What you as a website operator need to know about the GDPR
The numerous changes brought about by the GDPR since 25 May 2018 affect every entrepreneur and website operator. There are extensive new regulations in almost all areas of data protection law. Some are relatively simple to implement, others are very complex.
Our GDPR special - which we provide for you as an eRecht24 agency partner in cooperation with eRecht24 Premium (partner link) - helps you get an overview of the requirements of the GDPR and shows you how to implement them easily and quickly for your website.
We would be happy to support you in the GDPR-compliant implementation of your website. Please contact us.
From 25 May 2018, the GDPR will regulate the handling of personal data by companies - uniformly throughout Europe. Many of the current provisions of the German Federal Data Protection Act (BDSG) will then no longer apply, and the BDSG is being revised at the same time.
The General Data Protection Regulation unifies data protection law within the EU; until now, different data protection laws and thus different standards have applied in each member state. In the future, entrepreneurs can therefore rely on a (predominantly) uniform data protection law within the EU.
However, the regulation also applies to companies based outside the EU if they process data of persons from the EU. This is to ensure that cloud services or social networks (from the USA, for example) also have to comply with the rules.
2. Privacy policy and imprint
First of all, every website needs a new privacy policy that complies with the requirements of the GDPR. Principles of a GDPR-compliant privacy policy:
- Simple and understandable language
- If applicable, an upstream, general summary statement
- Contact details of the website operator
- Data protection officer, if available
- The legal basis of the respective data collection/processing (legal regulation or consent) must be specifically stated.
A privacy policy under the GDPR must contain at least the following points:
- Naming of all data processing procedures on the website
- Handling of customer / order data
- Tracking, cookies, social media
- Newsletter, A(D)V
- Duration of storage, deletion periods
- Information, correction, deletion, objection
- Right to data disclosure and transferability
Consent may not be declared within the privacy policy itself.
Note: obligation to erase under Art. 17 GDPR:
Data must be deleted if:
- the purpose of collection has ceased to exist,
- consent has been revoked (newsletter unsubscription),
- an objection is made by the user ("Delete my data") and there are no legal storage obligations to the contrary (taxes and accounting).
3. Processing directory (previously: procedure directory)
You need a processing directory if you employ more than 250 employees and if you process special categories of data.
The obligation also applies to companies with fewer than 250 employees if the processing is "not only occasional". However, it has not yet been conclusively clarified what exactly this means. Until the requirements are finally clarified, you should create such a directory in case of doubt.
What contents belong in it?
- Details of the controller
  - Name and contact details of the controller, his representative and the data protection officer
  - Purposes of the processing
  - Categories of data subjects and personal data
  - Categories of recipients
  - Transfers of personal data to a third country
  - Time limits for erasure
  - Description of technical and organisational measures
- Details of the processor
  - Name and contact details of the processor and the controller, their representatives and the data protection officer
  - Categories of processing operations
  - Transfers of personal data to a third country
Examples and a structure for such a processing directory can be found, for example, at Bitkom: https://www.bitkom.org/NP-Themen/NP-Vertrauen-Sicherheit/Datenschutz/FirstSpirit-1496129138918170529-LF-Verarbeitungsverzeichnis-online.pdf.
4. Cookies and tracking
There are currently no changes with regard to cookies and tracking. Cookies will be specifically regulated by the ePrivacy Regulation (ePV); however, this will probably not come until 2019. Nevertheless, an opt-out option must be offered as part of any future statistics tracking.
The good news: Google Analytics remains "allowed" as before, even after the GDPR, if the following requirements are met:
- A(D)V contract concluded with Google
- IP anonymisation activated
- Opt-out options for desktop and mobile
Make sure that you conclude a GDPR-compliant A(D)V contract with Google as of 25 May 2018. Google is likely to provide such a contract soon.
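As an added illustration (not code from the original article or from Google), this is how the two technical requirements from the list above, IP anonymisation and a persistent opt-out, fit together in a Google Analytics loader; the property ID is a placeholder and the ten-year opt-out lifetime is an assumption.

```javascript
// Added example, not from the article: GDPR-style Google Analytics wiring.
const GA_ID = 'UA-XXXXXXX-Y';              // placeholder, use your own property ID
const OPT_OUT_KEY = 'ga-disable-' + GA_ID;  // flag Google's scripts check before sending hits

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// The visitor has opted out if the opt-out cookie is present and set to "true".
function isOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_KEY] === 'true';
}

// Cookie string recording an opt-out for ten years (assumed lifetime).
function optOutCookie(now = new Date()) {
  const expires = new Date(now.getTime() + 10 * 365 * 24 * 60 * 60 * 1000);
  return `${OPT_OUT_KEY}=true; expires=${expires.toUTCString()}; path=/; SameSite=Lax`;
}

// Handler for an "opt out of Google Analytics" link: sets the window flag
// (takes effect immediately) and the cookie (persists across page loads).
function optOut(win, doc) {
  win[OPT_OUT_KEY] = true;
  doc.cookie = optOutCookie();
  return true;
}

// Returns the gtag config to apply, or null when tracking must not start.
// anonymize_ip makes Google truncate the IP address before it is stored.
function gaConfig(cookieString) {
  if (isOptedOut(cookieString)) return null;
  return { anonymize_ip: true };
}

// Browser wire-up (guarded so the file also loads outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window[OPT_OUT_KEY] = isOptedOut(document.cookie);   // respect a stored opt-out
  const cfg = gaConfig(document.cookie);
  if (cfg && typeof window.gtag === 'function') window.gtag('config', GA_ID, cfg);
}
```

The opt-out link on the page simply calls `optOut(window, document)`; on later visits the stored cookie keeps the flag set before any hit is sent.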
You can find a guide plus tools for correct implementation at eRecht24 Premium (partner link).
With other tools, such as the Facebook Pixel, it is unfortunately not possible to make a precise statement at the moment. However, the legal situation is likely to become more complicated.
5. Newsletters and consents
Consents from users, e.g. to send newsletters, that were already effectively obtained under the old law (double opt-in) generally continue to apply. Exceptions:
- The prohibition on tying (Kopplungsverbot) was not observed when the old consent was obtained
- Consent given by minors
What about new newsletter campaigns or prize competitions?
If there is no legal permission to store / transfer data, consent is always required.
Even under the GDPR, the double opt-in principle should be observed in order to be able to prove consent in case of doubt. In any case, consent must be documented electronically.
Consent must be given "voluntarily": Art. 7 (4) GDPR contains a genuine prohibition on tying (Kopplungsverbot).
As a rule: no data in exchange for content (e.g. e-books, competitions, checklists), and no linking of newsletter dispatch to the conclusion of a contract.
6. Data protection officer
Companies that usually employ at least ten persons permanently with the processing of personal data, or that are obliged to carry out a data protection impact assessment pursuant to Article 35 of the GDPR (details below under No. 10), must appoint a data protection officer.
Conflicts of interest
There must be no conflicts of interest in the appointment of the data protection officer. Therefore, a member of the board of directors, a managing director or the owner of the company cannot be the data protection officer. These persons cannot mediate in case of conflicts between the company's interests and the data protection regulations.
You may also appoint an external data protection officer to avoid conflicts.
Qualifications of the Data Protection Officer
The data protection officer must be reliable. Legal and technical expertise are also essential for the position. Training courses and seminars including examinations are offered nationwide to acquire the relevant qualifications, e.g. at the TÜV.
7. Employee data
With the GDPR also come new regulations on employee data protection. The new regulations contain numerous duties and obligations that employers must comply with in the future.
Only data that is "necessary" should be collected.
Employee data shall only be processed if this is necessary for the decision on hiring an applicant or for the implementation, exercise or termination of an employment relationship.
Processing is also permitted if it is necessary for the fulfilment of legal rights and obligations, a collective agreement or a works or service agreement, or for the purpose of law enforcement. Whether and when the collection of certain data is actually necessary must always be determined on the basis of the specific individual case.
If you want to avoid the legal uncertainties surrounding "necessity", you can obtain voluntarily given consent from your employees. In the event of a dispute, however, the employer must prove the alleged voluntariness of the consent.
Effective consent must meet certain formal criteria. In principle, it must be in writing, i.e. signed by hand. However, since this is not always practical, electronic consent can be obtained under special circumstances. In addition, the employee must be informed in a suitable form that the consent can be revoked at any time. Finally, the employer must create certain conditions for the revocation declaration.
An employer must be able to prove compliance with the obligations just mentioned in case of doubt (documentation obligations). Furthermore, employers will in future be confronted with stricter obligations to provide information in the event of data protection breaches and numerous other obligations (e.g. deletion obligations).
Employers should therefore thoroughly review their internal processes with regard to these obligations and have them adapted if necessary (keyword: compliance management).
8. Commissioned (data) processing
If the collection and processing of personal data is carried out by an "external" company, this must be contractually regulated - as was also the case under the old law. Examples:
- Agency carries out advertising measures
- External newsletter provider
- Web host
- External maintenance contracts
What changes in the content of A(D)V contracts?
Few new regulations in terms of content:
- Processor may have to keep a register of procedures
- Processor must record the instructions of the controller
- Contracts no longer have to be in writing
Where can I get samples for my A(D)V contracts?
You can find a GDPR-compliant sample contract at eRecht24 Premium (partner link).
9. Data protection for minors
In the case of minors under the age of 16, parents must give their consent. However, this only applies to cases where the GDPR requires consent (e.g. for advertising) and in practice only when it comes to offers that are directly aimed at children and young people.
In the case of mixed offers (for adults and young people), no specific requirements need to be implemented.
10. Data protection impact assessment
In certain cases, you are obliged to assess the consequences of the data processing and to record this in a so-called data protection impact assessment (DPIA) according to Art. 35 GDPR. In principle, a DPIA must always be carried out if "a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing".
This is the case, for example, in the following constellations:
- Processing of health data, religion, sexuality
- Business secrets
- Criminal offences
- and many more.
When and how to carry out such a data protection impact assessment in detail can be found in the comprehensive white paper of the Forum Privacy:
11. Right of access and duty to notify
In general, data subjects have the right to access their stored personal data (Art. 15 GDPR).
Form of information:
- in writing
- electronically (e-mail)
- orally on request
Deadline for information: Immediately, but no later than 1 month after receipt of the request.
When must data subjects and supervisory authorities be informed in the event of data breaches?
Stricter requirements now apply here than before. According to Article 33 of the GDPR, data breaches must be reported to the supervisory authority without undue delay (where feasible, within 72 hours), together with comprehensive documentation.
Details on the required content are regulated by Art. 33 (5) of the GDPR.
12. Fines and warnings
Data protection violations may be subject to warning letters (Abmahnungen)!
Violations may result in warning letters and legal proceedings, because:
- Data protection law is relevant to competition law!
- Violations can also be subject to warning letters under the GDPR!
The GDPR provides for fines of up to 20 million euros or 4% of the previous year's global turnover.
So far, data protection authorities have only very rarely exhausted the upper limit of the fine range, and then only in the case of persistent infringements.
This is very likely to change, however, as the high fine framework is a core component of the GDPR.
Important: Take requests/complaints from users seriously. Even more important: take requests/complaints from data protection authorities seriously.
What should you do now?
You know that you have to take care of topics such as data protection, imprint, image rights or Facebook & Co. You don't have the time to research all the complicated legal requirements yourself? You don't want to, or can't, pay an expensive lawyer for every website check? You need clear answers, understandable solutions and practical tools instead of even more questions?
This is what you get in the GDPR special at eRecht24-Premium (partner link):
1. Practice guide on the GDPR
We have compiled a practice guide for dealing with the most common basic questions on the GDPR.
2. Webinars on the GDPR
In exclusive webinars, the lawyers of the law firm Siebert Goldberg explain practical approaches to legally compliant handling of the GDPR.
3. GDPR privacy policy generator
The new professional privacy policy generator is now available to you. It allows you to create a GDPR-compliant privacy policy in just a few minutes.
4. Frequently asked questions from website operators
We have collected, sorted and answered the most frequent 50+ questions that entrepreneurs have in connection with the GDPR.
5. Your questions about the GDPR
Ask your additional questions about the GDPR during the initial consultation. These will be answered by lawyer Siebert and his team.
6. Lawyer GDPR check with 100 euro discount
The law firm Siebert Goldberg offers everyone a comprehensive lawyer website audit at a fixed price. All eRecht24 Premium users receive a 100 euro discount.
7. Further highlights
At eRecht24 Premium (partner link) you will not only find answers to the GDPR, but also numerous tools, video trainings, live webinars, sample contracts and checklists on data protection, image rights and copyright, newsletter marketing or Facebook & Co.
Secure eRecht24 Premium now and protect yourself from GDPR warning letters quickly and easily.
Important legal notice!
Our article gives you an overview of the most important points of the GDPR. However, it is no substitute for legal advice. For the correct implementation of all data protection requirements, it is best to seek advice from a lawyer or eRecht24.