Kalendereintrag 25.05 für das Inkrafttreten der neuen Datenschutzverordnung

6 Questions and Answers on the General Data Protection Regulation (GDPR)

The protection of sensitive data is essential in everyday business life. Every day, confidential and personal data are processed in both digital and printed form. In order to modernize data protection law and to standardize Europe-wide, the General Data Protection Regulation (DSGVO) was created, which will enter into force on 25 May 2018. Many provisions of the previously applicable German Federal Data Protection Act will be expanded and tightened. Violations of data protection can then be significantly more expensive than before. We have summarized in 6 questions and answers which changes the new data protection law brings with it.

1. When does the European Data Protection Regulation (GDPR) come into force?

On 25 May 2018, the transitional period of the new European Data Protection Regulation will expire. For small businesses, businesses, authorities and associations, this means that the provisions of the new regulation must enter into force and be implemented. In April 2016, the regulation was officially proclaimed "Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data, on the free movement of data and repealing Directive 95/46 / EC" by the EU Council of Ministers and the European Parliament decided to standardize data protection in Europe and adapt it to the Internet age.

The regulation aims to ensure that the privacy of personal data is guaranteed and uniformly regulated in Europe. The new specifications are not completely new. They build on previous directives and national laws of the respective countries for data protection. In Germany, for example, the German Federal Data Protection Act applied before the DSGVO.

2. What changes in privacy?

Especially in the transparency and information duty there are innovations. Companies that process personal data are required to provide information about what happens to data and why it is used. Personal data includes, for example, the name, address, and banking and health information. The use of data is only allowed if it is needed immediately. For example, for sending newsletters that require the input of an e-mail address. The DSGVO provides no information on the destruction of data carriers with shredders. However, this is where the DIN 66399 comes in, which defines the secure destruction of data using shredders.

Other examples of privacy changes include:

  • Contact forms or web forms that enter personal information must be encrypted
  • Only data that is directly required may be requested - for newsletters the consent of the addressee is necessary
  • If data reach unauthorized persons, there is an early obligation to report to the responsible data protection authority and a duty to inform those affected
  • The use of the data must be created in a processing directory in order to provide evidence of the activities
  • Affected persons can inform themselves about which personal data is collected for which purpose and which can be deleted or removed on request
Laptop mit Ansicht von Daten

3. Who is affected by the General Data Protection Regulation?

Data controllers and data processors are affected by the General Data Protection Regulation. Anyone working with data must be able to justify why and why personal data is being used. If the data is used in cooperation with data processing companies, they must also implement the GDPR. This is the case, for example, when collecting data for evaluating the online activities of users and providing them from a data-processed company (for example, analysis tools, newsletter providers).

4. Does the General Data Protection Regulation provide for a data protection officer for companies?

Almost all companies that process personal data automatically require a data protection officer according to Article 37 of the GDPR. Personal data includes, for example, names, e-mail addresses, account information and customer locations. Only companies with fewer than 10 employees working with personal data do not need a data protection officer. From May 25, the data protection officer's contact details will need to be made available to employees, for example on the intranet, as well as on the company's website when processing customer data. In addition, the responsible state data protection authority, which turns on in the event of data breaches, must receive the contact data.

Papierdaten müssen sicher aufbewahrt werden.

5. Are processes needed for data protection?

In addition to the employment of a data protection officer, processes and technology should also be reviewed. Many online tools now offer updated terms of service and contract data processing contracts that should be completed between data controllers and data processors. It is recommended that companies, together with the Data Protection Officer, adapt and optimize responsibilities, processes and strategies to ensure privacy. For example, it should be regulated when data must be deleted or what the safe handling of paper documents looks like.

6. What is a processing directory?

Anyone working with data must in future create a processing directory in accordance with Article 30 of the General Data Protection Regulation. Which points need to be included in the processing directory, you can read in the General Data Protection Regulation. Essentially, the following information is in the directory:

  • Information on the name, the contact details of the responsible person and, if available, the data of a representative and the data protection officer
  • Information on the purpose of the data use
  • Information on categories of affected persons
  • Information on categories of personal data
  • Information on categories of recipients of the data
  • Information about the transfer of personal data to third countries
  • Deadlines for deleting the data categories

Privacy is always important

The innovations introduced by the General Data Protection Regulation show that companies should take data protection seriously and should ideally seek the assistance of a data protection officer. Data protection does not only refer to electronic data but also to data contained on data media such as paper or CDs. What aspects of data protection in the company still have to be considered and how important the correct document shredder for the secure destruction of data media is, we have summarized in the article Data protection has always the highest priority.


* This article does not constitute legal advice and is not exhaustive.