Ready for the GDPR from the perspective of website operators
With the entry into force of the European General Data Protection Regulation (EU GDPR) on 25 May 2018, the fear of formal warnings (Abmahnungen) and fines has increased significantly, especially among small and medium-sized enterprises (SMEs). Only time will show the actual impact on website operators and SMEs. The risk can be kept small, however, if you know the new legal basis and are able to react to it at short notice when necessary.
The most important thing to know is that the GDPR affects everyone, including you! Whether privately or professionally, everyone deals in some way with personal data and should therefore be familiar, at least in broad terms, with the data protection rules that now apply almost uniformly across Europe. The good news: since large parts of the GDPR are modelled on the already strict German data protection law (BDSG), you will probably recognise some of the rules.
Our recommendation to website operators is to pay particular attention to the principle of data minimisation. In this spirit, we have reduced our own collection and processing of personal data to an absolute minimum, and we have dispensed with external analytics tools entirely. If you cannot refrain from gathering certain data or integrating external services, you should bear the following in mind:
Data minimisation: Only personal data that are strictly necessary for the purpose may be collected. To register for a newsletter, for instance, only a valid email address is necessary; neither a name nor a date of birth nor similar details are required.
Purpose limitation: The purpose for which personal data are collected, stored and processed must be clearly defined in advance and may not be changed or extended afterwards without a separate legal basis, normally separate consent.
Prohibition subject to permission: Personal data may not be collected, stored or processed unless there is a clear legal basis or the consent of the person concerned. The default is "not allowed"; the operator must be able to name the permission.
Data transfer: Personal data may not be disclosed to third persons or passed on to third parties without a legal basis, which for a website usually means the explicit permission of the person concerned. A particular challenge for website operators is the integration of non-European services such as Google Analytics, because data leave the EU.
Processing on behalf (Auftragsverarbeitung): Conclude a data processing agreement (Art. 28 GDPR, in German an "Auftragsverarbeitungsvertrag") with every external service provider that comes into contact with the personal data you have collected from your customers. The agreement obliges each provider to handle these data in accordance with the GDPR as well.
Tracking: You must inform the visitors of your website about every kind of user tracking; even the storage of IP addresses in anonymised form counts. Likewise, when a visitor first enters the site, the operator must indicate the use of cookies and may set cookies that are not strictly necessary (tracking, analytics, advertising) only after the visitor has actively agreed. Consent requires an affirmative action, an opt-in: a pre-ticked box or simply continuing to browse does not count, and refusing or withdrawing consent must be as easy as giving it.
Encryption: Personal data entered into web forms, logins, contact forms or shop orders must be transmitted encrypted over HTTPS (TLS). "SSL" in the strict sense refers to protocol versions that are obsolete and insecure, so use current TLS versions, and redirect plain http:// requests to https:// so that no form is ever submitted unencrypted.
Clarity and transparency: You must provide a privacy policy that is clearly linked from the home page of your website and informs visitors how their data are handled. It must be clearly worded and understandable to anyone. In addition, you must write consent texts for every collection of data and make clear that the consent may be withdrawn at any time.
Documentation and accountability: As a website operator, you are obliged to record all processes involving personal data in a register (the record of processing activities) and to provide it to the supervisory authority on request.
Obligation to inform and report: As a website operator, you are generally obliged to provide information about the personal data you store, free of charge, to anyone who asks (right of access). In addition, you must report the loss of personal data (a personal data breach) to the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of it, which helps to reduce or avoid fines. Non-compliance with the new data protection rules can also be fined.
Data Protection Officer: Under the German BDSG, which supplements the GDPR, a company in which at least ten persons are permanently engaged in the processing of personal data must appoint a data protection officer, who oversees all processing and acts as the point of contact between the operator and the supervisory authority.
With these briefly summarised key rules we would like to support you in implementing the GDPR, and we hope to have given you a useful introduction and overview. For questions and suggestions we are always happy to help, and we wish you all the best and every success with your website! [Source: Kompac't 1/2018]
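The "Tracking" and "Clarity and transparency" items above describe a technique, not just a rule: optional scripts such as analytics may only be loaded after an active opt-in, and the consent must be revocable. The following is an added example of how that gate can be implemented in plain JavaScript. It is not code from the original article or from its authors; the cookie name "site_consent", the category names "analytics" and "marketing", the six-month validity period and the script URLs are all assumptions made for the illustration.

```javascript
// Added example (not from the original article): consent-gated loading of
// optional tracking scripts. Cookie name, categories and period are assumed.

const CONSENT_COOKIE = "site_consent";          // assumed cookie name
const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // assumed categories
const CONSENT_VERSION = 1; // bump when the privacy policy or purposes change

// Parse a Cookie header (or document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Categories the visitor has actively agreed to. No cookie, a malformed
// cookie or an outdated consent version all mean "no consent": silence is
// never treated as opt-in.
function allowedCategories(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return new Set();
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    return new Set();
  }
  if (record.version !== CONSENT_VERSION || !Array.isArray(record.granted)) {
    return new Set();
  }
  return new Set(record.granted.filter((c) => OPTIONAL_CATEGORIES.includes(c)));
}

// Set-Cookie value recording an explicit choice. Only the granted categories
// and a timestamp are stored (data minimisation): no user identifier.
function consentCookieValue(grantedCategories, nowMs) {
  const granted = grantedCategories.filter((c) => OPTIONAL_CATEGORIES.includes(c));
  const record = { version: CONSENT_VERSION, granted: granted, ts: nowMs };
  const maxAge = 180 * 24 * 3600; // ask again after six months (assumed policy)
  return CONSENT_COOKIE + "=" + encodeURIComponent(JSON.stringify(record)) +
    "; Max-Age=" + maxAge + "; Path=/; SameSite=Lax; Secure";
}

// Withdrawal must be as easy as consent: expire the cookie, so the next
// page view falls back to "no consent".
function revokeConsentCookieValue() {
  return CONSENT_COOKIE + "=; Max-Age=0; Path=/; SameSite=Lax; Secure";
}

// Decide which optional scripts may be injected for this request.
// `scripts` maps category -> script URL.
function scriptsToLoad(cookieString, scripts) {
  const allowed = allowedCategories(cookieString);
  return Object.entries(scripts)
    .filter(([category]) => allowed.has(category))
    .map(([, url]) => url);
}

// Browser side: inject only the permitted scripts; strictly necessary
// first-party code is served in the page itself and never passes this gate.
function injectPermittedScripts(doc, cookieString, scripts) {
  for (const url of scriptsToLoad(cookieString, scripts)) {
    const el = doc.createElement("script");
    el.src = url;
    el.async = true;
    doc.head.appendChild(el);
  }
}
```

The decision function is pure, so it can be run on the server (from the Cookie header, to decide which script tags to render) or in the browser (from document.cookie), and the same check protects against a stale cookie from an earlier version of the privacy policy: whenever the purposes change, raising CONSENT_VERSION silently invalidates all earlier consent and the banner is shown again.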