation, which came into force on May 25, 2018, has significantly increased the importance of data protection law. The new law provides for fines of up to €20 million or – if higher – up to 4% of the group's global turnover. At the same time, the requirements and the legal framework are also becoming more stringent.
The General Data Protection Regulation (GDPR) is an EU regulation that regulates the protection of personal data for all companies and organizations that are active in the EU or process personal data of EU citizens. It ensures that the protection of personal data remains at a high level and is uniformly regulated for all EU member states.
The GDPR defines what is meant by personal data and when the processing of this data is permitted. It also contains rules on the rights of the data subjects, such as the right of access, the right to rectification, the right to erasure and the right to restriction of processing.
In general, data protection law covers the following topics, which we will present as examples.
Do not forget the company data protection officer
It is particularly annoying for companies if, due to a lack of legal advice, even basic formal requirements for data protection compliance are not observed. A company data protection officer is required as soon as a relatively small number of employees handle data. However, there are also other cases, which are less well known, in which a data protection officer must be appointed, such as the processing of personal data which, by virtue of its nature, scope or purposes, involves regular and systematic monitoring of data subjects, or the processing of particularly sensitive personal data or personal data relating to criminal convictions and offenses.
The Data Protection Officer is tasked with monitoring and advising on compliance with data protection regulations within the company or organization. They must possess the necessary expertise and may not simultaneously perform any other function that would conflict with this role.
It is important that the DPO can act independently and free from instructions, and that they report directly to the managing director or a higher management level.
Commissioned data processing requires a special agreement
The penalty provisions are quickly triggered if a data processing operation is outsourced to a third party without concluding, and of course implementing, the data processing agreement that the law requires for commissioned processing. A specialist lawyer for IT law can draft the necessary agreements individually, provided the arrangement is not clearly a transfer of functions.
A data processing agreement (DPA) is a contract that defines how a company or organization, the processor, may process personal data on behalf of another company or organization, the client. The DPA governs the obligations and responsibilities of the processor with regard to data protection and ensures that the personal data is processed in accordance with the GDPR and other data protection regulations.
The DPA is usually required when the processor processes personal data for the controller that was not collected in its own company or organization. Examples include cloud services provided by a third-party vendor or personal data processing by a call center on behalf of another company.
It is important that the DPA meets all the requirements of the GDPR and other data protection regulations and covers all relevant aspects of the commissioned processing. The client, as controller, is responsible for compliance with data protection regulations in commissioned processing and must therefore ensure that the DPA is designed accordingly.
What is sometimes overlooked, however, is that the DPA alone does not constitute a legal basis for transferring data to a third party or for having data collected by a third party on behalf of the client.
The DPA alone is therefore not sufficient to justify the processing of personal data. The processing must always rest on a legal basis that the client and the processor can refer to; the possible legal bases are set out in the GDPR.
The same possible legal bases for the processing of personal data apply to a DPA as to any other data processing, such as
- the consent of the data subject
- fulfillment of a contract to which the data subject is a party
- fulfillment of a legal obligation to which the controller is subject
- protecting the vital interests of the data subject or of another natural person
- exercise of official authority vested in the controller
- the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data
The DPA must therefore always be based on a legal basis for the processing of personal data and explicitly cite it. It must also meet all the requirements of the GDPR and other data protection regulations and cover all relevant aspects of the processing.
Data protection in marketing
Data protection can often pose a particular challenge for marketing. Marketing activities usually require the processing of personal data in order to target advertising to the right audience. It is important that data protection is maintained and the rights of the data subjects are observed.
However, there are many ways to respect data protection and comply with legal requirements in marketing. For example, companies and organizations can obtain the consent of the data subjects before contacting them for marketing purposes. They can also ensure that they only process the personal data necessary to carry out marketing activities and that they store and protect this data carefully.
It is important that companies and organizations always keep data protection in mind when marketing and position themselves accordingly. This way, they can ensure that they comply with legal requirements and avoid violations.
Marketing campaigns are by their very nature presented to the public as effectively as possible. The population's heightened awareness of data protection issues can therefore easily turn a competition, for example, which was intended to convey a "positive image", into its opposite. Even mere address data are not freely available and usable for any purpose. As early as the planning of the marketing campaign, legal advice should be sought to ensure that the right course is set so that the objectives can be achieved later. As specialized lawyers, we can usually support you in this area at short notice, because we are also aware that the involvement of a lawyer is often not considered until the end of the marketing planning.
Privacy policy for websites
Data protection officers will no doubt be pleased to note that more and more website operators are remembering their special obligation to provide data protection information when operating a website and are seeking expert legal advice in this regard.
It is becoming more widely understood that even the processing of visitors' IP addresses, which the website operator is usually unable to assign to a specific person, is a process relevant to data protection. This makes it necessary to adapt the privacy policy individually to the specific circumstances of the website, which we do in our legal practice on the basis of the information provided by the technicians. In any case, it would be wrong to assume that another website's template privacy policy will always suffice.
A privacy policy has become an important part of any website, as it describes how the company or organization operating the site processes personal information. The privacy policy must provide visitors to the website with the necessary information to enable them to make an informed decision about whether they wish to disclose their personal data.
It is important that the privacy policy for the website is easy to understand and access, and that it contains all the relevant information. It should be regularly updated to ensure that it always meets the applicable data protection requirements.
However, it must also be noted that the mere existence of a privacy policy is not sufficient to justify the data processing. Many services used on websites require informed consent, or another legal basis must be found.
The examples show that data protection law, as part of IT law, is actually very broad and its importance is probably still considerably underestimated in some cases. As specialized attorneys for IT law, we look forward to discussing your topic.