Data privacy Q&A: Questions and Answers
Contents
Who is affected by the GDPR?
What are personal data?
What are “special categories” of personal data?
Who must appoint a Data Protection Officer?
What are the advantages of an external Data Protection Officer compared to an internally appointed DPO?
What are the duties of a Data Protection Officer?
What should be considered when appointing an external Data Protection Officer?
When to report a data breach?
What is a data processor?
When must a data processing agreement be concluded?
General
Our answers to general questions about data protection:
Who is affected by the GDPR?
The General Data Protection Regulation (GDPR) applies to all organisations based in the EU that process personal data by automated means. Organisations outside the EU must also comply with the GDPR if they have a branch in the EU or process data of EU citizens.
What are personal data?
Personal data means any information that identifies or makes identifiable a natural person. In addition to general personal data, such as name, address, date of birth, e-mail address, profession and nationality, this also includes more sensitive categories of personal data that require comprehensive protection and are therefore subject to stricter data processing regulations. These data are called ‘special categories’ of personal data. The IP address also constitutes personal data.
What are “special categories” of personal data?
In addition to general personal data, there are also particularly sensitive data that fall under the category of sensitive personal data (see Art. 9 GDPR): this includes data on racial and ethnic origin, political opinion, religious belief, trade union membership, health data, biometric data, genetic data, data on sexual life or sexual orientation. These categories of data are classified as particularly worthy of protection during processing.
Data Protection Officer
Our answers to questions on the designation and tasks of the Data Protection Officer:
Who must appoint a Data Protection Officer?
In Germany, a Data Protection Officer must be appointed if at least 20 persons are involved in the processing of personal data in an organisation. This includes all persons who carry out regular and continuous data processing in the company. These may be employees, trainees or volunteers. Regardless of the number of persons in a company, a Data Protection Officer must also be appointed if processing is carried out that is subject to a privacy Impact Assessment pursuant to Art. 35 GDPR or if the core activity of the company is the processing of particularly sensitive data or involves extensive or systematic observation of persons.
What are the advantages of an external Data Protection Officer compared to an internally appointed DPO?
When deciding whether to appoint an internal or external Data Protection Officer, factors such as expertise, liability, termination and costs must be taken into account. An external Data Protection Officer has certified and well-founded expertise. He is always up to date with the latest developments in data protection law. An external data protection officer can minimise the organisation’s liability. He has no special protection against dismissal. Notice periods for the mandate are contractually agreed. The costs for the external Data Protection Officer are to be set against the costs for salary, as well as training and further education costs of an internal DPO.
What are the duties of a Data Protection Officer?
Under Art. 39 GDPR, the Data Protection Officer shall advise and inform the management and employees about the obligations under the GDPR and other data protection regulations regarding the processing of personal data. The Data Protection Officer shall monitor compliance with the GDPR and make suggestions for improvement. If a Privacy Impact Assessment is required, the Data Protection Officer can be consulted in an advisory capacity. The Data Protection Officer is also the link between the supervisory authority, the data subjects and the company.
What should be considered when appointing an external Data Protection Officer?
When choosing an external Data Protection Officer, attention should be paid to his/her professional qualifications and, in particular, expertise. The Data Protection Officer should be competent in the field of data protection law and data protection practice and should undergo regular further training. The selection of a suitable person is easier if the Data Protection Officer is a member of professional associations and has a corresponding expertise in IT law, employee data protection or other data privacy topics that are relevant for your organisation.
Obligations
Our answers to questions on data protection obligations:
When to report a data breach?
A data breach occurs when personal data is disclosed or lost. It is irrelevant whether this happened unintentionally or unlawfully. A data breach must be reported if the incident results in a risk to the rights and freedoms of natural persons. In the event of a breach, the notification must be made to the competent supervisory authority without delay and, if possible, within 72 hours of the breach becoming known.
What is a data processor?
A data processor is a natural or legal person (a company), public authority or other body that processes personal data on behalf of the controller. The data processor may process the personal data only on the instructions of the controller and on the basis of a contract. The processor must implement appropriate technical and organisational measures to protect the personal data. Examples of processors are IT service providers or cloud providers. However, tax accountants or lawyers are not considered processors, as they act with discretion and on their own responsibility.
When must a data processing agreement be concluded?
A data processing agreement must always be concluded if a data processor accesses personal data and processes it on behalf of the controller in accordance with the instructions given.