Foreign Laws Matter

Decoder by Tran, Zimo, D&H


The 10 most frequently asked questions about the GDPR

Published by Dr. Andreas Kaiser on 07.03.2018

  1. Privacy Policy: Does our website need a new privacy policy?

    Every operator of a website has a duty to inform the users of the website about the processing of their personal data. Personal data is processed where the operator lets users contact him or her via a contact form or email, sets cookies, or uses tools that analyse user behaviour. The mere accessibility of a website does not normally require a privacy policy. However, an operator who is able to identify visitors by their IP addresses, which are usually stored in log files on the server together with unique identifiers and other information the server receives, processes personal data and must inform the visitor. A privacy policy informs the user of a website about the kind, scope and purpose of the collection and use of personal data. It must be complete, easy to understand and accessible on the website.
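    The IP addresses in server log files mentioned above are the most common way a website operator processes personal data without meaning to. One technical measure is to mask the client address before the log line is retained. The following Python script is an added example, not code from the original page or from its authors: it rewrites the client-address field of Apache/nginx "combined" access-log lines, either by truncating the address (IPv4 to a /24, IPv6 to a /48, so the host part is zeroed) or, where an operator needs to count distinct visitors without storing the address, by replacing it with a keyed HMAC pseudonym. The sample log lines, the key and the prefix lengths are constructed for the example; the unparsable third line shows how a field that is not an IP address (e.g. a resolved hostname) is dropped instead of kept.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample in Apache/nginx "combined" log format (RFC 5737 / RFC 3849
# documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [07/Mar/2018:10:15:32 +0100] "GET /kontakt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [07/Mar/2018:10:15:40 +0100] "POST /newsletter HTTP/1.1" 302 0 "-" "curl/7.58"
not-an-ip - - [07/Mar/2018:10:16:01 +0100] "GET / HTTP/1.1" 200 1024 "-" "-"
"""

# Hypothetical secret for pseudonymisation; in practice load it from a secret
# store and rotate it so that tokens from different periods cannot be linked.
EXAMPLE_KEY = b"rotate-me-every-month"

# First whitespace-delimited field is the client address; everything else is kept as-is.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")


def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host bits of an address. Returns None if the field is not an IP address.

    /24 and /48 are common choices; shorter prefixes remove more identifying
    information at the cost of geolocation/abuse-analysis precision.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_ip(ip_text, key):
    """Replace an address with a keyed HMAC-SHA256 token.

    The same address yields the same token while the key is unchanged, so unique
    visitors can still be counted; without the key the address cannot be recovered.
    An unkeyed hash would not do: the IPv4 space is small enough to brute-force.
    """
    mac = hmac.new(key, ip_text.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip:" + mac[:16]


def anonymize_line(line, key=None):
    """Rewrite the client-address field of one combined-format log line."""
    match = _LINE_RE.match(line)
    if not match:
        return line
    ip_text = match.group("ip")
    if truncate_ip(ip_text) is None:
        # Not an address (e.g. a resolved hostname): drop the field rather than
        # keep a value that may identify the visitor directly.
        return "-" + match.group("rest")
    if key is not None:
        replacement = pseudonymize_ip(ip_text, key)
    else:
        replacement = truncate_ip(ip_text)
    return replacement + match.group("rest")


def anonymize_log(text, key=None):
    """Apply anonymize_line to every line of a log file's contents."""
    return "\n".join(anonymize_line(line, key) for line in text.splitlines())


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG))
    print(anonymize_log(SAMPLE_LOG, key=EXAMPLE_KEY))
```

    A post-processing script like this only helps if it runs before the unmasked file is retained or shipped; where the web server itself can rewrite the address (e.g. an nginx `map` on `$remote_addr` used in the log format), that is the better place, and the script then serves to verify the server's output.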

  2. Cookies and Tracking: What are the changes with cookies? Can we continue to use tracking tools?

    The GDPR does not specifically address cookies. A cookie is a small piece of data that a website asks the user's browser to store on the user's computer or mobile device. It allows the website operator to recognise the user's actions or preferences over time. The e-Privacy Directive already requires the website operator to obtain the user's consent to most cookies before the website starts to use them. Some cookies are exempt from this requirement, in particular those strictly necessary to provide a service the user has explicitly requested.

    Data protection authorities require an order data processing agreement with Google for the use of Google Analytics. The GDPR will force changes to tracking tools in some respects, but it remains to be seen how Google and other providers change their products, update their policies and implement further operational changes by 25 May 2018. The entry into force of the proposed e-Privacy Regulation would simplify the provisions on cookies and similar tracking technologies.

  3. Newsletter and Consents: Can we continue to send newsletters or marketing material to existing customers? What about new marketing campaigns?

    The GDPR also applies to data gathered before 25 May 2018. You therefore have to verify, for each existing customer, that you hold a clear authorization to send email marketing and that this consent is clearly documented. Where a record is missing or ambiguous, you have to obtain new, express consent from those contacts before sending them further email marketing.

    Marketing campaigns directed at potential customers without their consent, such as unsolicited electronic communications (spam) by email, SMS or automated calling machines, are banned in principle.

  4. Records of Processing Activities: Do we need records of processing activities? Which contents shall these records contain?

    An organisation employing fewer than 250 persons need not maintain the Records of Processing Activities ("Processing Records") otherwise required by the GDPR, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

    Processing Records shall be maintained by controllers and processors to demonstrate compliance with the GDPR. The Processing Records maintained by the controller shall contain (1) the name and contact details of the controller and, if any, the joint controller, the controller's representative and the data protection officer; (2) the purposes of the processing; (3) a description of the categories of data subjects and of the categories of personal data; (4) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries; (5) where necessary, the documentation of suitable safeguards for transfers to third countries; (6) the envisaged time limits for erasure of the different categories of data; (7) a general description of the technical and organisational security measures.

    The Processing Records of each processor and, where applicable, the processor's representative shall contain all categories of processing activities carried out on behalf of a controller, including: (1) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative and the data protection officer; (2) the categories of processing carried out on behalf of each controller; (3) any transfers of personal data to a third country; (4) documentation of any suitable safeguards; (5) a general description of the technical and organisational security measures.

  5. Data Protection Officer: Do we need a DPO in the future? Can the position be filled internally? What qualifications must the DPO have?

    A controller and a processor need a DPO in any case where: (1) the processing is carried out by a public authority or body, except courts acting in their judicial capacity; or (2) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (3) the core activities of the controller or the processor consist of processing on a large scale of the special categories of data mentioned in the GDPR. "Large scale" is not defined by the GDPR; the Article 29 Working Party's guidelines on DPOs clarify that account has to be taken of the number of data subjects concerned, the volume of data and/or the range of different data items being processed, the duration or permanence of the processing, and its geographical extent.

    The DPO may be a staff member of the controller or the processor (internal DPO). The function can also be exercised on the basis of a service contract concluded with an individual or an organisation. The DPO shall have expert knowledge of data protection law and practices and the ability to fulfil his or her tasks professionally, and must be provided with the resources necessary to carry out those tasks.

  6. Order Data Processing: With whom must an ODP agreement be concluded? What changes in the content of the ODP agreement?

    When entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which meet the requirements of the GDPR. Processing by a processor must be governed by an ODP agreement or another legal act under Union or Member State law. The GDPR prescribes the minimum content of such an agreement: the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the processor's obligations to process only on the controller's documented instructions, to bind its staff to confidentiality, to implement appropriate security measures, to engage sub-processors only with the controller's authorisation, to assist the controller with data subject requests and breach notifications, to delete or return the data at the end of the service, and to make available all information needed to demonstrate compliance, including audits. The controller and processor may use an individual contract or standard contractual clauses adopted either directly by the Commission or by a supervisory authority. Existing ODP agreements need revision to make sure they meet these requirements.

  7. Employee Data: What changes are there when dealing with employee data? Are there any effects on employment contracts?

    Employers are advised to review their current data protection policies with regard to employees, existing employment contracts, employee handbooks and employment practices. The GDPR requires full transparency over the nature of employee data processing: the data collected, the purposes for which it is used and where it is processed. Where consent has been relied on to justify processing of employee data, confirm that such consent still exists and make sure this is recorded.

    The GDPR contains an opening clause that allows Member States, in national law or in collective agreements including 'works agreements', to provide for more specific rules on the processing of employees' personal data in the employment context, in deviation from or in addition to the GDPR requirements. One such national rule is Sec. 26 (3) of the German Federal Data Protection Act, which allows the processing of certain categories of sensitive data in an employment relationship.

  8. Data Protection for Minors: What new regulations are there if the target group are children and adolescents? How do we implement these provisions?

    Given that children merit specific protection, any information and communication, where processing is addressed to a child, must be in such a clear and plain language that the child can easily understand.

    Where the processing is based on consent and concerns the offer of information society services (e.g. online services) directly to a child, the processing is lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for these purposes, provided that it is not below 13 years. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility, taking into consideration available technology. The GDPR does not affect the general contract law of Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

  9. Right to Access and Communication Duty: Which data protection policies must be presented on request to whom? When do we have to inform data subjects and supervisory authorities about data breaches?

    A data subject has the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, such considerations should not result in a refusal to provide all information to the data subject.

    The controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must in addition communicate it to the affected data subjects without undue delay, so that they can take the necessary precautions; this should be done in close cooperation with the supervisory authority.

  10. Corrective Powers and Penalties: How can data protection violations be sanctioned?

    A supervisory authority has a variety of corrective powers addressed to a controller or processor, such as warnings, reprimands and compliance and correction orders. Furthermore, the Supervisory Authority can order the controller to communicate a personal data breach to the data subject, impose a temporary or definitive limitation including a ban on processing, order the rectification or erasure of personal data or restriction of processing, withdraw a certification and may order the suspension of data flows to a recipient in a third country or to an international organisation.

    Penalties including administrative fines may be imposed for any infringement of the GDPR, in addition to or instead of corrective measures. Administrative fines may amount to up to 20,000,000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, Member States may have rules in place on criminal penalties for infringements of the GDPR.

    In the case of a minor infringement, or if a fine would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. When deciding whether to impose a fine and its amount, due regard is given to the nature, gravity and duration of the infringement, its intentional or negligent character, actions taken to mitigate the damage suffered, the degree of responsibility, any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures previously ordered against the controller or processor, adherence to a code of conduct, and any other aggravating or mitigating factor.


Last modified on: 14.03.2018 at 19:25