Frequently Asked Questions
The general goal of data protection is to protect personal data against misuse. This is closely related to the protection of privacy. The purpose of data protection is to safeguard the individual's fundamental right to informational self-determination: everyone should be able to decide for themselves which of their personal data is accessible to whom, when, and for what purpose.
In Germany, a company must appoint a data protection officer (DPO) if at least 20 persons are regularly engaged in the automated processing of personal data, e.g. of customers, employees or suppliers, via computer, tablet or smartphone (see § 38 BDSG). For this head count, the term "employee" covers not only regular employees but also interns, freelancers, temporary workers and trainees. Whether they work full-time or part-time is irrelevant; every person is counted. Members of management, on the other hand, are not included.
Regardless of the number of employees, companies must appoint a DPO if they:
- carry out processing that is subject to a data protection impact assessment under Art. 35 GDPR (§ 38 para. 1 sentence 2 BDSG);
- process personal data on a commercial basis for the purpose of transfer, anonymised transfer, or for purposes of market or opinion research (§ 38 para. 1 sentence 2 BDSG);
- carry out processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37 para. 1 lit. b GDPR);
- carry out large-scale processing of special categories of data under Art. 9 GDPR, or of personal data relating to criminal convictions and offences under Art. 10 GDPR (Art. 37 para. 1 lit. c GDPR).
Public authorities and public bodies are always obliged to appoint a data protection officer (Art. 37 para. 1 lit. a GDPR); the only exception is courts insofar as they act in their judicial capacity.
The obligation to appoint a data protection officer is separate from the other data protection obligations a company has under the GDPR. Even where no DPO has to be appointed, those obligations still apply in full (e.g. keeping a record of processing activities, defining technical and organisational measures, concluding data processing agreements, carrying out data protection impact assessments, etc.).
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, i.e. without any connection to a professional or commercial activity. This is referred to as the household exemption. The typical personal and familial sphere covered by the household exemption includes leisure time, holidays, private consumption and sport. While sharing photos within the family in closed user groups (e.g. on WhatsApp) may still fall under the household exemption, this is not the case for public posts on social networks.
In general, a data protection notice must be made available to a data subject whenever their personal data is processed. "Processing" is to be understood very broadly: it includes collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. A data protection notice is therefore needed in particular when concluding contracts with natural persons (rental contracts, purchase contracts, support contracts, etc.). Operating a website also triggers the obligation to provide a data protection notice, even if no data is collected via forms. The reason is that the web server needs the visitor's IP address to establish the connection and stores it at least for a short time (typically in its access logs). IP addresses are classified as personal data, so the use of the IP address, and of any other personal data processed in connection with the website, must be disclosed in the privacy notice.
A common shortcoming is that the declaration of consent does not describe clearly enough for which purpose consent is being given and which data of the data subject the consent actually covers. Furthermore, the information required by Art. 7 para. 3 sentence 3 GDPR is often missing, namely that consent can be withdrawn at any time with effect for the future, and to whom the data subject can turn to do so (contact details and contact channels). For the data collected on the basis of the consent, reference should then be made to a corresponding data protection notice explaining its further use.
It is not possible to conclude standard contractual clauses with a data processor established in the European Union (EU); at least, this is the view of the former Article 29 Working Party, now the European Data Protection Board (EDPB) under the GDPR. Therefore, if a data processor established in the EU wants to engage a sub-processor outside the EU, the controller must either conclude standard contractual clauses directly with the sub-processor established outside the EU, or authorise the data processor established in the EU to conclude standard contractual clauses on its behalf.
Yes, the GDPR can also be fully applicable to companies without an establishment in the EU, e.g. a start-up in the USA. The GDPR applies to such companies whenever they process personal data of individuals located in the EU in connection with offering them goods or services; the goods and services may also be free of charge. Furthermore, the GDPR applies if a company without an establishment in the EU monitors the behaviour of individuals, insofar as that behaviour takes place within the European Union (Art. 3 para. 2 GDPR).
In general, Art. 30 para. 5 GDPR exempts companies with fewer than 250 employees from the obligation to keep a record of processing activities. The exemption does not apply, however, if the processing is more than occasional. Since a company already processes data more than occasionally simply by processing its own employee data, de facto almost all companies are subject to the obligation to keep a record of processing activities under Art. 30 GDPR.