Attention "dusty"!
This article is already a little outdated and may contain information that no longer corresponds to the current status of the topic.
The new legal framework for EU-wide data protection, which has been years in the making, was adopted in 2016 and comes into force on May 25, 2018. Unlike EU directives, which have to be transposed into national law by the member states, EU regulations apply equally to all member states and take precedence over national laws. One advantage of this is that the "patchwork" of regulations in the various member states is to disappear thanks to a common regulation, which also eliminates competitive distortions caused by different data protection laws. However - and this is also criticized - the General Data Protection Regulation (GDPR for short) contains many opening clauses (79 in number), which offer national legislators the opportunity or force them to define their own regulations. Germany has already done some work here with the Data Protection Adaptation and Implementation Act (DSAnpUG-EU for short), which will then become the new Federal Data Protection Act (BDSG) and about which socialmediarecht.de provides comprehensive information. The ePrivacy Regulation completes the GDPR with regard to digital data.
THE CHANGES IN BRIEF
Consumers have more rights: they can view the processing of their data and prohibit or restrict processing at any time. In particular, the right to be forgotten, which previously could only be exercised in court, has now been included in the regulation (Art. 17 GDPR).
Companies have more obligations: This includes, among other things, that devices and software must have a data protection-friendly default setting. Anyone who wants to process very sensitive data (e.g. health data) or uses technologies that are "likely to result in a high risk to the rights and freedoms of natural persons" must carry out a data protection impact assessment (Art. 35 GDPR). You can find more information on this at https://datenschutz-grundverordnung.eu/dsgvo/art-35-dsgvo/. Companies that are not based in the EU but offer their services to EU citizens must also comply with the GDPR.
Those who do not comply with the new GDPR will face significantly higher fines from May: up to 20 million euros or up to 4% of their global annual turnover. The penalties under the previous BDSG are ridiculously low in comparison.
WHAT DO I HAVE TO CONSIDER AS A WEBSITE OPERATOR?
The GDPR is intended to protect personal data. First of all, you should be clear about what personal data actually is. This is all data that can be linked to a person, i.e. name, address, bank details, GPS positions, online behavior (cookies), IP addresses, etc. In short: all data that can be collected and stored. If you collect and / or store such data and / or process it further, the new regulations affect you. And this is already the case if you operate a website.
PRINCIPLES
The collection, storage and processing of personal data is generally prohibited unless permission has been granted by the data subject or a legal provision permits this. The data you collect must be tied to a purpose and only collected if you need it for this purpose. If you offer a newsletter, for example, the name is not required and may not be collected. You are also obliged to ensure the security of the data.
The right to be forgotten means that if a person wishes to have their data deleted, you are obliged to do so immediately. From May 2018, this will apply to all data processors and no longer just to search engines.
Example "Newsletter": A user cancels their newsletter subscription. According to the GDPR, you are obliged to delete the user's data immediately. However, all companies to which you have provided this data (newsletter service, tracking service, CRM software) must also delete this data immediately. ADV contracts are required to ensure this (see below).
DATA PROTECTION DECLARATION
As a website operator, you will have to adapt your privacy policy in order to be compliant with the GDPR. This means that all necessary information must be precise, easy to understand, transparent and easily accessible. A very good example is the privacy policy from datenschutz-guru.de. It is also worth reading because it deals with the technology and necessity of data protection methods.
What should be included in the privacy policy?
- Name and contact details of the company and, if applicable, the data protection officer
- The purposes for which personal data is to be collected and processed and the legal basis for this (consent or legalization by legal document)
- If the processing is based on Article 6(1)(f) GDPR, the legitimate interests pursued by the controller or a third party
- If available, the recipients or categories of recipients of the personal data (in the event of disclosure)
- The duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- The rights of the data subjects, such as the right of access to the personal data concerned (Art. 15 GDPR) and the right to rectification or erasure (Art. 16 and 17 GDPR) or to restriction of processing (Art. 18 GDPR) and the right to object to processing (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR)
- The possibility to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
- The existence of a right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is required by law or contract or is necessary for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data and the consequences of not providing the data
MINIMIZE RISKS - WHAT YOU CAN DO
1. HTTPS IS UNAVOIDABLE
With the introduction of the GDPR, you are virtually obliged to use an encrypted SSL/TLS connection for your website so that data is transmitted in encrypted form. This is the only way to ensure that the data your visitors send via a contact form, for example, cannot be intercepted by third parties. We have already written a detailed article on switching to HTTPS and what you need to bear in mind: Switching to HTTPS done right.
2. KEEP CMS UP TO DATE (OR HAVE IT UPDATED)
Websites are usually based on content management systems such as Drupal, WordPress, Joomla or similar. There are always security updates to ward off hacker attacks. To keep your system secure, these updates must be installed regularly. If you have hired an agency to take care of your web CMS, you should make sure that they keep your CMS up to date and secure at all times.
We assume that only 5-10% of CMSs regularly install security updates! Are you one of them?
3. KEEP CMS SETTINGS UP TO DATE
Employees come and go. If CMS user accounts are not deleted after an employee leaves, former employees potentially have access to the CMS. You should also encourage your employees to keep their passwords secure and change them regularly. We have already written an article about secure passwords. Also make sure that CMS users only have the rights they need for their work.
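The three points above (accounts of former employees, stale passwords, rights beyond what the job needs) can be checked mechanically against a CMS user export. The following is an added example and not code from the original article or from any particular CMS: it assumes a user export with username, role, last login and last password change, an HR list of current staff with the role they actually need, and two policy thresholds; all sample data and the thresholds are constructed for illustration.

```python
"""Audit CMS user accounts against the list of current staff.

Added example (not from the original article). Assumes a CMS user export
with (username, role, last_login, password_changed) and an HR list mapping
current employees to the role their work requires. All values below are
constructed sample data; field names and thresholds are assumptions.
"""
from datetime import date

# Constructed sample: a CMS user export. Real exports differ in field names.
CMS_USERS = [
    # username, role, last login, last password change
    ("anna", "administrator", date(2018, 4, 30), date(2018, 1, 15)),
    ("bernd", "editor", date(2017, 11, 2), date(2016, 5, 1)),
    ("claudia", "administrator", date(2018, 4, 28), date(2017, 3, 9)),
    ("dirk", "editor", date(2018, 4, 29), date(2018, 4, 1)),
    ("extern-agency", "administrator", date(2018, 2, 10), date(2016, 1, 1)),
]

# Constructed sample: who currently works here and which role they need.
CURRENT_STAFF = {"anna": "administrator", "claudia": "editor", "dirk": "editor"}

MAX_PASSWORD_AGE_DAYS = 180  # assumed policy value
MAX_INACTIVE_DAYS = 90       # assumed policy value
ROLE_RANK = {"subscriber": 0, "editor": 1, "administrator": 2}


def audit_accounts(users, staff, today):
    """Return (username, finding) pairs for every account that needs action.

    Order of checks: an account with no current employee behind it is
    reported once and skipped; for the rest, excess rights, password age
    and inactivity are reported separately so each can be acted on.
    """
    findings = []
    for name, role, last_login, pw_changed in users:
        if name not in staff:
            findings.append((name, "no current employee: delete or disable"))
            continue
        needed = staff[name]
        if ROLE_RANK[role] > ROLE_RANK[needed]:
            findings.append((name, f"role {role} exceeds required {needed}"))
        if (today - pw_changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, "password older than policy"))
        if (today - last_login).days > MAX_INACTIVE_DAYS:
            findings.append((name, "inactive: consider disabling"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(CMS_USERS, CURRENT_STAFF, date(2018, 5, 1)):
        print(f"{user:15s} {finding}")
```

Run against the sample data, the audit flags the two accounts without a current employee (one of them an agency account with administrator rights), and the employee whose administrator role exceeds the editor role her work requires and whose password is older than the policy allows. The same check is worth running after every departure, not only once for the GDPR deadline.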
WHAT ABOUT ORDER DATA PROCESSING?
The following illustrates what happens when a visitor visits a particular website.
A visitor calls up the page "/product1" with their browser. The browser sends a request to the website, which includes the IP address. However, this request reaches several recipients:
1: The request reaches the server
2: The request reaches the web server
3: The request reaches the application level with the website
4: The website responds to the request.
On the way back, the data reaches all 3 levels again.
Log files are created at all levels to record the actions on devices or software. These log files can be used to rectify errors, among other things, but can of course also be used for analysis purposes. Log files include the IP address, date, time, request, etc. Thought experiment: If the server, web server and website are operated by different companies (companies A to C), the number of people who theoretically have access to the request data is unmanageably large.
And anyone who knows which person is behind an IP address can then also know what this person did and when.
In this example, there are only 3 companies "in the game" so far. However, it can be assumed that these companies commission other companies with services. The server operator commissions an IT administrator for maintenance, the web server operator uses a backup service to secure data and the website operator tracks its visitors. In theory, the data is therefore passed on to many more companies than you are even aware of.
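One technical measure a website operator controls directly is to reduce the personal data in the log files before they are stored for long or handed to any of the companies described above: strip the host part of the IP address (a common setting in analytics tools), or replace it with a keyed hash where one visitor must stay distinguishable without keeping the address itself. The following is an added example, not code from the original article; it assumes log lines in the common Apache/nginx "combined" format, and the three log lines are constructed samples.

```python
"""Reduce personal data in web server log lines before storage or sharing.

Added example (not from the original article). Assumes the Apache/nginx
"combined" log format, where the client IP is the first field. The sample
lines below are constructed.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log lines in combined log format.
SAMPLE_LOG = """\
203.0.113.42 - - [01/May/2018:10:15:32 +0200] "GET /product1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [01/May/2018:10:15:33 +0200] "GET /style.css HTTP/1.1" 200 812 "https://example.org/product1" "Mozilla/5.0"
198.51.100.7 - - [01/May/2018:10:16:01 +0200] "POST /contact HTTP/1.1" 302 0 "-" "curl/7.58"
"""

# First whitespace-free field is the client address, the rest is kept as-is.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def truncate_ip(ip_text):
    """Drop the host part: keep /24 for IPv4 and /48 for IPv6.

    Raises ValueError if the field is not an IP address (e.g. a hostname
    when the web server resolves names).
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip_text, key):
    """Keyed hash (HMAC-SHA256, shortened) so repeat visits stay linkable
    without storing the address. The key must be kept secret and rotated;
    the result is still pseudonymous, not anonymous, data."""
    return hmac.new(key, ip_text.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_line(line, key=None):
    """Return the log line with its client address truncated (default)
    or, if a key is given, replaced by a keyed pseudonym."""
    m = LOG_RE.match(line)
    if not m:
        return line  # unparseable line: leave untouched rather than corrupt it
    ip = m.group("ip")
    try:
        replacement = pseudonymize_ip(ip, key) if key else truncate_ip(ip)
    except ValueError:
        return line  # first field is not an IP address
    return f"{replacement} {m.group('rest')}"


def anonymize_log(text, key=None):
    """Apply anonymize_line to every line of a log file's text."""
    return "\n".join(anonymize_line(line, key) for line in text.splitlines())


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG))
    print(anonymize_log(SAMPLE_LOG, key=b"constructed-demo-key"))
```

Truncation turns 203.0.113.42 into 203.0.113.0 and the IPv6 address into 2001:db8:abcd::, which is enough for error analysis and coarse statistics but no longer identifies a single connection. Whichever variant is used, it only helps if it is applied at every level that writes logs, which is exactly why the contracts with the server and web server operators matter.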
If you are the operator of this website, you are responsible for ensuring that all data collected and shared on your website is protected. This is what ADV contracts (order data processing contracts) are for. As a company, you must conclude ADV contracts with all subcontractors that process data for you. These must include the fact that other companies that may come into possession of this data (other subcontractors) must also conclude ADV contracts. This was previously regulated by Section 11 BDSG, but from May 2018 by Art. 28 GDPR. This is a tightening of the regulations:
As the client, you are the first point of contact for data subjects and are responsible for compliance with data protection regulations. What is new under the GDPR, however, is that the contractor who processes the data for you is also responsible.
Further examples of data transfer:
- Server
- Newsletter services
- Store software
- Payment systems
- Billing software
- Cloud systems
- etc.
You should therefore be aware that there are potentially many recipients of personal data with whom data processing agreements should be concluded.
Do I need a data protection officer?
Generally speaking, every company can voluntarily appoint a data protection officer. For some companies, however, this is mandatory if the company carries out core activities that require special monitoring from a data protection perspective. This includes you, for example, if you deal with data (address databases etc.). You must then also include the contact details of the data protection officer in your privacy policy.
Art. 37 para. 1 GDPR regulates when a company data protection officer must be appointed. However, the regulations are supplemented by the new Federal Data Protection Act due to the opening clauses. While the number of employees in a company is not a reason to appoint a data protection officer in the GDPR, Section 38 BDSG (new) will stipulate from May 25, 2018 that a company must appoint a data protection officer if at least 10 people are permanently involved in the processing of personal data. It is possible to appoint an internal or external data protection officer. He or she should meet certain requirements in order to be able to support the company in terms of data protection law. These include professional qualifications, specialist knowledge and practical experience in data protection and the ability to fulfill the legally defined tasks:
- Informing and advising controllers, processors and employees
- Monitoring compliance with the GDPR and special national regulations
- Raising awareness and training
- Advice and monitoring in connection with the data protection impact assessment
- Cooperation with the supervisory authority
Conclusion
Website operators must be prepared for the fact that a new privacy policy is not enough. Entire processes that deal with personal data may need to be completely overhauled in order to comply with the new GDPR. We have compiled a short list of to-dos to help you with this:
- Record all data processing procedures in a directory.
- Check whether all data processing processes are necessary. Also check whether all previously processed data is really necessary.
- Make your employees aware of the topic of data protection and inform them about the GDPR regulations that apply to them.
- Conclude contracts with subcontractors and service providers that are compliant with the GDPR. Make sure that the entire chain of data processing companies is included in these contracts.
- Ensure that information obligations and the rights of access, rectification, erasure and restriction can be complied with.
Some of the images used in this article come from other sources. You can find the sources in the imprint.