The GDPR applies to all services that are operated in the EU, but also if personal data are processed by Europeans. For example, in Switzerland, European data protection is also relevant for many companies, associations and organizations, which is something that directly affects us as a German-Swiss company.
Since May 25, 2018, things are getting serious: we find that many providers are surprisingly not well prepared. The ordinance came into force two years ago, the reason it was not enforced was, because of the transitional period granted.
The General Data Protection Regulation regulates the handling of personal data. These is essentially all data in which names occur or which is suitable for identification, such as personal e-mail addresses or IP addresses.
With regard to cookies without linking to persons, the regulation leaves room for interpretation. Presumably these are not covered by the GDPR, but are governed by the ePrivacy Ordinance, which has not yet come into force in spring 2018. On the other hand, the Federal Data Protection Council in Germany has already issued a recommendation that cookie banners are necessary.
So what does a provider have to do to ensure that their website is DSGVO-compliant?
1. The imprint obligation
3. Depending on the size of the company, a data protection officer must be assigned. This may not be a member of the management.
4. When personal data is processed, explicit consent must always be obtained.
5. Technical processes must be implemented which ensure that the consent is present. Considering the previous jurisdiction in the context of terms and conditions, a click on the 'send' button of a form is probably not sufficient to ensure consent
6. Contracts with IT service providers, or even between legally independent companies in a corporate structure to exchange the data are necessary
7. Protective measures for sensitive data are to be provided. For example, the data transport of sensitive data via a form should be encrypted.
8. According to the GDPR, depending on how much data is affected and how sensitive it is, an analysis of the need for protection is necessary. Technical / organizational measures for data protection must be provided and the business processes must be aligned accordingly. For example, the GDPR asks for differentiated access rights to personal data, including logging who accesses which data, and when this is deleted or changed. Thus, Excel files, for example, are unsuitable for the storage of personal data.
9. Reaction time (message) after data leak: 72 hrs.
10. CMS systems used must be up to date.
For personal data, which must be stored, for example, due to retention obligations, no consent is required. However, the data may only be used for exactly this purpose. And the data must be deleted if the storage obligation is no longer valid.
Technically, it makes no sense to remove individual data from backups. But when backups are restored, then the uploader is required to delete personal data that needs to be deleted again. If, for example, due to a warning, deleted data suddenly returns after a backup has been loaded, it can be expensive ...
At first glance, this seems like a paradox: how can we in the future know which personal data we have to delete if we are no longer allowed to store this data? In other words, can someone delete their data and at the same time demand never to be contacted via their email address?
In practice, we solve such cases by storing the data with one-way encryption or using a cryptographic hash function, so that the email can no longer be reconstructed from the stored data. Due to the stored hash value, however, it is still possible to check whether an e-mail address is identical to an address to be deleted.