Frequently Asked Questions
The GDPR aims primarily to give control to individuals over their personal data. As relatively new legislation, there are many questions about GDPR, which we hope to answer in the following FAQ.
In Germany, a company must appoint a data protection officer if at least 20 employees regularly process personal data, e.g. of customers, employees or suppliers, via computer, tablet or smartphone (see § 38 BDSG). According to this rule the term”employee” applies not only to actual employees, but also to interns, freelancers, temporary employees and trainees. Whether full-time or part-time employees are involved is irrelevant, every person is counted.
Regardless of the number of employees, companies must appoint a DPO, if:
- processing is subject to a data protection impact assessment in accordance with Art. 35 GDPR, § 38 Paragraph BDSG;
- personal data is processed in accordance with business practices for the purpose of transmission, anonymised transmission or for purposes of market or opinion research, § 38 Paragraph BDSG;
- processing operations are performed which, due to their nature, scope and/or purposes, require extensive regular and systematic monitoring of data subjects, Art. 37 para. 1 b GDPR;
- extensive processing of special categories of data according to Art. 9 GDPR or of personal data on criminal convictions and offences according to Art. 10 GDPR, Art. 37 para. 1c GDPR is carried out.
Authorities or public bodies (with the exception of courts), insofar as they act within the framework of their judicial activity, are also subject to a general duty to appoint a data protection officer.
Even if there is no duty to appoint a data protection officer the obligations under the GDPR apply (e.g. obligation to compile a record of processing activities, definition of Technical Organisational Measures, conclusion of data processing agreements, preparation of data protection impact assessments, etc.).
The GDPR does not apply to the processing of personal data carried out by a natural person in the course of a purely personal or household activity and thus without reference to a professional or economic activity. This is referred to as a household exemption. The typical personal and familiar area of the household exemptions include leisure time, holidays, private consumption or private sport activities. While sharing of images in the familiar sphere within closed user groups (e.g. in WhatApp) may still fall under the household exemption, this is not the case for public posts on social networks.
In general, a data protection notice must be made available to a data subject whenever processing of their personal data is in place. “Processing” of data is to be understood very broadly. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction. Data protection declarations are therefore particularly necessary when signing contracts with natural persons (rental contracts, purchase contracts, support contracts, etc.). The operation of a website – even if no data is collected via forms or other communication channels, such as chat tools – results in the obligation to provide a data protection notice. This is due to the fact that the server of the website requires IP addresses for the establishment of the connection to the website and that the IP address is stored at least for a short time. IP addresses are classified as personal data, which means the use of the IP address and any other personal data used within the framework of the website must be disclosed in the privacy notice.
A common mistake is that the declaration of consent does not describe clearly enough the purpose for which the consent is to be given and the specific personal data it applies to. Furthermore, the reference in Art. 7 para. 3 sentence 3 GDPR is forgotten, namely that the consent can be withdrawn at any time with effect for the future and who the person can turn to in this regard (contact data and contact channels). For the data collected within the scope of consent, reference should then be made to a corresponding data protection notice explaining further use.
It is not possible to conclude standard contractual clauses with a data processor established in the European Union (EU) – at least this is the view of the Article 29 working group now referred to as the European Data Protection Board). Therefore, if a data processor established in the EU is to subcontract another party outside of the EU, the controller must either directly conclude standard contractual clauses with the sub-processor established outside of the EU or authorise the data processor established in the EU to conclude standard contractual clauses with the sub-processor.
Yes, the GDPR can also be fully applicable to companies without a branch office in the EU – e.g. a start-up in the USA. The GDPR applies to such companies whenever they process personal data of individuals located in the EU and offer them goods or services. The goods and services may also be free of charge. Furthermore, the GDPR is applicable if companies without an established office in the EU observe the behaviour of people, insofar as this behaviour takes place in the European Union.
In general, the obligation to draw up a list of processing activities in accordance with Art. 30 (5) GDPR applies only to companies with 250 or more employees. However, this doesn’t apply if the frequency of data processing is other than occasional, Art. 30 Par. 5 GDPR. Even when processing its own employee data a company no longer processes data only occasionally, which means that de facto almost all companies are again subject to the obligation to compile a record of processing activities according to Art. 30 GDPR.