Data Protection

Data protection is another essential part of IT Law. Ever since the European Data Protection Regulation (GDPR) came into effect on 25. May 2018, it has been the legal standard for correct processing of personal data in the entire European Union.

What is the GDPR?

 The GDPR is a regulation issued by the European Union which defines how personal data may or may not be processed in the EU. The GDPR is also legally binding for companies whose head office is outside of the EU if they process personal data in the EU. The GDPR is meant to give every person in the EU full control over his or her personal data.

Which data is protected by the GDPR?

 The GDPR regulates the processing of personal data such as:

  • Name
  • Address
  • E-mail address
  • Phone number
  • Date of birth
  • Account data
  • Car registration number
  • Location data
  • IP addresses

Which principles are laid down in the GDPR?

 For the processing of personal data, the GDPR issues a prohibition under reservation of permission. This means that the processing of personal data is prohibited unless expressly permitted. The person in question must give his or her explicit permission for the use of the data under specific conditions as laid down in the GDPR.

There are other cases in which data processing is permissible under the regulations of the GDPR, for example, when the personal data is required to fulfill a contract with the person in question. This is the case if an online shop needs a buyer’s address to ship a purchase. Another case is a company’s legitimate interest in the processing of the data as long as the interests or fundamental rights or freedoms of the person in question do not prevail. An example is a bank deciding on whether to grant a credit to a customer; here, the bank has a legitimate interest in finding out about the creditworthiness of the customer. The interests of the customer do not prevail here.

Another rule of the GDPR states that full transparency is necessary for the processing of personal data, which means that it must be openly stated which purpose the data is processed for, if data is shared with any third party, and what rights a person has in connection with the processing of his or her data. This information is given in the form of a data protection declaration made available to everyone concerned.

Another principle is the minimization of data, meaning that companies must not process more data than is absolutely needed for a specific purpose.

Data integrity is another aspect of data protection. Companies are required to process only correct and regularly updated data.

Data safety may be the most important of the principles of data protection. Under consideration of the circumstances of each individual case, companies must carry out a risk analysis and take appropriate technical and organizational measures to provide an adequate level of protection for the processed data. The protection level is determined by the need for protection of the respective data, and which measures are adequate depends on the industry standard, the cost of implementation and other, similar circumstances: in short, the more critical the data, the more drastic the measures must be.

What rights do consumers or internet users have?

 Everyone has a right to information, correction, deletion and restriction of processing. Furthermore, they have a right to data portability, a right to object to the processing, a right not to be the object of an automatic individual decision and a right to file a complaint with the supervising authority responsible.

What are the consequences of non-observance of the GDPR?

Fines of up to 20 million Euros or of up to 4 percent of a company’s annual global turnover can be imposed if the GDPR is not observed (depending on which amount is higher).

We provide thorough legal advice in all aspects of data protection, reviewing your business processes and data processing workflow to achieve full GDPR conformity. We will also help you to draft and implement your data protection declaration or to negotiate your SaaS contract.


Aktuelle Artikel aus dem Datenschutzrecht