Data protection: Appropriate and reasonable
Since 25.05.2018, the European General Data Protection Regulation (GDPR) has been in force in Europe, as has the amended Federal Data Protection Act (BDSG n.F.) in Germany.
The new principles of the regulation, the so-called “data subject rights” such as the “right to be forgotten”, “data portability” and “transparency obligation”, present your company with new challenges, especially organizational and technical ones.
And that’s not all.
In the future, violations and omissions will be punished far more extensively than was previously the case. The calculation basis for this is, among other things, the total turnover of your company.
In addition, data subjects may, within the meaning of the GDPR, assert claims for damages against you, in particular also with regard to immaterial damages due to possible personal injury, damage to reputation, etc. (see Section 253 of the German Civil Code (BGB)).
The burden of proof lies with you.
- Are your directories of processing activities (VVT) up to date with regard to processes / systems? (Art. 30 GDPR)
- Have you assessed the risks of your processes regarding special category personal data? (Rec. 75-77 GDPR)
- Have you subjected them to a data protection impact assessment (DSFA), if applicable? (Art. 35 GDPR)
- How do you ensure “documented” processing security in compliance with the law? (Art. 32 GDPR)
- Have you renegotiated the old contracts according to Section 11 (2) BDSG in terms of Art. 32 GDPR, if applicable?
- Are your processes in place for the “unlikely event” of a data breach and notification within 72 hrs? (Art. 33 GDPR)
- What amount does 2% – 4% of annual turnover mean for your company in the event of a fine? (Art. 83 GDPR)
Do you have compliance with the statutory deletion deadlines under the GDPR for the processing of personal data under control?
For your information: Transfer of personal data to the USA, “Privacy Shield” (so-called Schrems II judgment)
Data protection audit
We offer an audit of the current status of your data protection management by certified data protection auditors.
You can find the current auditor certificate in the TÜV Rheinland certificate database.
We work up the “findings” for you within the framework of the annual financial statement in order to be able to prove data protection compliance to the auditor.
As a member of the Europe-wide recognized Society for Data Protection and Data Security e.V. (GDD), we provide you, upon request, with up-to-date information on all data protection-relevant topics and changes that you as a company need to know about at an early stage, so that you can act in a timely and appropriate manner in compliance with data protection requirements.
We roll up our sleeves for you!
We have considerable practical experience in implementing the GDPR with several clients in Germany and in other countries (North America, Asia) operating in various industries.
Among our clients are various financial institutions, companies from the aviation sector, large purchasing companies from the food and sanitary sector, as well as industrial and logistics companies that operate worldwide and are now facing additional challenges because of the GDPR.
International companies from so-called third countries that want to offer their products / services in Europe:
We support companies from North America or Asia with regard to the provision of an
- External data protection officer (DPO) or
- European Representative (Art. 27 GDPR)
In addition, we cooperate with international law firms, such as Orrick’s IP/IT & Data Privacy Practice Group, Düsseldorf, among others.
See also: Transfer of personal data to the USA, “Privacy Shield” (so-called Schrems II judgment)
The appropriateness and use of synergies in the organizational or technical implementation of legal requirements, especially with regard to effort and resources.
Please contact our office in Canada!