The GDPR applies to all services operated in the EU, but also whenever personal data of Europeans is processed. European data protection is therefore also relevant for many companies, associations and organizations in Switzerland, which affects us directly as a German-Swiss company.
Since May 25, 2018, this has become a live issue: we find that many providers are surprisingly ill-prepared, even though the regulation came into force two years ago; only the transition period granted at the time meant that it had not been enforced before. The main obligations are:
- Comply with the imprint (legal notice) duties.
- Provide a data protection declaration that defines which personal data is used, for what purpose and for how long.
- Depending on the size of the company, a data protection officer who is not a member of the management must be appointed.
- If personal data is processed, explicit consent must always be obtained.
- Technical processes have to be implemented which ensure that the consent is recorded and can be demonstrated. Taking into account previous case law on general terms and conditions, a note that clicking the 'send' button of a form counts as consent is probably not acceptable.
- Order processing contracts (data processing agreements) are necessary with IT service providers, and also with legally independent companies in a group structure that exchange data with each other.
- Protective measures for sensitive data are to be provided. For example, sensitive data submitted via a form should be transported encrypted.
- Depending on how much data is affected and how sensitive it is, an analysis of the protection requirements is necessary in accordance with the GDPR. Technical and organizational measures for data protection must be provided and the business processes must be aligned accordingly. For example, the GDPR demands differentiated access rights to personal data, including logging of who accesses which data and when, and who deletes or changes it. Excel files, for example, are unsuitable for storing personal data.
- Response time (notification) after a data leak: 72 hours.
- The CMS systems used must be up to date.
No consent is required for personal data that must be stored due to retention requirements. However, such data may only be used for that very purpose, and it must be deleted once the retention obligation expires.
Technically, it makes no sense to remove individual records from backups. But if a backup is restored, whoever restores it is obliged to delete again any personal data that had to be deleted. If, for example, data deleted because of a cease-and-desist warning is suddenly available again after a backup has been restored, it can get expensive ...
At first glance, this looks like a paradox: how can we know in the future which personal data we have to delete if we are no longer allowed to store that data? In other words, can someone have their data deleted and at the same time request that they never be contacted again via their email address?
In practice, we solve such cases by storing the data with one-way encryption or a cryptographic hash function, so that the email address can no longer be reconstructed from what is stored. The stored hash value can still be used to check whether an email address is identical to one that had to be deleted.
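As an added illustration (not the company's own code), a suppression list of this kind that stores only a keyed hash of each normalised address and re-applies itself to records restored from a backup. It assumes a secret key (HMAC, which goes a step beyond the plain hash described above: without the key, stored values cannot be matched against guessed candidate addresses) that the operator keeps out of the database, here read from an environment variable named as an example.

```python
import hashlib
import hmac
import os

# Assumption: the key lives in a secrets store, never next to the token list.
SUPPRESSION_KEY = os.environ.get("SUPPRESSION_KEY", "example-key-replace-me").encode()


def normalize_email(email: str) -> str:
    """Canonicalise an address so case and whitespace variants hash identically.
    Lower-casing the local part too is deliberate: a false match (not contacting
    someone) is the safer failure for a do-not-contact list."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return f"{local}@{domain}".lower()


def email_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed one-way token of the normalised address (hex HMAC-SHA256)."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds only tokens; the addresses themselves are gone after forget()."""

    def __init__(self, key: bytes = SUPPRESSION_KEY) -> None:
        self._key = key
        self._tokens: set[str] = set()

    def forget(self, email: str) -> None:
        """Record that this address was deleted and must never be contacted again."""
        self._tokens.add(email_token(email, self._key))

    def is_suppressed(self, email: str) -> bool:
        """True if the address matches one that was deleted earlier."""
        return email_token(email, self._key) in self._tokens


def filter_restored(records: list[dict], suppressed: SuppressionList) -> list[dict]:
    """After a backup restore, drop rows whose address had been deleted before.
    Records are constructed dicts with an 'email' field for this example."""
    return [r for r in records if not suppressed.is_suppressed(r["email"])]
```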
The General Data Protection Regulation governs the handling of personal data. This is essentially all data in which names appear or which is suitable for identifying a person, such as personal e-mail addresses or IP addresses.
With regard to cookies that are not linked to a person, the regulation still leaves room for interpretation. Presumably these do not fall under the GDPR but are governed by the ePrivacy Regulation, which as of spring 2018 has not yet come into force. On the other hand, the Federal Data Protection Council in Germany has already issued a recommendation that cookie banners are necessary.