What Is True and False with GDPR? Check Your Prejudices!
The European GDPR (EU General Data Protection Regulation), aims to strengthen the control of individuals over their personal data and to encourage stakeholders to play an active role in monitoring compliance with the processing of such data “accountability”. The protection of personal data is also a way for companies to strengthen the trust they place in their customers, partners and employees in an increasingly digital environment, and to possibly force competitors from privacy low level EU countries out of the running.
The main impact of GDPR? Ignoring users’ rights/ the rules of GDPR will be much more expensive in the future; up to 4% of ww turnover or EUR 20million. And the chances of it being noticed are increasing.
Join Sybille Boese-Tarsia, an expert in privacy law, and follow her ‘quiz’ on GDPR, where you can test some of your prejudices about the changes occuring.
The GDPR does not affect me if I have already anonymised the personal data.
TRUE: The GDPR does not apply to anonymised data. CAUTION, because the GDPR refers to “pseudonymised” data that can be used to identify a person through a series of cross-checks. Anonymisation presupposes that the identification of the individual becomes impossible or difficult (taking into account the costs, the time or the available technology).
The GDPR is not my concern if I only have paper files.
FALSE: The GDPR applies to fully or partially automated processing, but also to files that are not automated at all and consist of a structured data record (customer or patient files, e.g., handwritten list of defaulting payers, etc.).
The customer’s consent is always required before data can be retrieved.
FALSE: It is possible to collect, use and process personal data if the person has consented to the processing of their personal data, but also if the processing is necessary to fulfil a contract (in which the person is involved) or to fulfil a legal obligation to which the responsible person is subject, the protection of a person’s vital interests (e.g. in emergencies), the performance of a task of public interest or the pursuit of the legitimate interest of the responsible person or the subcontractor (unless this is contrary to the interests of the persons concerned).
GDPR does not apply to me if I have less than 250 employees.
FALSE: There is no threshold. The GDPR concerns all organisations (i.e. companies, associations, trade associations, trade unions, political parties, public authorities, etc.) and all companies (start-ups, small and medium-sized enterprises, large companies, international groups). Not all smaller organisations (less than 250 employees) are subject to all obligations, e.g. appointment of a Data Protection Officer, DPO.
I must obtain the employee’s/employee’s consent to the processing of his/her personal data.
FALSE: The processing of an employee’s personal data is necessary for the execution of the employment contract. The employee’s consent is therefore not required, however, for data that is not directly related to the employment contract but are necessary to receive benefits for the employee, such as number of children, age of children, etc., the data can only be collected with the employee’s prior consent.
In general, I am responsible for what my subcontractors/processors do with the data I entrust to them.
TRUE: The company is responsible for processing the personal data it collects or uses. On the other hand, when entrusting the management or processing of this data to third parties (partners, external service providers or subcontractors), these third parties may be regarded as subcontractors/processors within the meaning of the GDPR. Parties should therefore provide for a contract or contractual clauses governing the relationship between the undertaking responsible for processing and processors (“subcontractors”) in relation to personal data (or concluded in a new or modified form). In addition, depending on their role, these third parties may also be regarded as co-responsible for the controlling and thus have the same obligations with regard to the processing of personal data and share the liabilities with the responsible company /controller. The subcontractor is subject to certain obligations of the GDPR (designation of a DPO, to keep records of processing activities, safety, documentation of its activities in particular).
I can entrust the processing of my company’s personal data to a provider/processor outside the European Union.
TRUE: It is possible to choose a non-European partner or a service provider. However, this is a transfer of personal data outside the European Union. It is therefore necessary to check the country of establishment of the processor or subcontractor and the possibility of transferring the data to that country. In fact, the transfer is only possible if: there is an international agreement (e.g. Privacy Shield for the USA), or if there are established company BCRs (Binding Corporate Rules: binding corporate rules that are only used within a group of companies) that have been validated by the Data Privacy Authority, or agreed EU Standard Clauses with the processor.
In the specific case I store my data in a cloud, it is imperative that I find out where the servers are installed.
TRUE: The use of the cloud is considered as the transfer of personal data if the cloud operator is in the EU but the servers are outside the European Union. In this case, the company must: agree on the EU Standard Clauses in writing, or set up BCR’s (if it is a transfer to a company in the same group) or check the existence of an international agreement (e.g. Privacy Shield in the USA), or obtain the express consent of the parties concerned beforehand.
For example: ” Slack “, which, like all tools used by US providers, especially for its US messenger service, is now under scrutiny under the GDPR . Slack is not yet GDPR compliant.
Among other things, functions for exporting customer data and extended functions for managing access rights of administrators and users are still missing.
However, according to data protection experts, start ups do not have to worry about continued use. According to the company, the tools are already in work. Slack is expected to meet all the necessary requirements of the GDPR by the deadline.
If a DPO is appointed, she/he is responsible for non-compliance with GDPR in the processing of personal data.
FALSE: The DPO’s task is to monitor processing operations and advise the company on the protection of personal data. He/she must therefore be linked as quickly as possible to any (new) project containing such data. However, he/she is not liable for non-compliance with the processing operation for which the company and its representative are solely responsible. On the other hand, it is possible to initiate disciplinary proceedings under employment law in the event of serious misconduct on the part of the DPO if the DPO has been named within the company; his/her liability insurance applies to an external DPO.
Particular attention shall be paid to the processing of personal data which may pose a high risk to the rights and freedoms of data subjects.
TRUE: If processing involves high risks for the rights and freedoms of the data subjects, a data protection impact assessment is compulsory before the introduction of the concerned software/electronic measure. This document, which must be sent to the Data Protection Authority in certain cases, contains a detailed description of the processing operation concerned and the measures planned by the company to limit the risks.
If the impact assessment reveals a high risk to human rights and freedoms, I must consult the Data Protection Authority.
TRUE: The Data Protection Authority must respond to the measures within a maximum period of 8 weeks and be guaranteed that the person responsible for monitoring intends to implement them. At the end of this period, the Data Protection Authority may decide to approve the processing operation, impose additional measures or restrict or suspend the processing operation.
To protect personal data, I can simply use antivirus and firewalls.
FALSE: The use of anti-virus or firewalls alone is not sufficient for the company’s security obligations under the GDPR. Other security measures, such as the use of passwords or access codes, encryption or the division of access rights, must be introduced. On the other hand, it must be ensured that an up-to-date virus protection or firewall is used. One of the first measures recommended by data protection authorities is to ensure that the IT systems and software already in use are updated.
The first of the security measures to be taken is to secure physical access to the premises, especially if you have paper files containing personal data, such as personnel files. Sites or furniture must be closed, a video surveillance system or an access control system installed.
In the event of a security incident affecting personal data, I must notify the Data Protection Authority.
TRUE: In the event of a security-related event (e.g. unauthorised access, data leakage or data loss) that could pose a threat to the rights of the persons concerned (e.g. loss of access to bank data), the DPO or the company manager must notify the Data Protection Authority. This notification must be made within 72 hours of the discovery of the incident, i.e. from the time when the person responsible is certain that a security breach has occurred on his or her computer systems and that personal data is involved.
Sybille Boese-Tarsia
Managing Partner
Nickisch-Rosenegkstrasse 9
D-14129 Berlin
Telephone: +49 30 804 03 588
About Sybille Boese-Tarsia and her firm
Sybille Boese-Tarsia, headquartered in Berlin, works pragmatically, solution-oriented and tries to discourage legal disputes – often in advance by sensitizing and training clients in the course of legal advice. As a successful lawyer, I look after German, French, Italian and Anglo-Saxon clients in the areas following website together with my team at the law office in Berlin.
