Table of Contents
Privacy in Germany is mainly shaped by the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In Germany, all data protection principles are regulated in the so-called EU General Data Protection Regulation (GDPR). It is a binding data protection law for all persons and companies living or having their headquarters in Germany or Europe. The new General Data Protection Regulation came into force on May 24, 2016. Since May 25, 2018, all data protection measures contained therein have been bindingly applicable in the respective member states. This means that the EU General Data Protection Regulation also applies before the respective national law.
In comparison to Germany and Europe, there is no comprehensive and generally applicable data protection law in the USA. Here, different laws apply for different areas, for example, for the health care system, the financial sector or for the economic and trade sector. In the USA, data protection is part of consumer protection law and thus represents a part of economic life. In Germany and Europe, on the other hand, personal data is simply one of the fundamental rights of every citizen. Many German and European IT decision-makers therefore underestimate the impact of the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which also came into force in 2018. This law stipulates that data that is not physically stored in the USA but is managed by US companies must be transferred without a prior decision by a judge. And it is precisely this provision that makes the CLOUD Act completely at odds with the GDPR. The regulations apply to almost all data that is in the custody, control or ownership of a company. Not only personal data is affected, but also patents, company-related evaluations and data, but also measurement and telemetry data and thus all data that is normally specially protected.
In Germany, the focus is on protecting the basic rights and freedoms of natural persons to a special degree - above all the right to informational self-determination. Above all, the regulation will strengthen consumer rights. In particular, data processing agencies must adhere to very strict regulations, because in order to be allowed to process particularly sensitive personal data, the prior consent of the person concerned must be obtained.
German companies with more than 10 employees must appoint a data protection officer. The same applies in other EU countries with 20 or more employees. But especially companies that are mainly involved in the collection and processing of personal data (regardless of the size of the company) require a data protection officer.
There are exceptions for small businesses: This is the case if only nine or fewer employees are regularly entrusted with the processing of personal data. In this case, you as the managing director can take over the data protection yourself. Incidentally, the number of employees is not determined by whether they are full-time, part-time or freelance. Here, each person is fully evaluated. A data protection officer can be an employee of the company, but can also be appointed externally. He must be able to prove his expertise in data protection through appropriate training, e.g. at the Chamber of Industry and Commerce. You are also obliged to publish the contact details of the data protection officer on your website. You should therefore avoid potential conflicts of interest in advance that could call into question the reliability of the representative.
In general, the further processing of data depends on the respective purpose. This means that personal data that has been collected may not be used for other purposes and that each process of data use must be transparent and comprehensible. In the meantime, the scope of application also applies to companies from third countries as soon as data of EU citizens are involved. According to the law, consent to processing must be given actively - for example, by checking a box on a website. If different data processing operations are planned, consent must be given separately for each individual operation. It must be possible for the data subject to revoke this consent at any time in a simple and comprehensible manner without further explanation.
It must also be possible for the data subject to actively object to a single purpose of data processing. Apart from this, contracts may no longer be made dependent on whether consent to data processing has been given, in accordance with the so-called prohibition of coupling. The General Data Protection Regulation also stipulates that in the course of the right of access, information on the respective legal basis of the processed and collected data, as well as the duration of the storage or its criteria, must also be stated.
Companies must also be in a position to transfer the data of a data subject in a portable yet secure format directly to a third party upon request. If data has been passed on to a third party, public and non-public bodies must contact the respective contact persons and inform them of the incorrectness in the event of an obligation to delete incorrect or outdated data.
If errors or breakdowns occur, data subjects may claim corresponding damages from the data processor. In the event of data protection violations, the Federal Data Protection Act (BDSG) provides for a fine of up to 300,000 euros or up to 2 years imprisonment. In turn, the sanctions in the EU General Data Protection Regulation (EU-GDPR) can result in a fine of up to 4% of the worldwide company turnover or up to 20 million euros.
The term "data protection" refers to protection against the improper processing of personal data and protection of the right to informational self-determination: Each individual can decide in principle what personal data he or she discloses and whether it may be used.
Protection of personal data is required when responsible bodies process personal data in accordance with the General Data Protection Regulation. Data protection is generally about protecting information that is not intended for the general public. Personal data are in particular private and personal data that allow conclusions to be drawn about a person. It is therefore mainly contact data such as name, telephone number, address, e-mail address, date of birth, but also the IP address.
Data protection is therefore understood to mean the protection of the right of personality according to Articles 1 and 2 of the German Law when processing data and the protection of the individual's own privacy. Violations of data protection are punishable by fines of up to EUR 20 million or 4% of the worldwide annual turnover of the responsible body. A prison sentence of up to 3 years is also possible.
With the help of privacy, personal data can be protected against data misuse. Such protection is playing an increasingly important role, especially in the context of progressive digitization.
For example, the data of participants in a competition organized by the German AOK health insurance company was used for advertising purposes, even though they had not consented to its use for marketing measures. Although the health insurance company had attempted to use technical and organizatory The responsible state authority then imposed a fine of 1.24 million euros.
There can also be serious consequences for those affected if, for example, their private e-mail address becomes known and details of their own medical history or chat histories of private conversations that are worthy of protection are made publicly accessible. The same naturally applies to sensitive bank data. In the course of digitization, data protection has gained enormously in importance, especially because, for example, surfing behavior can also lead to the collection of a large amount of data and thus information about the user behavior of third parties.
Compliance with privacy is monitored by the relevant supervisory authority. For companies, this means that the respective data protection commissioners of the federal states assume this task. In addition, the data protection officer is to act as an independent authority within the company to ensure compliance with the regulations. In this way, he or she also assumes a control function that would actually also be the responsibility of the supervisory authorities. Data protection violations are now also assigned to consumer protection, among other things because they also have legal relevance. For this reason, violations can also be punished by consumer protection organizations or any competitors by means of warnings.
In general, however, data protection is a matter for the boss, which means that the managing director of a GmbH must also ensure that data protection is observed. Since the EU-GDPR came into force, he is also liable for the alleged mistakes of his employees. In the course of this, the person responsible also has the burden of proof or the duty to prove that he or she has followed all rules. To obtain an independent assessment, companies can undergo a so-called data protection audit. Suitable auditors are arranged, for example, through the Federal Association of Data Protection Officers in Germany (BvD) and the German Association for Data Protection and Data Security (GDD).
If you are affected as a person, please contact the company's data protection officer. If the responsibility lies in the non-public sector, the relevant country-specific supervisory authority is responsible. Each federal state has a state commissioner for data protection. For public institutions at federal level, responsibility lies with the Federal Commissioner for Data Protection and Freedom of Information. If you as a company are affected, the report is made in the federal state in which the violation occurred. There are forms for this case on the websites of the respective supervisory authorities of the federal states.
In Germany, the General Data Protection Regulation applies as described above. Data protection law is derived from the right to informational self-determination. It stipulates that everyone is basically free to decide for themselves how their personal data is to be handled. The term "personal data" plays a central role in data protection law. Only when data is related to a person (e.g. name, birthday, address, email address, IP address or bank account details) does data protection law apply.
The most important principles of data protection law include:
Get your free full version of DRACOON with 10 users and 10 GB highly secure cloud storage and store, send and manage your data in a secure way.
Data security protects against loss and manipulation. It plays a key role, especially in connection with company-specific data. It refers to all data that is used or processed in a company. It therefore also includes information about personal data. Classic examples include project data, company secrets, but also data from the human resources department. The regulations on data security are anchored in § 9 of the Federal Data Protection Act. Here, for example, it is stipulated that the protection of data must be ensured by technical and organizational measures.
Data protection serves, among other things, to protect the personal privacy of each citizen. It is an integral part of basic rights and personal rights and refers to the regulations that apply in connection with personal data. The corresponding legislation can be found in the Federal Data Protection Act and the data protection laws of the federal states. The data protection law states among other things that it is forbidden to collect and/or process data on persons without legal permission or consent.
It is important to take appropriate precautions to ensure that data in a company is actually protected against access by unauthorized persons, for example against loss, manipulation or unlawful processing. Among other things, it should be ensured that only authorized persons have access to the various information.
Today, IT security is more important than ever. Especially in times when everyone is online and almost all their life is closely connected to the Internet, data has become a highly sensitive and valuable asset. But if data falls into the wrong hands, the consequences can be fatal.
Therefore, companies in particular should make sure that they use suitable technical systems that support them in complying with the EU GDPR regulations and provide maximum protection for data. Failure to comply with these obligations can result in heavy fines. The catalog of fines in the GDPR provides for fines of up to 20 million euros. However, the supervisory authority may also impose fines of up to four percent of the worldwide annual turnover achieved in the last financial year as a fine. The higher of the two figures is decisive. In addition to the financial damage, however, the loss of reputation in the public eye and consequently with the customer is immense.
For adequate data protection, the following topics should also be considered.
The primary goal of IT security is to protect against risks that could result in financial damage.
But nowadays, a company’s IT department can hardly be expected to guarantee the security of all of its IT systems by itself. This is why more and more services are being outsourced to the cloud. The advantage of this is that cloud service providers specialize in IT security. DRACOON is an expert in the field of cloud security and works day in and day out on further improving IT security in the cloud and helping users regain control over their data.
Virtual data rooms offer the ability to share company data within the scope of due diligence, a process subject to more stringent privacy requirements. In this context, a company that is up for sale provides access to a comprehensive document management system, enabling prospective buyers and potential investors to gain a clear overview of all of the company’s relevant data and, if necessary, to collaborate on joint documents.
These mostly cloud-based data rooms must be secured by special measures, such as multi-factor user authentication, to prevent unauthorized access to the company’s files.
IT security concepts have been shaping our digital work environment long before the EU’s General Data Protection Regulation came into force. They have a significant impact on the IT infrastructure and privacy.
End-to-end encryption plays just as important a role as modern access control mechanisms which ensure that internal and external employees only “see” the files they are allowed to see and require for their work.
“I’ll e-mail you the contract as soon as we get off the phone” – everyone has heard this at least once. After all, e-mail is still the most popular way to send information and files.
But hardly anyone is aware that all of the information is sent in plain text.
This is particularly risky in a business context, as e-mails and e-mail attachments can be intercepted with relatively little effort. As a result, many companies are looking for a solution that allows them to send sensitive files via e-mail securely and in compliance with the GDPR.
Ransomware refers to malicious software that encrypts data and systems, making them unusable. Ransomware blocks the infected systems and computers until the owner pays the ransom demanded. This means that an entire company can be crippled as a result of a single user’s mistake. With DRACOON, you won’t ever lose a single file.
When using client-side encryption, a user encrypts their data with their own key and then transfers the data to the server. In this process, the key that encrypts the data never leaves the user’s computer. As a result, it is impossible to decrypt the files on the server itself, as the key needed for this purpose is only saved on the client. In other words, the data and the key used to encrypt and decrypt it are saved in to two physically separate locations. This means that no third party, not even the platform operator, can access the saved data.
Do you have questions about privacy or would you like us to call you back? This contact form is the fastest way to reach us:
Would you like a personal conversation?
Then simply arrange an appointment with one of our experts by selecting a suitable date in the calendar here.