Overview of data protection law
When must data protection law be observed?
Data protection law must always be observed when personal data is involved. Personal data is any data relating to an identified or identifiable natural person, and it is therefore present far more often than is commonly assumed.

Here is an example: The manufacturing company U from the automotive sector stores, on the SaaS platform of a third party, the times at which certain employees operate U's production machine. U does not store the names of the employees on the SaaS platform, however, but uses identifiers such as "M1" and "M2". So that U itself can assign each identifier to a specific employee, U maintains an assignment table. This assignment table is not stored on the SaaS platform. Does the SaaS platform contain personal data, and must its use therefore meet the requirements of the GDPR?

Yes. U must fully comply with data protection law in this example. The provider of the SaaS platform has no access to the assignment table, but this does not matter: the data held on the SaaS platform can be related to a person, even if only with the help of the additional knowledge available at U. Because of the identifiers "M1", "M2" etc., the working times on the SaaS platform are pseudonymous data, not anonymous data (see also "Are encrypted data personal data?"). Only in the case of anonymization would data protection law no longer have to be observed. For anonymization, in this example, at least the identifiers "M1", "M2" etc. would have to be omitted.
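To make the pseudonymous/anonymous distinction concrete, here is a worked example added by the editor; it is not part of the original page, and the employee names, the log rows and the key are constructed. It reproduces the page's M1/M2 label scheme, generalizes it to keyed pseudonyms (HMAC-SHA256, an assumption of this example rather than anything the page prescribes), shows that an unkeyed hash of the name is likewise only pseudonymous, and shows an aggregate from which the identifier has been removed.

```python
"""Pseudonymous vs anonymous machine logs (added example, not from the original page)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample data: U's internal assignment table (label -> employee).
# Names are invented. This table never leaves U; only the log below is uploaded.
ASSIGNMENT_TABLE = {"M1": "Anna Example", "M2": "Bert Sample"}

# Constructed machine log as U records it internally, before upload.
RAW_LOG = [
    {"machine": "press-7", "operator": "Anna Example", "start": "2024-03-04T06:00", "end": "2024-03-04T14:00"},
    {"machine": "press-7", "operator": "Bert Sample", "start": "2024-03-04T14:00", "end": "2024-03-04T22:00"},
    {"machine": "press-7", "operator": "Anna Example", "start": "2024-03-05T06:00", "end": "2024-03-05T14:00"},
]


def pseudonymize_with_labels(log, table):
    """The page's scheme: replace names with labels M1, M2, ... from a table kept at U."""
    name_to_label = {name: label for label, name in table.items()}
    return [{**row, "operator": name_to_label[row["operator"]]} for row in log]


def pseudonymize_keyed(log, key: bytes):
    """Generalization: derive the label as HMAC-SHA256(key, name), truncated to 12 hex chars.

    Returns (upload, mapping). `upload` goes to the SaaS platform; `mapping`
    (pseudonym -> name) stays at U and plays the role of the assignment table.
    Without `key` or `mapping`, the platform operator cannot recover the name.
    """
    mapping = {}
    upload = []
    for row in log:
        tag = hmac.new(key, row["operator"].encode(), hashlib.sha256).hexdigest()[:12]
        mapping[tag] = row["operator"]
        upload.append({**row, "operator": tag})
    return upload, mapping


def reidentify(upload, mapping):
    """What U can do with its additional knowledge: map labels back to names."""
    return [{**row, "operator": mapping[row["operator"]]} for row in upload]


def pseudonymize_unkeyed(log):
    """A common mistake: plain SHA-256 of the name. Still pseudonymous, not anonymous."""
    return [{**row, "operator": hashlib.sha256(row["operator"].encode()).hexdigest()[:12]}
            for row in log]


def dictionary_reidentify(upload, candidate_names):
    """Anyone holding a list of plausible names (e.g. a staff directory) reverses unkeyed hashes
    by hashing every candidate and looking the result up. Keyed tags resist this without the key."""
    table = {hashlib.sha256(n.encode()).hexdigest()[:12]: n for n in candidate_names}
    return [{**row, "operator": table.get(row["operator"], "?")} for row in upload]


def anonymize(log):
    """Drop the operator entirely and aggregate: shifts per machine and day.
    No output row refers to one person any more."""
    counts = Counter((row["machine"], row["start"][:10]) for row in log)
    return {f"{machine} {day}": n for (machine, day), n in sorted(counts.items())}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-at-U"
    print("labels :", [r["operator"] for r in pseudonymize_with_labels(RAW_LOG, ASSIGNMENT_TABLE)])
    upload, mapping = pseudonymize_keyed(RAW_LOG, key)
    print("keyed  :", [r["operator"] for r in upload])
    print("at U   :", [r["operator"] for r in reidentify(upload, mapping)])
    print("unkeyed, attacked:",
          [r["operator"] for r in dictionary_reidentify(pseudonymize_unkeyed(RAW_LOG), ASSIGNMENT_TABLE.values())])
    print("keyed, attacked  :",
          [r["operator"] for r in dictionary_reidentify(upload, ASSIGNMENT_TABLE.values())])
    print("anonymized:", anonymize(RAW_LOG))
```

Two practical points follow from running it. First, keyed pseudonyms are stronger against an outsider than the page's M1/M2 labels or an unkeyed hash, but they are still pseudonymous data in the GDPR sense as long as U holds the key or mapping, so they do not change the legal conclusion above. Second, omitting the identifier, as the page requires for anonymization, is necessary but not always sufficient: a shift-by-shift log of a machine that only one person ever operates still singles that person out, which is why the example aggregates rather than merely blanking the column.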
What are the main consequences of the application of the GDPR?
If data protection law is to be observed, there are two main consequences with regard to data processing:
Finding and complying with a permission standard
Fulfillment of information obligations
Finding and complying with a permission standard
If personal data is involved, its processing is initially prohibited under Art. 6 para. 1 and Art. 9 para. 1 GDPR. The prohibition is lifted only if one of a small number of exceptions applies. For ordinary personal data these exceptions are listed in Art. 6 para. 1 lit. a to f GDPR, namely:
the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
If sensitive data (more precisely: special categories of personal data) are affected, different rules apply. Such sensitive data are
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data relating to health, such as sick notes or the fact that a person wears glasses, is therefore sensitive data. If such data is processed, a permission under Art. 9 para. 2 GDPR is required. The permissions under Art. 9 para. 2 GDPR differ from the permissions under Art. 6 para. 1 GDPR cited above in a number of key respects.
For example, consent is also possible in the area of sensitive data. However, it must be explicit here. Implied consent, for example, is therefore not - or at least hardly - possible.
Of particular importance is that, for "ordinary" data under Art. 6 para. 1 GDPR, processing may be based on a legitimate interest (Art. 6 para. 1 lit. f GDPR). This requires a balancing of interests; if the outcome is in the controller's favor, the data may be processed. In practice, many processing operations rest on this permission, e.g. setting the cookie that holds the shopping cart of an online store, or integrating sales representatives into the organization. If sensitive data is affected, however, e.g. data on religious affiliation, a sick note or a health condition, Art. 9 para. 2 GDPR takes precedence, and it provides for no such balancing of interests. If no other permission in Art. 9 para. 2 GDPR applies, explicit consent may quickly become necessary. Consent, however, has several disadvantages, which is why it should generally be avoided where another permission is available: the organizational effort, the requirement that it be given freely, the prohibition on making a service conditional on consent (the coupling prohibition), the obligation to document it, and the fact that it can be withdrawn at any time.
If personal data is involved, the first task is therefore to identify the most practicable permission standard (legal basis) for processing the data and to comply with its requirements.
Fulfillment of information obligations
If data is processed, the data subjects must always be informed. This obligation also applies to controllers who have no direct contact with the data subject. For example, if a company receives personal data about an end customer in the course of a recourse claim, that company must inform the data subject in accordance with data protection law.
The information to be provided is listed in twelve points in Art. 13 GDPR and thirteen points in Art. 14 GDPR. These two standards are the reason for the "privacy policy" required on almost every website.
The information to be provided includes simpler items such as the name of the controller under data protection law, i.e. usually the name of the company, and the contact details of the data protection officer, if one has been appointed. Compiling other items can take more effort. For example, the legal basis for the processing (the permission standard discussed above) must also be stated. Furthermore, the storage period must be specified and, where applicable, the source of the data must be named. This last point in particular can have a considerable economic impact, because subcontractors may have to be named, even though the identity of subcontractors is often something a company would prefer to keep confidential, e.g. from competitors.
Other data protection issues
The points above give only a first impression of the broad spectrum of data protection law. Only issues that arise directly from the processing of data have been addressed. The extensive obligations concerning the company's internal organization, for example, have not been covered. Numerous other standard topics and special topics must also be taken into account.
Some examples of other standard topics include
Dealing with data breaches (notification of the supervisory authority within 72 hours of becoming aware of the breach)
Proper conclusion of processing contracts
Liability of the processor
Compliance with the principles of privacy by design and privacy by default when designing technology
Deletion concepts
Appointment of a data protection officer
Right to data portability
Some examples of special topics include
Design of networked products consisting of SaaS portal or customer portal, app and new types of devices
Consideration of e-privacy requirements, under which rules similar to those of data protection law apply even without any reference to an identifiable individual; it is sufficient, for example, that information is read from a user's end device.
Involvement of sales intermediaries, e.g. commercial agents
Compliance with special data protection regulations, e.g. social data protection
Data protection and photos
Cookie banners
Company-internal and group-wide data protection regulations