According to your responses in the questionnaire, you are not legally required to appoint a Data Protection Officer.
However, you may choose to appoint one voluntarily.
The Data Protection Officer must be professionally qualified and possess sufficient expertise in data protection law and practices.
Guidance can be taken from the minimum requirements of the Düsseldorf Circle, although these are still based on the old legal framework: https://www.lda.bayern.de/media/dk_mindestanforderungen_dsb.pdf
The Data Protection Officer can be appointed internally or externally.
An internal Data Protection Officer can be a staff member who takes on the role in addition to their other duties. However, performing other tasks must not lead to a conflict of interest. For this reason, a Data Protection Officer cannot be part of the company management or head of departments relevant to data protection.
An external Data Protection Officer acts as a service provider for the company.
The Data Protection Officer reports directly to the highest management level of the company.
They must be independent and free from instructions regarding the performance of their duties. The Data Protection Officer must not suffer any disadvantages due to their activities. In Germany, if their appointment is legally required, they can only be dismissed for cause justifying immediate termination.
The Data Protection Officer has at least the following responsibilities:
The Data Protection Officer serves as a point of contact between the company and individuals whose data is processed.
The Data Protection Officer must be provided with sufficient resources to fulfill their duties and maintain their expertise.
Resources necessary for fulfilling their duties can include office space, equipment, and financial resources. Additional staff may be assigned to support them if needed. If the Data Protection Officer performs their duties alongside other tasks, they must have sufficient time available.
They also need access to systems and areas necessary for examining data processing activities.
To maintain their expertise, they should have access to relevant legal literature (legal commentaries, specialist journals) and opportunities for further training and education.
A company that fails to appoint a Data Protection Officer, despite being legally required to do so, can face fines of up to 10,000,000 EUR or up to 2% of the previous year’s annual turnover.
The contact details of the Data Protection Officer must be published by the company, for example, in the privacy policy.
Additionally, the details must be communicated to the relevant supervisory authority. This must be done before May 25, 2018!
You have indicated that you already maintain a record of processing activities. Thus, you are currently complying with the BDSG requirements.
By May 25, 2018, you must update the record to meet the new GDPR requirements.
Under current law, the Data Protection Officer (if present) is explicitly responsible for maintaining the record. In the future, this responsibility will lie directly with the company management, as it already does if no Data Protection Officer is present.
However, there is nothing to prevent the Data Protection Officer from continuing to maintain and update the record if one is present in the company.
With the templates and records for processing activities provided by the data protection compliance product, you can easily create this record.
You have indicated that you already use a privacy policy that is compliant with the GDPR, so you do not need to worry about this.
You have indicated that you use a data processor.
Even when using an external data processor, you remain responsible for your customers’ data. The data processor merely acts on your instructions as an executing body.
The GDPR requires you to ensure that the data processor implements appropriate technical and organizational measures to process data in compliance with data protection regulations.
There must be a written contract, known as a data processing agreement, between you as the data controller and the data processor.
The data processing agreement must specifically regulate the following:
If the data processor uses another service provider for data processing, they must be bound by the same obligations.
Sample data processing agreements are available at:
Many providers offer their own contracts. These are often called “Data Processing Agreement” or “Data Processing Addendum” by American companies.
3.1 You have indicated that you transfer data to service providers outside the European Union. This is only permissible under strict conditions.
3.2 The following countries have been deemed by the European Commission to provide an adequate level of data protection:
Europe:
North and South America:
Asia & Oceania:
3.3 Otherwise, data may only be transferred if guarantees for an adequate level of protection are provided, such as:
You have indicated that you have already developed procedures to provide data subjects with information about the data stored about them.
You are therefore prepared to fulfill the future right of access. Below, you will find information on what data you must provide.
You must provide the following information upon request of the data subject:
The rights and freedoms of other individuals should not be adversely affected. This includes considering trade secrets and intellectual property rights (e.g., software copyrights). These should at most result in a limitation of the information provided, not a complete refusal of an access request.
The company must provide the data subject with a copy of their data.
In the case of electronic access requests, such as via email, the information must also be provided electronically in a commonly used electronic format.
The provision of a copy must be free of charge. Charges may be imposed for additional copies to cover administrative costs.
Failure to comply with access requests can result in fines.
Further information on the right of access can be found here:
We will soon provide an online form to help you fulfill the right of access.
You have indicated that you have a procedure in place to provide data portability.
Below, you will find more information to adjust the procedure as needed.
For the right to data portability to apply, the user must have provided the data to the data controller themselves. Additionally, the collection of the data must be based on consent or a contract.
Both conditions are typically met in online commerce when a customer places an order.
The data must be provided as a data set in a structured, commonly used, and machine-readable format. Ideally, the format should be usable independently of any specific operating system. However, there is no obligation to maintain technically compatible data processing systems.
The applicant has the right to provide the data to a third party, usually the new provider. Technical measures that make this transfer difficult or impossible are prohibited.
The applicant can also request that the data set be transferred directly from the original provider to the new provider, if technically feasible.
The right to data portability is independent of the right to erasure. In particular, data necessary for the fulfillment of a contract does not need to be deleted.
Data portability can also be excluded due to legal obligations, such as performing a task in the public interest.
If the rights and freedoms of other individuals are adversely affected, data may not (fully) be transferable.
Clearly unfounded or excessive requests do not need to be complied with, nor do those where the applicant cannot be identified.
There should be no costs to the user for the transfer of data.
An exception applies only to abusive or excessive requests.
Failure to comply with data portability requests can result in fines.
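As an added illustration (not part of the original report), the following Python example shows how a controller could select the portable subset of a stored customer record according to the conditions described above: only data the subject provided themselves, only data processed on the basis of consent or a contract, and nothing that would affect another person's rights. The record, the per-field metadata keys `provided_by_subject`, `basis` and `about_third_party`, and the JSON output format are constructed assumptions.

```python
import json

# Constructed sample record. Each field carries hypothetical metadata the
# controller would need in order to decide whether it is portable.
CUSTOMER_RECORD = {
    "email": {"value": "anna@example.org", "provided_by_subject": True, "basis": "contract"},
    "shipping_address": {"value": "Musterstr. 1, 80331 München", "provided_by_subject": True, "basis": "contract"},
    "newsletter_frequency": {"value": "weekly", "provided_by_subject": True, "basis": "consent"},
    # Derived internally by the controller, not provided by the customer: not portable.
    "fraud_score": {"value": 0.12, "provided_by_subject": False, "basis": "legitimate_interest"},
    # Provided by the customer, but it is data about another person: not portable.
    "referrer_email": {"value": "bob@example.org", "provided_by_subject": True, "basis": "consent", "about_third_party": True},
    # Order data entered by the customer when placing an order under the contract.
    "orders": {"value": [{"id": "A-1", "total_eur": 49.90}], "provided_by_subject": True, "basis": "contract"},
}

# Only consent and contract qualify as legal bases for the right to data portability.
PORTABLE_BASES = {"consent", "contract"}


def portable_fields(record):
    """Return the name -> value mapping of fields covered by the right to data portability."""
    portable = {}
    for name, meta in record.items():
        if not meta.get("provided_by_subject"):
            continue  # inferred or derived data is outside the right
        if meta.get("basis") not in PORTABLE_BASES:
            continue  # other legal bases do not trigger portability
        if meta.get("about_third_party"):
            continue  # would adversely affect the rights of another person
        portable[name] = meta["value"]
    return portable


def export_portable_json(record):
    """Serialize the portable subset as JSON: structured, commonly used,
    machine-readable and independent of any particular operating system."""
    return json.dumps(portable_fields(record), ensure_ascii=False, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_portable_json(CUSTOMER_RECORD))
```

The same export can be handed to the data subject or, where technically feasible, transmitted directly to the new provider.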
Further information on the right to data portability can be found here:
You have indicated that employees who process personal data are already bound to data confidentiality.
Ensure that your employees are aware of the importance of data protection. Make it clear that all data, whether from customers, employees, suppliers, or other natural persons, must be protected and handled responsibly.
Existing works agreements must be checked for compliance with the GDPR.
It must be verified whether the processing of employee data permitted under the agreement is still permissible under the GDPR.
The fundamental principles of the GDPR should also be applied in works agreements. For example, due to the principle of data minimization, only the necessary employee data should be collected.
Special rules apply to special categories of personal data, such as those concerning racial or ethnic origin, religion, health data, and biometric data. This includes regulations on access restrictions using biometric data (e.g., fingerprint scanners).
Information obligations towards employees must also be fulfilled.
You have indicated that you already have a crisis response plan.
This plan should be updated by May 25, 2018, to comply with the new GDPR requirements.
In the event of a data protection breach, such as a server hack with access to customer data or unauthorized access by an employee, this breach and the remedial actions taken must be documented in a way that is understandable to the supervisory authorities.
Normally, the data breach must be reported without undue delay and, if possible, within 72 hours of becoming aware of it.
The reporting obligation does not apply if the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. For example, if customer data accessed through a hack is encrypted according to current technical standards, and misuse is therefore excluded.
If the risk of data misuse is high for the affected person(s), for example where credit card data was accessed or intimate details were viewed, the affected persons must also be informed. If notifying each person individually would involve disproportionate effort, a public announcement may be made instead.
Further information on handling data breaches can be found here:
https://www.infothek.com/allgemein/ds-gvo-wie-geht-man-mit-datenpannen-um
We will soon provide an online form to help you fulfill the notification obligation.
You have indicated that you already collect only the necessary data. You should also pay attention to this in future applications. Further information is provided below.
The GDPR requires the data controller (i.e., the company) to implement appropriate technical and organizational measures to effectively enforce data protection principles and protect the rights of data subjects.
In doing so, the state of the art, implementation costs, nature, scope, context, and purposes of the processing should be considered. The likelihood and severity of risks to the rights and freedoms of natural persons should also be considered.
For example, pseudonymizing data can be a method to achieve the principle of data minimization.
Companies must also ensure that, by default, personal data is processed only if it is necessary for the specific purpose.
Minimization applies to the amount of personal data, the scope of data processing, the duration of data storage, and the access third parties have to the data.
You should review all forms used, such as in the order process, contact forms, or newsletter subscription forms. For each piece of data requested, ask yourself: Do I really need this to fulfill the purpose?
If not, you should either not ask for it or make it clear that it is not a required field. It is recommended to mark all required fields with an asterisk and to note “*Required field” below the form.
A deletion concept, i.e., rules on when and how to delete data, is not mandatory but strongly recommended.
Further information can be found here:
https://www.secorvo.de/publikationen/din-leitlinie-loeschkonzept-hammer-schuler-2012.pdf
In any case, you should regularly, at least annually, review whether data is still needed and delete it if necessary. The templates in the record of processing activities provide recommended deletion periods for individual processing activities.
You have indicated that you already have a plan to regularly review the technical and organizational measures used. Thus, you already meet this requirement of the GDPR.
Under the current BDSG legal framework, consent is one of the legal bases that allows data collection.
In fact, this is currently one of the safest and most reliable methods for collecting and using data. Provided the consent has been obtained in accordance with legal requirements (no pre-checked boxes, double opt-in, logging), data usage is generally permissible.
This is currently the best approach for email marketing.
However, in some respects the GDPR's requirements for obtaining valid consent are significantly higher.
The GDPR simplifies the situation regarding the form of consent. In addition to written consent, consent can also be given by ticking a checkbox, via email, orally, or, in some cases, through browser settings. However, the company must prove that consent was given, which can be difficult for oral consent.
For consent to be valid, the user must be sufficiently informed in advance.
The GDPR requires that consent be given voluntarily. Consent linked to a contract, where the data processing being consented to is not necessary for the contract, is not considered voluntary.
Under the GDPR, consent can be withdrawn at any time with future effect.
This must be stated when obtaining consent and in the privacy policy. It must also be stated that this does not affect the legality of data processing based on consent before its withdrawal.
Overall, consent as a legal basis is significantly less attractive under the GDPR.
This is because the current legal certainty does not exist under the GDPR.
Due to the coupling prohibition and the assumption of involuntariness in cases of clear imbalance between the parties, there is always a risk that consent will be declared invalid, potentially rendering the entire data processing unlawful. Given the high fines introduced by the GDPR, this poses a real risk for companies.
Therefore, it should be examined whether data previously collected based on consent can be collected on other legal grounds (e.g., based on “legitimate interests”).