
Spring cleaning in data protection: “must-haves” for corporate practice

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner, LL.M.

Salary Partner, Attorney at Law


We would like to use the end of the usually changeable month of April to remind you of the traditional “spring cleaning”. As experts in law and technology, however, we are less concerned with the cleanliness of your windows or the order in your archive. We would like to encourage you to spring-clean your data protection management. Below we summarize the measures you should take to meet the essential requirements of data protection law and thus avoid liability and fines in the rest of the year.

Personal data

The most important basis of data protection law is often overlooked: its scope of application. Data protection rules only ever apply to personal data, i.e. information that allows a direct or indirect conclusion to be drawn about the natural person behind it. Only the processing of such information outside a purely personal or household context triggers the obligations of data protection law. Conversely, data that relates solely to a company as a legal entity (e.g. its turnover or registered address) is not personal data and does not require data protection measures. Note, however, that the name, e-mail address or telephone number of a contact person at a customer or supplier is personal data, even in a purely business context.

Data Protection Officer

Apart from a few exceptional cases, companies in which 20 or more persons are regularly engaged in the automated processing of personal data are obliged to appoint a data protection officer in accordance with Section 38 BDSG. Although employees must be involved in data processing in order to be counted, it is usually sufficient for them to have their own e-mail inbox.

The data protection officer must not monitor processing operations for which he or she is responsible, as this would be a conflict of interests. As a result, members of senior management and heads of departments such as IT, HR or marketing are generally not eligible for this position.

Incidentally, the employee threshold is somewhat deceptive. Every company, even with just one employee, must comply with all data protection regulations; the threshold only determines whether a data protection officer must be appointed. For this reason, it is often a good idea to use an external data protection officer who relieves you of the burden of dealing with this complex regulatory matter.

Cornerstones of data protection law

The cornerstones of data protection law are the “prohibition subject to permission” (processing is prohibited unless a legal basis permits it), “purpose limitation”, “data minimization”, “confidentiality and integrity” and the “transparency requirement”.

Accordingly, personal data may only be processed on a legal basis (e.g. consent). In practice, the most common basis for overcoming the fundamental prohibition is the performance of a contract pursuant to Art. 6 para. 1 letter b) GDPR. This also covers steps prior to entering into a contract (an offer letter) and steps in performing it (a reminder letter). Processing can also be based on the legitimate interests of the controller pursuant to Art. 6 para. 1 letter f) GDPR, but this requires a documented balancing of those interests against the interests and fundamental rights of the data subject.

The processing may then only be carried out for the purpose defined at the outset and may only involve the minimum of data necessary for that purpose. If so, the requirements of purpose limitation and data minimization are also met.

In addition to data security (confidentiality and integrity), transparency in the handling of data must also be guaranteed.

Suitable and appropriate technical and organizational measures must be taken in accordance with Art. 32 GDPR at all times in order to protect the confidentiality and integrity of the data (Art. 32 GDPR also names the availability and resilience of the processing systems). In addition to authorization and deletion concepts, simple measures can also be considered to protect data from damage or misuse. These can be organizational measures such as a fire extinguisher in the server room or a key plan, but also technical measures such as password protection or virus scanners. Which measures are “appropriate” depends on the risk of the processing, so the choice should be documented together with the reasoning behind it.

The transparency requirement also leads to far-reaching information and documentation obligations. Processing operations must be documented in a record of processing activities pursuant to Art. 30 GDPR, and the data subject must be informed about the processing in accordance with Art. 13 and 14 GDPR. Online this is usually done via a privacy policy, offline via an information document.

Must-haves in data protection

So if you process personal data, there are a few must-haves to consider for your spring cleaning in data protection management. They are summarized below as questions that you should ask yourself about your company:

  • Do you need a data protection officer?
  • Is your data processing covered by a legal basis?
  • Have you introduced suitable technical and organizational measures to protect the data?
  • Have the data subjects been informed about the data processing?
  • Have you documented the processing in a record of processing activities?

Conclusion

If you take the annual spring clean as an opportunity to review your data protection management regularly, nothing stands in the way of successful data protection management. Always make sure that the must-haves above are in place so that you are not exposed to the risk of fines or liability.
