Data protection basics according to GDPR
The digital age not only brings numerous innovations and conveniences, it also poses new challenges for authorities, companies and all people. In the past, personal data could only be found in the telephone book or in internal company registers, but thanks to the World Wide Web, this information can be distributed across all continents within a very short time. At the same time, a large part of the population is not even aware of how much about them is actually already circulating online.
Starting with various online purchases, the entry of bank details, dates of birth and up to the personal taste in music. All of this data could be used to draw a very precise profile. Since people are unfortunately still quite careless with their own data, the topic is gaining in importance. data protection increasingly becoming a priority.
Because if sensitive data such as bank information etc. falls into the hands of unauthorised third parties, the damage is usually not far away. Data protection stipulates that exactly this does not happen. In Germany and many other European countries, data protection stipulates by General Data Protection Regulation (abbreviated to GDPR) stipulates that every responsible citizen may decide for themselves where and for what purposes their personal data may be used.
Data protection definition
In society we read very often about data protection, but what is behind this term? The Privacy definition circumscribes the protection against improper processing of personal data and grants the protection of the privacy of data subjects.
The General Data Protection Regulation, which came into force on 25 May 2018, is intended to safeguard the fundamental right to informational self-determination. This means that individuals themselves determine how their data is handled and who may receive what information. Based on the right to informational self-determination, the GDPR regulates the collection, use, storage and disclosure of personal data.
What are the data protection laws?
The Federal Data Protection Act (short BDSG.) is a central data protection law in Germany, which regulates data protection at national level when the GDPR grants a certain leeway in the implementation of data protection through opening clauses. It serves to supplement and concretise the GDPR and only intervenes with its specific provisions if the GDPR cannot be applied.
The Telemedia Act (TMG for short) is a central law in the field of internet law and the most important legal provision since the Telemedia Service and the Interstate Treaty on Media Services ceased to be in force. It contains regulations and obligations for providers of telemedia. This includes electronic information and communication services that are not subject to the Interstate Broadcasting Treaty or the Telecommunications Act. In general, the regulations apply to private, public or commercial providers of telemedia. One example of the obligations written into the TMG is the obligation to provide an imprint.
What is the point of data protection or why is data protection so important?
Technological advances bring with them not only unimagined opportunities, but also many unimagined dangers. For example, websites collect data from users without their necessarily knowing it. This data can be very valuable for personal or economic reasons.
The processing of data on the Internet carries the risk of unauthorised persons gaining access to it. To protect customers from data misuse, but also to protect your company from attackers and fines, you should ensure that personal data is processed in compliance with the GDPR and is optimally protected.
How do consumers benefit from data protection?
Data protection obliges companies to treat customer data etc. with care. In doing so, data protection offers additional options for individuals, especially since the introduction of the GDPR. If your data in a directory is no longer up-to-date or incorrect, or if you do not want your personal data to continue to be stored in an online shop, this has now been explicitly regulated in the GDPR. By means of a request for information, various companies and service providers must hand over all of a person's stored data and process or delete it upon request.
Are there industry-specific differences in data protection?
At the latest since the introduction of the GDPR, there has been a uniform regulation on data protection. Anyone who works with personal data within the European Union will find regulations and obligations in the GDPR that must be followed. In addition, there may be special legal bases for certain industries that must be observed. Likewise, the GDPR applies to sellers from non-EU countries (so-called third countries) as soon as the customer is from the European Union.
Regular checks and inspections
Unfortunately, it is often difficult for the average consumer to understand to what extent companies in reality comply with their obligations in terms of data protection. For this reason, so-called "data protection data protection supervisory authorities which carries out such checks and investigates possible violations in the event of suspicious circumstances. In Germany, in addition to the Federal Commissioner for Data Protection and Information Security, there is a State Data Protection Commissioner for each federal state. In total, Germany has 17 supervisory authorities for data protection.
Companies of all sizes - from micro-enterprises to large corporations - are required to have a data protection documentation in accordance with the GDPR and, in the event of an inspection by the supervisory authorities, be able to demonstrate this. Therefore, it is recommended to select a person in the company, regardless of whether this is mandatory due to the size of the company, who takes care of data protection issues of all kinds.
What is the cost of a data breach?
Ask yourself the question, are you in any way involved with personal data?The answer to this question is yes, then you are obliged to implement this data protection in accordance with the regulations. If the answer to this question is yes, then you are obliged to implement this data protection according to the regulations. Due to the high penalties for data protection violations, you should take care of these issues in a timely manner. The General Data Protection Regulation provides for data protection violations fines are provided for. These can amount to up to 20 million euros or 4% of a company's global annual turnover, whichever is higher. However, prison sentences of up to 3 years are also possible if the data protection provisions are violated.
Who is liable for breaches of the Data Protection Act?
Many companies order a so-called Data Protection Officer and leave the topic behind from now on. However, such behavior does not relieve the company of liability in the event of damage. This is because the appointment as data protection officer does not necessarily mean the complete assumption of liability. In the case of simple violations, the managing director or another manager will still be held responsible.
The data protection officer or another employee can only be held accountable if intentional or grossly negligent conduct in the handling of personal data can be proven. As an entrepreneur, you are therefore always well advised to check for yourself from time to time whether the data protection provisions are being complied with in your company in the best possible way.
What is the difference between data protection and data security?
The difference between data protection and data security is that data protection is limited to informational self-determination and the protection of privacy. The focus is on personal data. In contrast, data security is broader and concerns all types of data that must be protected against unauthorised access, misuse and loss. The means for these measures are regulated in the TOM, for example pseudonymisation. Data protection and data security can be summarised with the following questions:
- Data protection: May individual-related data collected and processed?
- Data security: What are the best measures to protect data from unauthorised access?