Run through the following 12 questions to find out if you are knowledgeable with German data protection law and obligations today.
1 – Do you know ?
That the framework of the German data protection can be found in article 2 of BDSG , Art 2 of the German Constitution, Art 8 of the Charter of Fundamental Rights of the EU. ? Data protection is therefore one of the fundamental rights of each individual.
BUT: Law-specific rules ( eg labor law telecommunication law, criminal law, etc..) take precedence over the BDSG (article 1 (3) BDSG .
2 – Do I have to appoint a data protection officer (external/internal) for my company size or because of my company activity?
Companies that regularly and automatically process personal data of at least 10 people/employees on a regular basis must appoint a data protection officer in writing (by no later than one month after commencement of their activities)”, article 4 (f) BDSG.
EXCEPTION: The collection of personal data takes place exclusively for personal or family purposes (article 4 (e) BDSG).
The obligation to appoint a DSB (i. e. irrespective of the number of employees) continues to apply “if processing is subject to prior control”.
Do I work with Big Data?
Then I have to appoint a DSB, because Big Data facilitates a particularly high risk potential by merging different data into large amounts of data, which potentially leads to the abolition of anonymity and also leads to a reduction in the risk of data loss. clashes with the imperative of data minimisation and earmarking, transparency and the obligation to provide information; the BDSG provides for a preliminary ruling in these cases.
For companies with big data activity, a DSB or data protection management is and will (still in the future) be necessary for the fulfilment of the increased, comprehensive obligations to provide evidence of legal conformity.
3 – I am responsible (i. e. a “data controller” in accordance with articles 3,3 (7) of the BDSG) for the processing of personal data? Or am I a data processor/contractor (article 11 BDSG)?
According to the current BDSG law , only the person who collects, processes and uses the data for himself/herself is responsible. Any contractual data processor (e. g. cloud service provider, external server service provider) is not responsible for the personal data, since no transfer of function takes place according to BDSG.
4 – Do I know the reasons for my collection, processing, use of personal data? Can I divide them up into seperate categories?
I am “trustee” of the personal data.
5 – Have I asked all persons whose personal data are affected by my data collection BEFORE processing for their direct express and voluntary permission and received it? Have I informed them of the purpose (s) of personal data processing? OR: is there a legal permission for my processing?
6 – Do I process particularly sensitive personal data, such as racial and ethnic origin? Political opinions (party membership), religious or philosophical beliefs, trade union adhesion ?
Then I have to point out to those collectings in a seperate way.
7 – Do I have a contract? AGB (ie pre-formulated standard contract terms)?A license? with all of my service providers (e. g. Google, Microsoft, etc.) or order data processors? I know “where I am” in the area of liability in the event that personal data in my area of responsibility is leaked into the public, damaged?
For example: Cloud computing knows (often) no boundaries (i. e. often cloud services providers work with third-party providers in other countries). This entails the danger for users (i. e. buyers of cloud services) of contractual confrontation with a foreign legal system. The (cloud) provider normally sets the legal order for its services (see also 8, here below).
8 – Contracts with cloud services.
I work with a cloud operator and know the legal classification, the terms of its cloud services?
There is no standardized legal classification of cloud services contracts today. The definition (i. e. the legal classification) depends on the main focus of the service (? SaaS? PaaS? SaaS?). There can be different types of contract: a rental agreement, a contract for work and services, or a service contract, or a mixed form, (rarely also a partnership agreement). The classification determines the legal consequences which vary from type to type, in particular for tortious claims. The service description of the provider is very important, but also what the user has been promised (contractually) by the provider.
9 – List of procedures
Do I have a complete, updated registry of all personal processing of the company, articles 4 e, 4g BDSG?
Is the directory created by a (internal/external) DSB ordered by me?
Can I respond immediately to the (legitimate) request for information of a data subject (regarding the data stored about him/her (articles 19,34 BDSG)?
10 – Third party data recipient
Will the personal data processed by me be passed on to third parties (exception:”list privilege”)? Have the people concerned been informed of this and have they agreed to it?
Typical example: Transfer of personal data (of employees) to e.g.: insurance companies, consulting firms (also banks) for corporate strategies: in cases of M&A activities.
11 – Third country data recipients
Will I transfer personal data to third countries outside the EU (e. g. the United States)?
The transmission must not take place if the person affected has a legitimate interest in the exclusion of the transmission, in particular if an adequate level of data protection is not guaranteed in the third country (article 4b BDSG), (see also Schrems (1) vs/ Facebook Judgement ECJ October 2015).
Is my cloudserver in the USA? in India? Morocco?
Have appropriate data protection agreements been made in my cloud service contracts?
For example, how to sign EU standard/model contracts? Or:
Does the company have BCR’s (“binding corporate rules”), i. e. guidelines drawn up by the company and binding for the company?
12 – Are the personal data processed by my system deleted regularly in accordance with the statutory periods stipulated by law or due to non-compliance (article 20 BDSG)?
13 – Is there a “Clean Desk Policy” in my employees’ workplaces, which I have set up and which employees are familiar with?
For this purpose, the company uses the necessary technical organizational measures (“TOM”) (article 9 BDSG)?