Privacy Top 20 Guide

Data protection for companies: We answer your questions

The current General Data Protection Regulation shows that the security of personal data is now a much higher priority for the EU than it was a few years ago. For you as a company, this means that you are now legally obliged to implement the new rules and requirements in conformity with the law. Our GDPR checklist for companies already contains a clear summary of what you must take into account. Nevertheless, uncertainty remains widespread. There are still open questions regarding data protection whose answers are unclear for companies. We have taken this up and looked more closely at a few of these points for you.

“Does my data protection officer personally assume responsibility for compliance with the GDPR in my company?”

No. The company that appoints an internal or external data protection officer is primarily responsible. However, the expert is responsible for providing the best possible advice to their employer or client and supporting them in implementing the GDPR in conformity with the law.

However, the situation is different with regard to liability. Data protection officers in companies can be held fully liable by the supervisory authorities if the authorities see reason to issue GDPR warnings. Our recommendation: Visit the following category on this platform: “External data protection officer.” It takes you to a page where you can compare providers and find a technically skilled expert for your company.

“Do I have the right to be advised by the supervisory authorities?”

No. The state data protection authorities as such are not obliged to provide GDPR advice for companies. However, there is one exception: If you determine within the framework of a data protection impact assessment that the processing of personal data represents a disproportionately high risk, the authorities must issue you a recommendation within eight weeks. This is laid down in Art. 36 GDPR.

“Do I have to disclose personal data if a public body asks for it?”

Data protection also applies to the employees of your company at the workplace. In principle, public authorities may collect data. In order to protect the rights of your employees, however, there must be an important reason for doing so, and the requesting body must therefore disclose these specific circumstances. If you are unsure how to proceed, seek the advice of your data protection officer. You also have the option of contacting the supervisory authority responsible for you in the non-public sector.

“Does the GDPR also apply if I use publicly accessible information from the internet to update the data in my database?”

The General Data Protection Regulation applies to all personal data that you collect and process in the company. This includes information that is accessible to the general public. Nevertheless, the legal situation does not provide any concrete help on how to implement the GDPR in cases like this. Art. 6 GDPR merely states that the consent of the data subjects is necessary, but gives no indication as to how publicly available data should be handled.

“What do I have to report to the supervisory authorities?”

According to Art. 33 GDPR, you are subject to the notification obligation if you notice a violation of the protection of personal data. This can be an incident that occurs internally in your company as well as a violation of the General Data Protection Regulation at another company. The report must be made as soon as possible.

“What consequences can I expect for my company if I do not implement the GDPR?”

The supervisory authorities are entitled to impose fines amounting to 20 million euros or four percent of your annual revenue. Therefore, we strongly advise you to start implementation right now. A data protection software comparison on our platform or a data protection kit for small businesses can help.

“Do I need to specially secure the premises where personal data are processed?”

The answer is yes and no:

  • Yes: You are obliged to take both technical and organizational measures to ensure data protection in your company.
  • No: This clause primarily refers to problems such as data theft or human error.

However, we recommend that you exercise caution rather than leniency. As part of a GDPR audit for your company, you need to tell your employees to take security precautions. For example, your employees should lock their screen when they leave the office. It is also advisable to password-protect computers and laptops to prevent unauthorized access. Even with these small measures, you can adequately implement data protection in your company.

“Does the GDPR also apply to data that I collected before May 25, 2018?”

Yes, but it was decided that, for example, consent already given for data processing continues to be valid. Processing operations that were completed by May 25 are also excluded from the regulation. However, all collections must be discussed again with the data subjects in order to protect their data protection rights in your company.

“When I hire a new employee, I need information from them. Is this personal data?”

Of course. When you hire someone, you will generally receive personal data such as year of birth, religious denomination, bank details, etc., which will inevitably be processed in your company. You must protect this information in order to protect the rights of data subjects.

“I sell individually designed products in my online shop. These may include names and addresses. Do I need consent for this?”

No, separate consent is not necessary in this case. If a customer orders goods such as stamps, business cards or bottles decorated with a name from you, they already give you their consent by placing the order. Your company does not violate the General Data Protection Regulation. In this case, the protection of personal data extends only to the contract data.