Self Audit

A. Data Protection Officer

1. Introduction
2. Requirements for the Data Protection Officer
3. Internal or External
4. Position of the Data Protection Officer
5. Responsibilities of the Data Protection Officer
6. Consultation Rights of Data Subjects
7. Support for the Data Protection Officer
8. Fines
9. Publication and Notification Obligations of Contact Details

B. Record of Processing Activities

1. Introduction
2. Responsibility for the Record of Processing Activities
3. Content of the Record of Processing Activities
4. Templates and Records

C. Privacy Policy

D. Data Processing Agreement

1. Suitability of the Data Processor
2. Data Processing Agreement
3. Transfer of Data to Service Providers Outside the European Union

E. Right of Access

1. Information to be Provided
2. Form of Provision
3. Costs
4. Fines
5. Further Information

F. Data Portability

1. Requirements
2. Provision of Data
3. Transfer
4. Exceptions
5. Costs
6. Fines
7. Further Information

G. Data Confidentiality

1. Obligation of Employees to Maintain Data Confidentiality
2. Data Protection Awareness

H. Works Agreements

1. Works Agreement

I. Handling Data Breaches / Crisis Response Plan

1. Introduction
2. Legal Obligations in the Event of Data Breaches

J. Data Minimization – “Privacy by Design” & “Privacy by Default”

1. Data Minimization
2. Privacy by Design
3. Privacy by Default
4. Deletion Concept

K. Measures for Reviewing, Evaluating, and Improving Security Measures

1. Measures for Reviewing, Evaluating, and Improving Security Measures

L. Data Collection Based on Consent

1. Current Legal Situation in Germany
2. Legal Situation After the Implementation of the GDPR

A. Data Protection Officer

1. Introduction

According to your responses in the questionnaire, you are not legally required to appoint a Data Protection Officer.

However, you may choose to appoint one voluntarily.

2. Requirements for the Data Protection Officer

The Data Protection Officer must be professionally qualified and possess sufficient expertise in data protection law and practices.

A useful benchmark is the minimum requirements published by the Düsseldorf Circle (the coordination body of the German supervisory authorities for the private sector), which, however, still refer to the old legal framework: https://www.lda.bayern.de/media/dk_mindestanforderungen_dsb.pdf

3. Internal or External

The Data Protection Officer can be appointed internally or externally.

An internal Data Protection Officer can be a staff member who takes on the role in addition to their other duties. However, the other tasks must not lead to a conflict of interest: the Data Protection Officer must not be in a position to determine the purposes and means of data processing themselves. For this reason, a Data Protection Officer cannot be part of the company management or head of a department that is central to data processing, such as IT, HR, or marketing.

An external Data Protection Officer acts as a service provider for the company.

4. Position of the Data Protection Officer

The Data Protection Officer reports directly to the highest management level of the company.

They must be independent and free from instructions regarding the performance of their duties. The Data Protection Officer must not suffer any disadvantages due to their activities. In Germany, if their appointment is legally required, they can only be dismissed for cause justifying immediate termination.

5. Responsibilities of the Data Protection Officer

The Data Protection Officer has at least the following responsibilities:

  • Informing and advising the data controller and employees who process data about their obligations under the GDPR
  • Monitoring compliance with the GDPR and other data protection regulations within the company
  • Training and raising awareness among employees
  • Advising on data protection impact assessments
  • Cooperating with supervisory authorities

6. Consultation Rights of Data Subjects

The Data Protection Officer serves as a point of contact between the company and the individuals whose data is processed. Data subjects may contact the Data Protection Officer directly with all questions relating to the processing of their data and the exercise of their rights, which is why the contact details must be easy to find (see 9.).

7. Support for the Data Protection Officer

The Data Protection Officer must be provided with sufficient resources to fulfill their duties and maintain their expertise.

Resources necessary for fulfilling their duties can include office space, equipment, and financial resources. Additional staff may be assigned to support them if needed. If the Data Protection Officer performs their duties alongside other tasks, they must have sufficient time available.

They also need access to systems and areas necessary for examining data processing activities.

To maintain their expertise, they should have access to relevant legal literature (legal commentaries, specialist journals) and opportunities for further training and education.

8. Fines

A company that fails to appoint a Data Protection Officer, despite being legally required to do so, can face fines of up to 10,000,000 EUR or up to 2% of the previous year’s worldwide annual turnover, whichever is higher.

9. Publication and Notification Obligations of Contact Details

The contact details of the Data Protection Officer must be published by the company, for example, in the privacy policy.

Additionally, the details must be communicated to the relevant supervisory authority. This must be done before May 25, 2018!

B. Record of Processing Activities

1. Introduction

You have indicated that you already maintain a record of processing activities. Thus, you are currently complying with the BDSG requirements.

By May 25, 2018, you must update the record to meet the new GDPR requirements.

2. Responsibility for the Record of Processing Activities

Under current law, the Data Protection Officer (if present) is explicitly responsible for maintaining the record. In the future, this responsibility will lie directly with the company management, as it already does if no Data Protection Officer is present.

However, there is nothing to prevent the Data Protection Officer from continuing to maintain and update the record if one is present in the company.

3. Content of the Record of Processing Activities

  • Name and contact details of the company and, if applicable, its representatives and the Data Protection Officer (if present)
  • In the case of joint data processing with another company, the details of the other company must also be provided
  • Purpose(s) of the processing
  • Description of the categories of data subjects and the categories of personal data processed
  • Categories of recipients of personal data, including recipients in third countries or international organizations
  • Whether data is transferred to a third country or international organization, naming which one, and, where such a transfer relies on one of the narrow exceptions rather than an adequacy decision or standard safeguards, documenting the safeguards applied
  • Deletion periods, if determinable
  • General description of technical and organizational measures, if possible

4. Templates and Records

With the templates and records for processing activities provided by the data protection compliance product, you can easily create this record.

C. Privacy Policy

You have indicated that you already use a privacy policy that is compliant with the GDPR, so no further action is required here. Remember to update it whenever processing activities, service providers, or contact details (e.g., of the Data Protection Officer) change.

D. Data Processing Agreement

1. Suitability of the Data Processor

You have indicated that you use a data processor.

Even when using an external data processor, you remain responsible for your customers’ data. The data processor merely carries out the processing on your behalf and on your instructions; it does not decide on the purposes or means of the processing.

The GDPR requires you to ensure that the data processor implements appropriate technical and organizational measures to process data in compliance with data protection regulations.

2. Data Processing Agreement

There must be a contract, known as a data processing agreement, between you as the data controller and the data processor. It must be in writing; electronic form is sufficient.

The data processing agreement must specifically regulate the following:

  • The data processor processes the data only on your documented instructions, except where a legal obligation requires otherwise, and informs you if an instruction in its view infringes data protection law
  • The individuals processing data at the data processor must be bound to confidentiality
  • The data processor must implement the technical and organizational measures needed for an appropriate level of security
  • The data processor supports the data controller in fulfilling their data protection obligations, particularly regarding the rights of the data subject (e.g., the right of access), security, breach notifications, and data protection impact assessments
  • The data processor engages further service providers (sub-processors) only with your prior authorization and binds them to the same obligations
  • The data processor provides you with the information necessary to demonstrate compliance and allows and contributes to audits
  • After the end of the service, the data must be deleted or returned to the data controller unless there is a legal obligation to retain it

If the data processor uses another service provider for data processing, that provider must be bound by the same obligations, and the data processor remains fully liable to you for the provider’s performance.

Sample data processing agreements are available at:

Many providers offer their own contracts. These are often called “Data Processing Agreement” or “Data Processing Addendum” by American companies.

3. Transfer of Data to Service Providers Outside the European Union

3.1 You have indicated that you transfer data to service providers outside the European Union. This is only permissible under strict conditions.

3.2 The following countries have been deemed by the European Commission to provide an adequate level of data protection (the list changes over time; check the Commission’s current adequacy decisions before relying on it):

  • Europe:

    • Andorra
    • Faroe Islands
    • Guernsey
    • Isle of Man
    • Jersey
    • Switzerland
    • United Kingdom
  • North and South America:

    • Argentina
    • Canada (for data processing by Canadian organizations in the course of commercial activities)
    • Uruguay
    • USA (EU-U.S. Data Privacy Framework): only for US organizations that appear on the Data Privacy Framework List of the US Department of Commerce
    • You can check this here: https://www.dataprivacyframework.gov/list
  • Asia & Oceania:

    • Israel (only for automated data processing, only within the territory of the State of Israel)
    • Japan (for private-sector organizations)
    • New Zealand
    • South Korea

3.3 Otherwise, data may only be transferred if guarantees for an adequate level of protection are provided, such as:

  • Binding corporate rules
  • Standard contractual clauses adopted by the EU Commission
  • Standard contractual clauses adopted by supervisory authorities
  • Approved codes of conduct
  • Approved certification mechanisms
  • Contractual clauses approved by the competent supervisory authority

Since the Schrems II judgment of the Court of Justice of the EU (2020), relying on standard contractual clauses or binding corporate rules also requires you to assess whether the law of the destination country undermines these guarantees and, if so, to add supplementary measures (for example, encryption with keys held only within the EU).

E. Right of Access

You have indicated that you have already developed procedures to provide data subjects with information about the data stored about them.

You are therefore prepared to fulfill the future right of access. Below, you will find information on what data you must provide.

1. Information to be Provided

You must provide the following information upon request of the data subject:

  • The purposes of the processing, i.e., what the data is needed and processed for
  • The categories of personal data being processed
  • The recipients or categories of recipients to whom the data has been or will be disclosed, particularly those outside the EU or international organizations
  • The planned duration of data storage, if possible, or the criteria used to determine the duration
  • The rights of the data subject (right to rectification, right to erasure, right to restriction of processing, and the right to object to processing)
  • The existence of a right to lodge a complaint with a supervisory authority
  • The source of the data, if the data was not collected from the data subject
  • Whether automated decision-making (including profiling) is used, such as automatic credit checks, together with meaningful information about the logic involved and the significance and potential consequences of such processing for the data subject
  • If data is transferred to a third country or international organization, the guarantees that protect the personal data must be indicated

The rights and freedoms of other individuals should not be adversely affected. This includes considering trade secrets and intellectual property rights (e.g., software copyrights). These should at most result in a limitation of the information provided, not a complete refusal of an access request.

2. Form of Provision

The company must provide the data subject with a copy of their data.

In the case of electronic access requests, such as via email, the information must also be provided electronically in a commonly used electronic format.

3. Costs

The provision of a copy must be free of charge. Charges may be imposed for additional copies to cover administrative costs.

4. Fines

Failure to comply with access requests can result in fines of up to 20,000,000 EUR or up to 4% of the previous year’s worldwide annual turnover, whichever is higher.

5. Further Information

Further information on the right of access can be found here:

https://www.infothek.com/whitepaper/ds-gvo-die-ausweitung-der-betroffenenrechte-stand-maerz-2018#Auskunftsrecht

We will soon provide an online form to help you fulfill the right of access.

F. Data Portability

You have indicated that you have a procedure in place to provide data portability.

Below, you will find more information to adjust the procedure as needed.

1. Requirements

For the right to data portability to apply, three conditions must be met: the user must have provided the data to the data controller themselves, the processing must be based on consent or a contract, and the processing must be carried out by automated means. Data the company has derived itself (e.g., scores or internal notes) is not covered.

All three conditions are typically met in online commerce when a customer places an order.

2. Provision of Data

The data must be provided as a data set in a structured, commonly used, and machine-readable format. Ideally, the format should be usable independently of any specific operating system. However, there is no obligation to maintain technically compatible data processing systems.

3. Transfer

The applicant has the right to provide the data to a third party, usually the new provider. Technical measures that make this transfer difficult or impossible are prohibited.

The applicant can also request that the data set be transferred directly from the original provider to the new provider, if technically feasible.
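The following is an added example of an export routine along the lines described in 1. to 3.; it is not code from the original self-audit. The shop schema, the field names, the legal-basis labels and the sample records are constructed for illustration. It exports only data the customer provided, only from processing based on consent or contract, and nothing the company derived itself (risk scores, internal notes), as a JSON file that any other provider can read.

```python
"""Data portability export (added example; schema and sample data are constructed)."""
import json
from datetime import date
from typing import Dict, List, Set

# Assumed schema: per table, the fields the customer supplied themselves.
PROVIDED_FIELDS: Dict[str, List[str]] = {
    "customers": ["email", "name", "shipping_address"],
    "orders": ["order_no", "ordered_on", "items"],
    "newsletter": ["email", "subscribed_on"],
}
# Fields the company produced from the data (out of scope of portability).
DERIVED_FIELDS: Dict[str, List[str]] = {
    "customers": ["risk_score", "internal_notes"],
    "orders": ["fraud_flag"],
}
PORTABLE_BASES: Set[str] = {"consent", "contract"}

# Constructed sample "database"; every row carries the legal basis it was collected under.
DB = {
    "customers": [
        {"customer_id": 17, "email": "alice@example.com", "name": "Alice Example",
         "shipping_address": "Musterstr. 1, 12345 Berlin", "risk_score": 0.12,
         "internal_notes": "called support twice", "legal_basis": "contract"},
        {"customer_id": 99, "email": "bob@example.net", "name": "Bob Beispiel",
         "shipping_address": "Beispielweg 9, 80331 München", "risk_score": 0.40,
         "internal_notes": "", "legal_basis": "contract"},
    ],
    "orders": [
        {"order_no": "A-1001", "customer_id": 17, "ordered_on": date(2018, 3, 2),
         "items": [{"sku": "X1", "qty": 2}], "fraud_flag": False, "legal_basis": "contract"},
        {"order_no": "A-1002", "customer_id": 17, "ordered_on": date(2018, 4, 9),
         "items": [{"sku": "Y7", "qty": 1}], "fraud_flag": False, "legal_basis": "contract"},
        {"order_no": "B-2000", "customer_id": 99, "ordered_on": date(2018, 4, 10),
         "items": [{"sku": "X1", "qty": 1}], "fraud_flag": True, "legal_basis": "contract"},
    ],
    "newsletter": [
        {"customer_id": 17, "email": "alice@example.com", "subscribed_on": date(2018, 1, 15),
         "legal_basis": "consent"},
    ],
    # Not listed in PROVIDED_FIELDS at all, so never exported: the company's own analysis.
    "fraud_checks": [
        {"customer_id": 99, "score": 0.9, "legal_basis": "legitimate_interest"},
    ],
}


def _json_default(obj):
    """Serialize dates as ISO 8601 so the file is readable by any other system."""
    if isinstance(obj, date):
        return obj.isoformat()
    raise TypeError(f"not serializable: {type(obj).__name__}")


def build_export(customer_id: int, db=DB, portable_bases=PORTABLE_BASES) -> dict:
    """Collect the portable data of one customer, table by table."""
    export = {"format": "json", "customer_id": customer_id, "data": {}}
    for table, fields in PROVIDED_FIELDS.items():
        rows = []
        for row in db.get(table, []):
            if row.get("customer_id") != customer_id:
                continue
            if row.get("legal_basis") not in portable_bases:
                continue  # e.g. legitimate interest: not covered by portability
            rows.append({f: row[f] for f in fields if f in row})
        export["data"][table] = rows
    return export


def export_json(customer_id: int, db=DB) -> str:
    """The file handed to the data subject (or sent to the new provider)."""
    return json.dumps(build_export(customer_id, db), default=_json_default,
                      indent=2, ensure_ascii=False)


def contains_derived_data(export: dict) -> bool:
    """Sanity check before release: no company-derived field may leak into the export."""
    for table, rows in export["data"].items():
        for row in rows:
            if any(f in row for f in DERIVED_FIELDS.get(table, ())):
                return True
    return False


if __name__ == "__main__":
    print(export_json(17))
```

The classification of each field as "provided" or "derived" is a decision you make once per processing activity (the record of processing activities is the natural place to note it); the export code then only applies that decision, and the final check refuses to release a file that contains a derived field.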

4. Exceptions

Exercising the right to data portability does not by itself trigger erasure: the original provider may keep the data as long as it is still needed, and in particular data necessary for the fulfillment of a contract does not have to be deleted. The data subject can, however, separately exercise the right to erasure.

Data portability can also be excluded due to legal obligations, such as performing a task in the public interest.

If the rights and freedoms of other individuals are adversely affected, data may not (fully) be transferable.

Clearly unfounded or excessive requests do not need to be complied with, nor do those where the applicant cannot be identified.

5. Costs

There should be no costs to the user for the transfer of data.

An exception applies only to abusive or excessive requests.

6. Fines

Failure to comply with data portability requests can result in fines of up to 20,000,000 EUR or up to 4% of the previous year’s worldwide annual turnover, whichever is higher.

7. Further Information

Further information on the right to data portability can be found here:

https://www.infothek.com/whitepaper/ds-gvo-die-ausweitung-der-betroffenenrechte-stand-maerz-2018#Datenuebertragbarkeitsrecht

G. Data Confidentiality

1. Obligation of Employees to Maintain Data Confidentiality

You have indicated that employees who process personal data are already bound to data confidentiality.

2. Data Protection Awareness

Ensure that your employees are aware of the importance of data protection. Make it clear that all data, whether from customers, employees, suppliers, or other natural persons, must be protected and handled responsibly.

H. Works Agreements

1. Works Agreement

Existing works agreements must be checked for compliance with the GDPR.

It must be verified whether the processing of employee data permitted under the agreement is still permissible under the GDPR.

The fundamental principles of the GDPR should also be applied in works agreements. For example, due to the principle of data minimization, only the necessary employee data should be collected.

Special rules apply to special categories of personal data, such as those concerning racial or ethnic origin, religion, health data, and biometric data. This includes regulations on access restrictions using biometric data (e.g., fingerprint scanners).

Information obligations towards employees must also be fulfilled.

I. Handling Data Breaches / Crisis Response Plan

1. Introduction

You have indicated that you already have a crisis response plan.

This plan should be updated by May 25, 2018, to comply with the new GDPR requirements.

2. Legal Obligations in the Event of Data Breaches

In the event of a personal data breach, such as a server compromise with access to customer data or unauthorized access by an employee, the breach, its effects, and the remedial actions taken must be documented in a way that allows the supervisory authority to verify compliance. This documentation duty applies to every breach, including those that in the end do not have to be reported.

Normally, the data breach must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the 72 hours are exceeded, the report must state the reasons for the delay; information that is not yet available may be supplied in stages.

The reporting obligation does not apply if the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. For example, if customer data accessed through a hack was encrypted according to current technical standards and the key was not compromised, the data is unintelligible to the attacker and misuse can be excluded. Encryption does not help with this assessment if the attacker also obtained the key, or if the breach concerns availability (e.g., data destroyed by ransomware) rather than confidentiality.

If the risk of data misuse is high for the affected person(s), such as access to credit card data or viewing intimate details, the affected persons must also be informed without undue delay, in clear and plain language, stating the nature of the breach, the contact details of the Data Protection Officer or another contact point, the likely consequences, and the measures taken. If informing each person individually would involve disproportionate effort, a public communication that informs the affected persons equally effectively may be used instead.

Further information on handling data breaches can be found here:

https://www.infothek.com/allgemein/ds-gvo-wie-geht-man-mit-datenpannen-um

We will soon provide an online form to help you fulfill the notification obligation.

J. Data Minimization – “Privacy by Design” & “Privacy by Default”

1. Data Minimization

You have indicated that you already collect only the necessary data. You should also pay attention to this in future applications. Further information is provided below.

2. Privacy by Design

The GDPR requires the data controller (i.e., the company) to implement appropriate technical and organizational measures to effectively enforce data protection principles and protect the rights of data subjects.

In doing so, the state of the art, implementation costs, nature, scope, context, and purposes of the processing should be considered. The likelihood and severity of risks to the rights and freedoms of natural persons should also be considered.

For example, pseudonymizing data can be a method to achieve the principle of data minimization.
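Pseudonymization only works as a minimization measure if the link back to the person is kept separately from the pseudonymized copy. The following added example (not code from the original text) shows one way to do this with a keyed hash: field names, the sample orders and the key handling are constructed for illustration, and in a real deployment the key would come from a key management system and stay away from the systems that hold the pseudonymized records. It shows that analytics still works on the pseudonymized copy (the same person maps to the same pseudonym), that only the key holder can link a pseudonym back to a person, and why an unkeyed SHA-256 would not be a pseudonym at all.

```python
"""Pseudonymisation of direct identifiers with HMAC-SHA256 (added example; data constructed)."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

DIRECT_IDENTIFIERS = ("email", "name")  # assumed: the fields that identify a person directly

# Constructed sample input: the same customer twice with differing capitalisation.
SAMPLE_ORDERS = [
    {"email": "Alice@Example.com", "name": "Alice Example", "order_no": "A-1001", "total": 49.90},
    {"email": "alice@example.com", "name": "Alice Example", "order_no": "A-1002", "total": 12.00},
    {"email": "bob@example.net", "name": "Bob Beispiel", "order_no": "A-1003", "total": 7.50},
]


def _normalise(value: str) -> bytes:
    """Same person, same pseudonym: strip whitespace and case before hashing."""
    return value.strip().lower().encode("utf-8")


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: NOT a pseudonym, anyone can recompute it from a guess list."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Stable pseudonym for one identifier under one secret key (HMAC-SHA256, hex)."""
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Copy of the record with the direct identifiers replaced by one pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = pseudonym(record["email"], key)
    return out


def orders_per_subject(records: Iterable[dict]) -> Dict[str, int]:
    """Analytics that needs linkability between records but no identity."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["subject"]] = counts.get(r["subject"], 0) + 1
    return counts


def link_back(target: str, candidates: Iterable[str], key: Optional[bytes]) -> Optional[str]:
    """Try to map a pseudonym back to an identifier from a candidate list.

    With the key this is the controlled re-identification the key holder may
    perform (e.g. to answer an access request). Without it (key=None) it is
    the guess attack an outsider can run against unkeyed hashes.
    """
    for c in candidates:
        digest = pseudonym(c, key) if key is not None else unkeyed_hash(c)
        if hmac.compare_digest(digest, target):
            return c
    return None


if __name__ == "__main__":
    key = bytes.fromhex("00" * 32)  # placeholder only; never hard-code a real key
    rows = [pseudonymise(r, key) for r in SAMPLE_ORDERS]
    for r in rows:
        print(r)
    print(orders_per_subject(rows))
```

Rotating the key produces a new set of pseudonyms, which breaks linkability with older exports; that is sometimes wanted (e.g., per-year analytics sets) and sometimes not, so the rotation policy belongs in the deletion and retention rules rather than being decided ad hoc.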

3. Privacy by Default

Companies must also ensure that, by default, personal data is processed only if it is necessary for the specific purpose.

Minimization applies to the amount of personal data collected, the extent of its processing, the duration of its storage, and its accessibility; in particular, data must not be made accessible to an indefinite number of persons (e.g., a public profile) without the individual actively choosing this.

You should review all forms used, such as in the order process, contact forms, or newsletter subscription forms. For each piece of data requested, ask yourself: Do I really need this to fulfill the purpose?

If not, you should either not ask for it or make it clear that it is not a required field. It is recommended to mark all required fields with an asterisk and to note “*Required field” below the form.

4. Deletion Concept

A deletion concept, i.e., rules on when and how to delete data, is not mandatory but strongly recommended.

Further information can be found here:

https://www.secorvo.de/publikationen/din-leitlinie-loeschkonzept-hammer-schuler-2012.pdf

In any case, you should regularly, at least annually, review whether data is still needed and delete it if necessary. The templates in the record of processing activities provide recommended deletion periods for individual processing activities.
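A deletion concept is easiest to follow if the rules are written down in a form that can be run. The following added example (not part of the original text) expresses retention rules per processing activity and produces, for a given day, the list of records due for deletion. The categories, the retention periods and the sample records are assumptions for illustration and not legal advice; the real periods come from your record of processing activities. Two details matter in practice and are built in: a legal hold blocks deletion regardless of the schedule, and a record whose category has no rule is flagged for review rather than deleted or kept silently.

```python
"""A deletion concept as code (added example; periods and records are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    purpose_days: int          # days the data is still needed for its purpose after the trigger event
    statutory_days: int = 0    # statutory retention that blocks earlier deletion (assumed values)
    note: str = ""


POLICY: Dict[str, RetentionRule] = {
    "order_invoice": RetentionRule(0, statutory_days=10 * 365, note="assumed 10-year retention for accounting"),
    "customer_account": RetentionRule(0, note="delete when the account is closed"),
    "newsletter": RetentionRule(0, note="delete on unsubscribe; keep the proof of withdrawal separately"),
    "server_log": RetentionRule(7, note="short-lived; security analysis only"),
    "job_application": RetentionRule(180, note="assumed period for rejected applicants"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger: date               # event that starts the clock: order completed, account closed, log written
    legal_hold: bool = False    # set by the legal department; blocks deletion regardless of schedule


@dataclass
class Decision:
    record_id: str
    action: str                 # "delete", "keep" or "review"
    due: Optional[date]
    reason: str


def decide(rec: Record, today: date, policy: Dict[str, RetentionRule] = POLICY) -> Decision:
    """Apply the policy to one record. Unknown categories are never deleted silently."""
    rule = policy.get(rec.category)
    if rule is None:
        return Decision(rec.record_id, "review", None, f"no retention rule for category {rec.category!r}")
    due = rec.trigger + timedelta(days=max(rule.purpose_days, rule.statutory_days))
    if rec.legal_hold:
        return Decision(rec.record_id, "keep", due, "legal hold")
    if today >= due:
        return Decision(rec.record_id, "delete", due, rule.note or "retention period expired")
    return Decision(rec.record_id, "keep", due, f"{(due - today).days} days remaining")


def review(records: List[Record], today: date, policy=POLICY) -> Dict[str, List[Decision]]:
    """Group all records by the action the policy requires today."""
    out: Dict[str, List[Decision]] = {"delete": [], "keep": [], "review": []}
    for rec in records:
        d = decide(rec, today, policy)
        out[d.action].append(d)
    return out


# Constructed sample inventory and review date.
REVIEW_DATE = date(2018, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-1", "order_invoice", date(2007, 5, 1)),
    Record("inv-2", "order_invoice", date(2016, 1, 1)),
    Record("acc-1", "customer_account", date(2018, 5, 30)),
    Record("acc-2", "customer_account", date(2018, 5, 30), legal_hold=True),
    Record("log-1", "server_log", date(2018, 5, 20)),
    Record("log-2", "server_log", date(2018, 5, 28)),
    Record("x-1", "crm_export", date(2018, 1, 1)),   # category missing from POLICY
]


def run_review() -> Dict[str, List[Decision]]:
    return review(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for action, decisions in run_review().items():
        for d in decisions:
            print(f"{action:6} {d.record_id:6} due={d.due} ({d.reason})")
```

Running the review on a schedule (at least annually, as recommended above, but for short-lived data such as logs far more often) and keeping its output is also the evidence that you apply the storage limitation principle.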

K. Measures for Reviewing, Evaluating, and Improving Security Measures

1. Measures for Reviewing, Evaluating, and Improving Security Measures

You have indicated that you already have a plan to regularly review the technical and organizational measures used. Thus, you already meet this requirement of the GDPR.

L. Data Collection Based on Consent

1. Current Legal Situation in Germany

Under the current BDSG legal framework, consent is one of the legal bases that allows data collection.

In fact, this is currently one of the safest and most reliable methods for collecting and using data. Provided the consent has been obtained in accordance with legal requirements (no pre-checked boxes, double opt-in, logging), data usage is generally permissible.

This is currently the best approach for email marketing.

2. Legal Situation After the Implementation of the GDPR

2.1 The GDPR still allows consent as a legal basis.

However, the requirements for obtaining valid consent are partly significantly higher.

2.2 Form:

The GDPR simplifies the situation regarding the form of consent. In addition to written consent, consent can also be given by ticking a checkbox, via email, orally, or, in some cases, through browser settings. However, the company must prove that consent was given, which can be difficult for oral consent.

2.3 Informed Consent

For consent to be valid, the user must be sufficiently informed in advance.

  • At a minimum, the company collecting the data must be named
  • The purpose(s) for which the data is being collected must be stated

2.4 Coupling Prohibition

The GDPR requires that consent be given voluntarily. Consent linked to a contract, where the data processing being consented to is not necessary for the contract, is not considered voluntary.

2.5 Withdrawal of Consent

Under the GDPR, consent can be withdrawn at any time with future effect.

This must be stated when obtaining consent and in the privacy policy. It must also be stated that this does not affect the legality of data processing based on consent before its withdrawal.
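Because the company has to prove that consent was given (2.2), what it was given for (2.3), that it was active rather than pre-ticked (2.4), and when it was withdrawn (2.5), the consent record has to capture all of that at the time of collection. The following added example (not code from the original text) shows a double opt-in flow for e-mail marketing with a random confirmation token and a consent log; the controller name, the consent wording, the field names and the 48-hour confirmation window are assumptions.

```python
"""Consent evidence with double opt-in (added example; names and wording are assumptions)."""
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Tuple

CONTROLLER = "Muster GmbH, Musterstr. 1, 12345 Berlin"   # assumed name of the data controller
CONSENT_TEXTS = {   # versioned wording, so the exact text shown can be reproduced later
    "newsletter/v1": "I agree that Muster GmbH may send me its product newsletter by e-mail. "
                     "I can withdraw this consent at any time with effect for the future.",
}
CONFIRM_WINDOW = 48 * 3600   # seconds a confirmation link stays valid (assumed)


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    text_id: str                        # which wording the user saw
    requested_at: int                   # unix time of the form submission
    source_ip: str
    confirmed_at: Optional[int] = None  # set when the double opt-in link is used
    withdrawn_at: Optional[int] = None

    def active_at(self, t: int) -> bool:
        """Consent covers processing at time t only between confirmation and withdrawal."""
        if self.confirmed_at is None or t < self.confirmed_at:
            return False
        return self.withdrawn_at is None or t < self.withdrawn_at


class ConsentLog:
    def __init__(self) -> None:
        self._pending: Dict[str, ConsentRecord] = {}                 # token -> awaiting confirmation
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}     # (email, purpose) -> confirmed

    @staticmethod
    def _key(email: str, purpose: str) -> Tuple[str, str]:
        return email.strip().lower(), purpose

    def request(self, email: str, purpose: str, text_id: str, source_ip: str,
                now: int, box_ticked: bool) -> str:
        """Form handler: records the request and returns the token for the confirmation mail."""
        if not box_ticked:
            raise ValueError("consent requires an active opt-in; a pre-ticked box is not consent")
        if text_id not in CONSENT_TEXTS:
            raise KeyError(f"unknown consent text {text_id!r}")
        token = secrets.token_urlsafe(32)   # unguessable and single-use
        norm_email, _ = self._key(email, purpose)
        self._pending[token] = ConsentRecord(norm_email, purpose, text_id, now, source_ip)
        return token

    def confirm(self, token: str, now: int) -> bool:
        """Link handler: only the mailbox owner can present the token, and only once."""
        rec = self._pending.pop(token, None)
        if rec is None or now - rec.requested_at > CONFIRM_WINDOW:
            return False
        rec.confirmed_at = now
        self._records[self._key(rec.email, rec.purpose)] = rec
        return True

    def withdraw(self, email: str, purpose: str, now: int) -> bool:
        """Withdrawal takes effect for the future; the record itself is kept as proof."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def may_process(self, email: str, purpose: str, at: int) -> bool:
        """Check before every send; sends made before a withdrawal stay lawful."""
        rec = self._records.get(self._key(email, purpose))
        return rec is not None and rec.active_at(at)

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you hand to a supervisory authority that asks you to prove consent."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None:
            return None
        out = asdict(rec)
        out["controller"] = CONTROLLER
        out["text_shown"] = CONSENT_TEXTS[rec.text_id]
        return out
```

The token is random rather than signed so that it can be invalidated by simply forgetting it; the log keeps the wording by version instead of by copy so that a later change to the text does not alter what earlier subscribers agreed to.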

2.6 Challenges

Overall, consent as a legal basis is significantly less attractive under the GDPR.

This is because the legal certainty that consent currently offers no longer exists under the GDPR.

Due to the coupling prohibition and the assumption of involuntariness in cases of clear imbalance between the parties, there is always a risk that consent will be declared invalid, potentially rendering the entire data processing unlawful. Given the high fines introduced by the GDPR, this poses a real risk for companies.

Therefore, it should be examined whether data previously collected based on consent can be collected on other legal grounds (e.g., based on “legitimate interests”).

2.7 Further information on consent can be found here:

https://www.infothek.com/whitepaper/rechtsgrundlagen-fuer-datenverarbeitung-nach-der-datenschutz-grundverordnungds-gvo#Einwilligung