The 25th of May 2018 is the big day: from this day forth, the General Data Protection Regulation (GDPR) is mandatory for companies, associations and self-employed persons.
The GDPR came into force two years ago, but it applies from the 25th of May 2018. So there is still a little time left to prepare for it, and you should use that time, because many users assume that some lawyers are just waiting to send warning letters to freelancers, companies and other organizations.
GDPR and the consequences
Basically, and this was true before as well, all personal data must be protected. How such data is to be handled is regulated by the GDPR. Operators of their own homepage or website have until May 25th to implement these rules.
If you fail to do so, you have to expect high penalties: violations of the law may cost up to 20 million euros or four percent of sales, whichever is higher.
The changes of the EU data protection regulation (GDPR)
Good news first: data protection has always been important in Germany. So important that the EU Commission, which drafted the GDPR, followed the German guidelines on data protection.
There is no change in the basic idea of data protection: consumer rights should be protected and every person should retain their legal right to self-determination with regard to their own personal data.
The same applies to the data protection officer in companies that permanently collect and process personal data: again, nothing changes compared to the currently valid Data Protection Directive 95/46/EC.
The amendments to the GDPR
However, there are also areas that are affected by the new data protection rules.
One of these areas concerns the persons from whom the data are collected. As of 25th May 2018, companies must obtain clear and understandable consent from their users to process their data. A single consent is often not enough: if the website operator wants to collect different data from the person, the user must agree to each individual step separately.
Another novelty is that the new GDPR rules allow the website user to revoke his or her consent to the use of personal data. This can be done informally at any time, and the user may even object to certain specific aspects, such as direct marketing.
Businesses and self-employed people with their own website must pay attention to even more rules: from the end of May onwards, they must make the user's personal data available on request in a portable form, which must also meet the requirements of data protection. They must also state the criteria and legal basis for storing and processing the data.
If companies pass on false or outdated data to third parties, they are from now on responsible for having this data deleted and must also be able to prove that it was.
The procedure in case of a data leak
Wherever data is processed, there is a risk of mistakes. The GDPR requires companies to report such breakdowns or data leaks within 72 hours, not weeks or even months later as before.
If companies or self-employed people violate this rule, they will face severe penalties. In addition, users whose personal data are affected have the option of claiming damages.
To prevent data breaches, a regular data protection impact assessment must therefore be carried out.
What website operators should do
The more extensive rules of the GDPR unsettle many operators, especially those of smaller websites. Do not panic; instead, check your webpage for a few points:
- Are you using Google Analytics or another program to gather statistics about visitors to your site?
- Is there a contact form or a newsletter sign-up on your site?
- Is it possible to leave comments or posts on your website?
If the answer to any of these questions is yes, the new regulations of the GDPR most likely also apply to your site. So, what do you need to do?
Freelancers should check their webpage
Store as little data as possible
One of the most important pieces of advice regarding the GDPR is to retrieve and store as little personal information as possible. For example, if you offer whitepapers for download, the e-mail address of the interested person is sufficient; you do not need further data such as the name or even the postal address.
Don’t forget the ADV contract for tracking services
Using tracking services such as Google Analytics means that you share your customers’ data with third-party services, which is a very sensitive point in relation to the GDPR. If that is the case, you have to conclude a data processing contract (ADV contract), not with your customers or readers but with the provider to whom you pass the data on. In the case of Google Analytics, that is Google itself. Fortunately, the company offers that contract for download; you just have to complete it, sign it and send it to Google’s legal department.
Even a forum that you do not host yourself falls under this point, so you should also cover it with an ADV contract.
Mr. Gawenda, you are a Data Protection Officer for Westhouse and you are answering some questions regarding the European Basic Regulation on Data Protection (GDPR).
Can you tell our readers what SAP freelancers have to keep in mind when running their own website?
Not only freelancers, but generally all website operators should make a brief review of their settings: do they collect personal information in any way? Because you often do that with a contact form or by using Google Analytics.
However, this is nothing new, but due to the concentration of the data protection to website visitors, this could be the starting point in a review by the supervisory authorities.
The website operators should also consider switching their websites to SSL, since the GDPR on data protection “by design” and “by default” only requires a generally encrypted data transfer over the network.
What about e-mails that freelancers receive from the customer, are they allowed to store them? Is there something to keep in mind?
Business e-mails are treated like traditional business letters, so the same legal retention periods apply to them. A field of tension, however, arises from the transmission of e-mails and the personal reference they contain. The GDPR demands very specifically the pseudonymization and encryption of personal data. A business e-mail includes this personal reference, for example only because of the e-mail address and the required signature. According to this argument, a data transmission – as soon as the personal data leaves the company – only complies with the legal requirements if it is encrypted.
Incidentally, this obligation is not new, but already existing through the Federal Data Protection Act.
Do freelancers need a special program now to store client e-mails? Because from a tax perspective, relevant e-mails and personal data must be kept for ten years.
I also recommend encryption software for the purpose of archiving. But here it must be ensured that even after ten years of storage, the plain text can still be accessed – otherwise a message is very difficult to find.
What are the changes to the imprint?
The new regulation of the GDPR also includes the so-called “register of processing activities”. Can you explain what this directory looks like and which group of people has to have one?
In this directory, the processing of personal data should be described clearly and transparently, i.e. what happens to the data. This directory is one of the most important foundations for data protection obligations and – with very few exceptions – mandatory for all companies, entrepreneurs, self-employed persons and even associations. Automatic processing is not required in this process.
The GDPR is only a basic regulation. Do you have comments or advice on specific regulations and opening clauses that could be interesting for freelancers?
The GDPR is not “just” a basic regulation – it is important to know that EU law takes precedence over the respective national laws. The goal is to achieve full harmonization between the EU countries, but the respective member states are granted a certain amount of room for maneuver via their almost 70 so-called opening clauses to integrate their national regulations.
To what extent this could be of particular interest to freelancers depends on the individual case.
What kind of advice do you have for freelancers who have photos or videos integrated into their website?
In addition to copyright, you have to protect the personal rights of the people depicted. A consent form of the parties regarding the use of sound and image recordings is therefore required.
Do you have any further information for our readers?
The GDPR will remain exciting after May 25th 2018, especially as far as the activities by the supervisory authorities are concerned. Hopefully, the first judicial decisions will bring clarity to some previous interpretations.
Mr. Gawenda, thank you very much for the interview.
Basically: keep calm and do not be too unsettled. In case of doubt, contact a lawyer or see the following page on the DSGVO for more information.
Note: This article does not claim to be legally valid and cannot replace the consultation of a lawyer.