Attention "dusty"!
This article is already a little outdated and may contain information that no longer corresponds to the current status of the topic.
First things first: create a table listing every service provider that processes data on your behalf in any way. This includes tax and payroll offices, cloud services, email services and hosting providers. Note when you requested an ADV contract (a data processing agreement, "DPA"), when you received it, and document all communication with the respective service provider. This way you always have an up-to-date record. In this article, we focus on various online services that we and our customers use regularly.
If your company uses one or more of the following online services, you should take the steps mentioned to ensure data protection in accordance with the GDPR.
1. Google Analytics
Google Analytics is used by many website operators to measure and monitor website traffic. The data is sent to Google in the USA, which can be at least questionable in terms of data protection. As a company in the EU, you have a duty to ensure that the data of EU citizens is protected if you commission the processing of this data. This is the case as soon as you create website analytics.
Firstly, the IP addresses of your visitors must be anonymized. This is controlled by the tracking parameter "anonymize IP" ("aip"), which must be set to "true". To do this, one line must be added to the Google Analytics tracking code. How exactly this works is described in detail here. As an internet agency, we can of course take on this task for you.
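As an added illustration (not code from the original article), the following shows the analytics.js command queue with the weak and the corrected tracking snippet side by side, plus a small check that the anonymizeIp setting is queued before the first hit is sent. The property ID is a placeholder; the queue stub mirrors the one Google's standard snippet installs before the library loads.

```javascript
// Stub that mirrors the bootstrap in Google's analytics.js snippet:
// commands are pushed to ga.q until the real library processes them.
function createQueue() {
  const ga = function () { (ga.q = ga.q || []).push(Array.from(arguments)); };
  return ga;
}

// Weak configuration: no anonymizeIp, so the visitor's full IP reaches Google.
function weakSnippet(ga) {
  ga('create', 'UA-XXXXXX-Y', 'auto'); // placeholder property ID
  ga('send', 'pageview');
  return ga.q;
}

// Corrected configuration: the "aip=true" parameter, set before any hit.
// (The gtag.js equivalent is gtag('config', ID, { anonymize_ip: true }).)
function anonymizedSnippet(ga) {
  ga('create', 'UA-XXXXXX-Y', 'auto'); // placeholder property ID
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
  return ga.q;
}

// Audit helper: true only if anonymizeIp is set before the first 'send'.
// Accepts both ga('set', 'anonymizeIp', true) and ga('set', { anonymizeIp: true }).
function ipAnonymizedBeforeSend(queue) {
  for (const cmd of queue) {
    if (cmd[0] === 'send') return false;
    if (cmd[0] !== 'set') continue;
    if (cmd[1] === 'anonymizeIp' && cmd[2] === true) return true;
    if (typeof cmd[1] === 'object' && cmd[1] !== null && cmd[1].anonymizeIp === true) return true;
  }
  return false;
}
```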
Secondly, you should conclude a contract with Google Analytics that protects you as a company with regard to the data you have commissioned to be processed. To do this, log in to Google Analytics, click on "Manage" (Admin) in the sidebar on the left, and then on "Account settings" at account level.
Scroll all the way down to this section:
Click on "Show addendum". A pop-up opens with the terms and conditions of this addendum. Click on "Agree".
Then click on Save at the bottom. If you are a company based in the EU, you must also click on the link "Manage details of the data processing addendum" in the gray box to enter at least one legal entity and at least one contact (primary contact) of your company. A new window will open:
Click in the "Legal entities" field and enter your company name there, for example. Click on the + in the "Contact persons" field at the top right and enter the necessary information.
2. Amazon Web Services
Amazon Web Services (AWS) is a platform for "cloud services that provide computing power, database storage, content delivery and other functions [...]". If you use AWS for your company, you must conclude a written contract with AWS. You can find this contract here https://eu-west-1.console.aws.amazon.com/console/dpa or download it here.
Fill out the contract and send it by e-mail to aws-dpa-submissions@amazon.com. The contract has already been signed by AWS. Keep your copy in a safe place.
3. Google Suite
Google Suite, formerly Google Apps for Work, is often used to edit and store documents, spreadsheets or presentations in the cloud for collaborative work. Personal data can also be collected here. Google offers a solution that is just as simple as the one for Google Analytics.
Log in to the Google Suite admin console: https://admin.google.com. Then click on "Company profile".
Click on "Profile".
Scroll all the way down to this section:
Of the 4 addenda, you must check and accept 1., 2. and 4. Point 3 is only for companies that are subject to HIPAA (the US Health Insurance Portability and Accountability Act).
4. Slack
Slack is a communication medium in which workspaces can be created for different (project) teams so that online communication can take place. The service is available as a free and paid version. The conditions can be viewed here.
Slack has already adapted its privacy policy to the GDPR and provides information on data protection on this page: https://slack.com/intl/de-de/privacy-policy-updated
The ADV contract is available on request from feedback@slack.de, on this page: https://slack.com/intl/de-de/terms-of-service/data-processing, or here for download.
An ADV contract must be concluded for each workspace. The contract is already signed by Slack and must be completed and sent to dpa@slack-corp.com with the information about which workspace URL is involved. Keep your copy in a safe place.
How to proceed with other service providers?
Most service providers have already responded to the upcoming GDPR and provide information on their websites. You will probably find what you are looking for by searching for "<service> adv", "<service> dpa" or "<service> datenschutz". Looking up the service provider's data protection officer can also help. As mentioned at the beginning, record in your table which measures you have taken to protect yourself legally.