What is personal data? - Art. 9 GDPR
"Individual information about the personal or factual circumstances of a specific or identifiable natural person (data subject)". This covers all information that says something about a person! Besides name, (e-mail) address and date of birth, it includes genomic data, medical information (electronic patient record), biometric data, bank data, property characteristics, customer and applicant data, online identifiers and special characteristics (e.g. physical, genetic, cultural or social identity).
Rights of the data subjects - Art. 5 - 22 GDPR
They are the core of data protection and cannot be waived by contract:
Right to transparency - Personal data must be processed lawfully, fairly (in good faith) and in a way the data subject can understand. Transparency about the context: who collects what, from whom, when, why and for what purpose?
Right to information - the right to obtain confirmation of whether one's own personal data is being processed, and information about that processing.
Right to correction, deletion and restriction of processing
Right to data portability - The data subject has the right to receive the personal data concerning them that they provided to the controller in a structured, commonly used and machine-readable format ...
Right not to be subject to an automated decision - The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
When do we speak of processing? - Art. 30 GDPR
For the purposes of the regulation, "processing" means any operation performed on personal data, with or without automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.
What is profiling? - Art. 4 GDPR
Automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyze or predict work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
What is data security?
The protection of data against unauthorized access, unwanted modification, destruction and loss. Its goals are confidentiality, integrity and availability.
Data protection directive or data protection manual - Art. 5 Para. 2 GDPR
Under the EU GDPR, companies must meet data protection requirements not just at individual points but structurally. In practice this means that in the event of an audit, a company must be able to demonstrate not only that it was working in compliance with data protection rules at a certain point in time, but also that the requirements are continuously met in day-to-day business practice.
Therefore, the data protection supervisory authorities uniformly recommend that companies (depending on their size) adopt a data protection policy or a data protection manual so that they can address the data protection requirements in a structured way.
List of processing activities - Art. 30 GDPR
Companies are obliged to document their processing activities in a written register. In other words, after reviewing the register of processing activities, a supervisory authority employee who is not familiar with your operations in detail should have a rough overview of who processes which data and how, when it is deleted and how it is technically secured. Commissioned data processing is the collection, processing or use of personal data by a service provider - e.g. a tax consultant who handles payroll accounting for a company - on behalf of the controller.
IT security - Art. 32 GDPR
By raising the fines, the EU GDPR reinforces the requirement for companies to operate their own IT systems securely according to the state of the art. This includes making sufficient funds available. The wording could be described as "vague"; what is meant is the ongoing adaptation of data protection, data security and data backup to the changing digital world and the resulting threats, including cyber crime.
Website data protection declaration - Art. 13/14 GDPR
"Digital Fitness" awareness-raising and training of employees - Art. 5 Para. 2 GDPR
Derived from the company's accountability, the employer must inform its employees about data protection issues and requirements. The scope of training depends on the industry and size of the company. Companies are required to document the implementation of the training measures.
Pseudonymization and anonymization - Art. 4 (5) GDPR
With pseudonymization, personal data is processed in such a way that it can no longer be attributed to a specific person without the use of additional information. Anonymization, by contrast, is characterized by the final removal of any possibility of attributing the data to a specific person, and is therefore the higher level of protection.
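To make the distinction concrete, here is an added example (not from the original page) in Python: keyed pseudonymization with HMAC-SHA256, where the key and the lookup table are the "additional information" that must be kept separately, beside a simple anonymization that drops the direct identifiers and generalizes the date of birth to an age band so that no link back remains. The records, key and field names are constructed for the example.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"name": "Anna Muster", "email": "anna@example.org", "dob": "1987-04-12", "diagnosis": "J45"},
    {"name": "Ben Beispiel", "email": "ben@example.org", "dob": "1962-11-03", "diagnosis": "E11"},
    {"name": "Anna Muster", "email": "anna@example.org", "dob": "1987-04-12", "diagnosis": "I10"},
]
DIRECT_IDENTIFIERS = ("name", "email", "dob")

def pseudonymize(records, key):
    """Replace the direct identifiers with a keyed HMAC token.
    The key and the returned lookup table are the 'additional information'
    of Art. 4(5): whoever holds them can re-identify the data subjects, so
    they must be stored separately from the pseudonymized data set."""
    lookup, out = {}, []
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": token, **rest})
    return out, lookup

def reidentify(pseudonymized, lookup):
    """Reverse the pseudonymization; only possible with the lookup table."""
    return [{**lookup[r["pseudonym"]], **{k: v for k, v in r.items() if k != "pseudonym"}}
            for r in pseudonymized]

def anonymize(records, today=date(2024, 1, 1)):
    """Drop the direct identifiers and generalize the date of birth to a
    10-year age band. No token and no lookup table are produced, so the
    link to the person is removed for good."""
    out = []
    for rec in records:
        age = today.year - int(rec["dob"][:4])
        low = age // 10 * 10
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"age_band": f"{low}-{low + 9}", **rest})
    return out
```

Note that the same person receives the same token, so records stay linkable inside the pseudonymized set; that linkability is exactly what anonymization gives up.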
Our online test gives you orientation for implementing the GDPR.
Make an appointment with us.