A data protection breach rarely comes alone – and on 25.5.2018 the GDPR
A must for all companies that come into contact with personal data: preparing for the new rules of the GDPR.
Violations may result in fines of up to € 20,000,000 or up to 4 % of the total annual turnover achieved worldwide and Warning letters and Injunctions by consumer associations and competitors.
We will show you a overview about the new regulations and 16 points, that you have to observe.
1. general, goals, principles
You will learn everything about the objectives and principles of the Regulation, e.g. protection of personal data and free movement of personal data.
2. the core of the GDPR: What is personal data?
What many do not know: Any kind of information about a natural person can be a personal data. This applies, for example, to the color of one’s hair, information about which hairdresser one goes to, and the date of the last haircut.
3. processing prohibition with permission reservation
In principle, the GDPR prohibits the processing of personal data. An exception is only made to this prohibition insofar as the processing of personal data serves the fulfillment of a contract or pre-contractual measures, as long as this is done at the request of the person concerned, or consent is given.
4. technical data privacy
According to Art. 24 DSGVO you have to ensure data protection by technical and organizational measures.
5. documentation requirements
From now on, you must document all your data processing activities. If applicable, you may be required to prove that you have complied with the requirements of the GDPR (accountability obligation).
6. big data analytics
In the future, you will generally require consent for Big Data analytics.
7. are there any commissioned data processors (CDP)?
What is new is that the GDPR already prescribes certain content requirements for the contract between you and any CDP.
8. is a data protection officer (DPO) necessary?
The requirements for the appointment of a data protection officer change significantly as a result of the GDPR.
9. the information requirements / the privacy policy
With the GDPR, the information obligations for entrepreneurs are significantly expanded.
10. the right to be forgotten
The right to be forgotten is a new feature of the GDPR. Under certain conditions, all data of the data subject must be deleted.
11. the right to data portability
Users can now take their data from your company with them when they move to another company.
12. data transfer to a third country
With regard to cross-border data transfer to a third country, there are a few points to consider.
13. the obligation to report data breaches
Any breach of the protection of personal data must be reported to the supervisory authority within a period of 72 hours.
14. the one-stop store principle
If cross-border data processing occurs in your company, you no longer have to deal with several data protection authorities. Thanks to the one-stop-shop principle, only the lead supervisory authority is your contact.
15. special obligations for employers / employee data protection
With regard to employee data protection, the GDPR contains an opening clause that allows member states to create their own statutory regulation.
16. consequences of violations
Violations may result in fines of up to €20,000,000 or up to 4% of total annual global sales, as well as warnings and injunctions from consumer associations and competitors.
