We are currently experiencing it first-hand: relocating a company is associated with a great deal of anticipation, but also poses many challenges. This is a process that is not at all uncommon for many companies and therefore also provides an opportunity for current consideration.
We shed light on circumstances that are relevant under data protection law not only for relocations – but also in general – for the infrastructure in the company.
Internal and external communication
After you have informed employees and, if applicable, the works council or staff representatives about the company move, you should also inform customers and business partners about the change of address. This can of course be done passively via references in the signature of e-mails or the letterhead. However, general reports are also conceivable, for example on the website.
Direct information letters to customers – possibly also in connection with advertising service offers – must be examined more closely under data protection law. The latter are not unproblematic, especially when using electronic commerce. § Section 7 of the German Act against Unfair Competition (UWG ) only permits advertising by “electronic mail” for similar goods or services in exceptional cases if the customer has been informed about the use of the address as an advertising address and has not objected. Under data protection law, such promotional use of the contact person’s data usually also constitutes an impermissible change of purpose. However, a simple reference to a change of location would be permissible under competition and data protection law without consent within the framework of the existing communication channels. After all, it is necessary to know the new address of the contractual partner in order to maintain the contractual relationship.
In addition to information in the commercial register and on business letters, the information in the privacy policy, imprint and customer information must also be updated. Otherwise, the legal requirements will not be met, which can lead to fines.
Organizational measures for relocation
The security of personal data must also be ensured for the move itself, taking into account the state of the art, the implementation costs and the nature, scope and circumstances of the data processing. The purposes of the processing as well as a different probability of occurrence and the severity of the risk to the rights and freedoms of natural persons for appropriate technical and organizational measures must also be taken into account.
The existing data must also be secure during the move. This starts with proper data backup, continues with organizational measures such as neatly labeling the moving boxes and ends at the earliest with careful restoration in the new office. In terms of data protection law, it depends on the overall security measures. There is no legally prescribed catalog of individual measures.
It is also important to select a suitable removal company that has ideally been trained in data protection law and uses secure, possibly sealed transport containers. On-site instruction of the removal company should then be supervised by expert personnel so that no documents are lost.
Technical measures in the new office building
In the digital age, data security in the new office building is particularly relevant. Art. 32 of the General Data Protection Regulation (GDPR ) requires both organizational and technical measures to protect data. The more sensitive the data, the higher the standard to be applied for the level of data protection.
The first thing to think about is restricting access. Only authorized persons should be granted access to non-public areas of the building. Any video surveillance systems are subject to data protection law in accordance with the Artt. 12 ff. GDPR to teach. Often, a data protection impact assessment even has to be documented for this. Individual sensitive areas such as server rooms or the accounts department should also be subject to separate access restrictions. This can be achieved using simple locking systems.
The heart of a modern commercial property, the IT department, must be up to date accordingly. Not only the safety technology should have reserves, but also the performance capacity. This is because data protection law must also ensure that faults, errors and data loss are avoided.
Your data protection officer is moving
As your data protection officer, we are moving. This means little effort on your part. We will successively adapt all your documents in order to keep your administrative workload to a minimum. Of course, our new address has already been registered with the relevant data protection authority.
If, for example, you would like to update your privacy policy now, you will find Schneiders & Behrendt PartmbB and ADLEX GmbH at their new home at Gerard-Mortier-Platz 6, 44793 Bochum.
We look forward to your visit!
