GDPR - GENERAL DATA PROTECTION REGULATION
GDPR stands for General Data Protection Regulation, more precisely for Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The purpose of the GDPR is to harmonize the legal framework for data protection within the EU. This also ensures that personal data can be processed anywhere in the EU under the same rules, and that a level playing field exists between the individual member states.
The GDPR lays down the data protection principles for the processing of personal data by companies and public authorities established in the European Union, regardless of whether the processing itself takes place in the EU. It also applies to controllers and processors outside the EU if they offer goods or services to people in the EU or monitor their behaviour there (Art. 3 GDPR).
The regulation contains various opening clauses that allow the individual member states to regulate certain sub-areas of data protection according to their national requirements. In all other areas, the General Data Protection Regulation applies directly; adjustments by the national legislator are not permitted.
The GDPR has applied since 25 May 2018 in all member states of the European Union, after a two-year transition period following its entry into force in May 2016.
- The General Data Protection Regulation grants data subjects (the "users" of a service) a wide range of rights
- First of all, every company that processes personal data is obliged to inform the data subject transparently about the processing and its key points, such as purpose, legal basis, recipients and retention period, according to Art. 13 and 14 GDPR
- Likewise, the data subject has the right at any time to request access to the data the controller processes about them (Art. 15 GDPR), and to have that data rectified (Art. 16 GDPR) or erased under the conditions of Art. 17 GDPR
- In addition, the data subject may complain at any time to a data protection supervisory authority about a controller in accordance with Art. 77 GDPR; supervisory authorities are obliged to examine and handle incoming complaints
The GDPR in everyday life
Data is transmitted TLS-encrypted on websites
The standard technology TLS ("Transport Layer Security") is used to secure connections on the Internet and to protect sensitive data sent between two systems. Informally, this is still often referred to as "SSL". SSL stands for "Secure Sockets Layer" and is the predecessor of TLS. The last SSL version, SSL 3.0, was published in 1996 and was formally deprecated in 2015 (RFC 7568); it must no longer be used, and current practice is to accept only TLS 1.2 and TLS 1.3.
If a website is secured via TLS, this is indicated by the scheme HTTPS (Hypertext Transfer Protocol Secure, i.e. HTTP over TLS) at the start of the URL.
Clicking on the padlock in the browser bar displays information about the certificate, such as the issuing certification authority, the domain names the certificate is valid for and its validity period; the company name of the website owner is shown only if the certificate contains organization details. Note that the padlock attests only that the connection is encrypted and that the server holds the key for the domain in the address bar; it says nothing about whether the operator of that domain handles your data lawfully.
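The following Python example (added here as an illustration, not code from the original page) shows what a browser actually checks behind the padlock and how to do the same checks programmatically with the standard library: the server certificate must chain to a trusted CA, must be within its validity period, and must contain the requested hostname in its subjectAltName. The certificate dictionary is a constructed sample in the shape returned by ssl.SSLSocket.getpeercert(); the names, dates and serial number are made up. The insecure context is included only to show the setting that silently disables all of this.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by getpeercert() after a verified
# handshake. Not a real certificate; every value here is made up for the example.
SAMPLE_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "Example GmbH"),),
                (("commonName", "example.test"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "version": 3,
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}


def make_verifying_context():
    """Client context as a browser would use it: chain verification against the
    system trust store, hostname check, and no legacy protocol versions."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0, TLS 1.1
    return ctx


def make_insecure_context():
    """The weak setting often found in scripts: verification disabled.
    Any man-in-the-middle can present any certificate and will be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """True if the context both verifies the chain and checks the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _name_matches(pattern, hostname):
    """DNS-ID matching: exact match, or a wildcard covering exactly one leftmost
    label (RFC 6125 section 6.4.3); matching is case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.test"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[:-len(suffix)]  # "www" ok, "a.b" not
    return pattern == hostname


def hostname_matches(cert, hostname):
    """Check the requested hostname against the certificate's DNS names.
    Only subjectAltName counts; the CN fallback is what modern browsers dropped."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def is_within_validity(cert, now=None):
    """Check notBefore <= now <= notAfter using the ssl module's date parser."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def describe(cert):
    """Extract what the browser's padlock dialog shows."""
    def rdn(name, key):
        return next((v for r in name for k, v in r if k == key), None)
    return {
        "issuer": rdn(cert["issuer"], "organizationName"),
        "organization": rdn(cert["subject"], "organizationName"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": cert["notAfter"],
    }


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect with full verification and return the peer certificate.
    Raises ssl.SSLCertVerificationError if the chain or hostname check fails."""
    ctx = make_verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe(SAMPLE_CERT))
    print("www.example.test matches:", hostname_matches(SAMPLE_CERT, "www.example.test"))
    print("a.b.example.test matches:", hostname_matches(SAMPLE_CERT, "a.b.example.test"))
```

Pass a real hostname to fetch_peer_cert() to see the same fields the padlock dialog shows; a self-signed or mis-issued certificate makes the handshake fail with ssl.SSLCertVerificationError instead of returning data, which is exactly the behaviour the insecure context removes.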
E-mail communication: real end-to-end encryption
End-to-end encryption ("E2EE") means that data is encrypted by the sender and stays encrypted across every transmission station in between; only the endpoints of the communication hold the keys and can decrypt the message. This differs from transport encryption such as TLS between mail servers, which protects each hop but leaves the message readable to every server along the way. For e-mail, end-to-end encryption requires an additional mechanism such as S/MIME or OpenPGP on both sides.
Protection of stored data
The General Data Protection Regulation aims to minimize the risks to the rights and freedoms of the persons affected by data processing. In the area of technical data protection, the focus is primarily on two aspects:
Depending on the risks that a breach of the protection of personal data may entail, the controller and the processor must implement appropriate protective measures (Art. 32 GDPR). The risks are assessed from the perspective of the data subject, whereas in classical information security risks are assessed from the perspective of the company.
The other dimension of technical data protection is determined primarily by the principles of "privacy by design" and "privacy by default" (Art. 25 GDPR). Already when designing data processing systems, care must be taken that only the necessary processing takes place in the default settings. When using third-party software, the company must likewise ensure that it is configured so that it collects and processes only the data necessary to achieve the purpose.
The Implementation of the GDPR
In order to implement the GDPR in a company, many aspects have to be considered:
- Creation of a record of processing activities according to the requirements of Art. 30 GDPR
- Providing information to data subjects about the data processing carried out
- Implementation of processes to fulfil the rights of data subjects
- Implementation of state-of-the-art technical measures to protect data
- Creation of organizational instructions to support employees in processing data in accordance with the company's data protection principles
- Creation of organizational instructions to support employees in maintaining the security of the company when using IT systems
- Creating awareness of data protection and IT security in the company so that possible security and data protection incidents are recognized
- Implementation of a process for recording, analysing and evaluating a personal data breach, so that the supervisory authority can be notified within the legally prescribed period of 72 hours after becoming aware of it (Art. 33 GDPR)
- Implementation of central contract management for an efficient overview of required and existing data processing agreements (Art. 28 GDPR)
- Implementation of a deletion concept to ensure timely and data-protection-compliant data deletion
- Implementation of processes that ensure that the existing documentation remains up to date
- Mechanisms for regular review and evaluation of the implemented processes and measures to ensure their appropriateness and effectiveness
An external Data Protection Officer can support you in implementing the above measures and can draw on a wealth of experience.