DSGVO: How to Prevent Expensive Warning Letters (Abmahnungen) – Fully Automatically
The EU General Data Protection Regulation (DSGVO) is already in force. But when it applies from 25 May 2018 onwards, it will hit many companies unprepared. Infringements can be punished with up to 4% of the turnover and with fines of up to 20 million euros. What's worrying is that the rules will remain in motion for quite some time to come. Gosign offers a DSGVO shield that significantly reduces this operational risk by moving with the case law. And all this automatically.
What is this all about? The purpose of the data protection reform is to give users of online services more transparency about how their personal data is used.
The requirements for how you, as a website operator, have to inform users about this can turn out to be confusingly high.
In principle, a distinction is made between:
- Personal data
- Pseudonymized data
- Anonymized data
Data is anonymous only if assigning the data to a person is almost impossible in practice. This is the case, for example, with ballots for the Bundestag elections. In the case of pseudonymised data, the data on the person concerned is separated in such a way that it can only be reassigned with considerable effort – for example using a key. Everything else is personal data. In all likelihood, your company collects such data from visitors to your website.
This is not just about visitor statistics, which can be more personal than you would like. Third-party tools that customers use to send you contact requests, tools with which applicants upload their resumes, and still others that handle newsletter subscriptions all send sensitive personal information – often to third parties. Did you know that some of your providers of stock photos are sending home personalized messages? Does your privacy policy clarify this? What happens if you update your website and replace one or more of these providers – will you then rewrite your privacy policy?
Presume that your company collects personal information
The decisive point is that your old privacy policy falls far short of informing your visitors about this in the sense of the DSGVO. Our experiences and observations to date paint a rather sad picture of how DSGVO-ready most companies are so far.
The responsible authorities will not be squeamish about making companies pay. It is a declared aim of the new regulations to make abuse extremely unattractive and infringements painful. Therefore, considerably higher penalties are planned than before.
Experts also see complaints from consumer protection associations as an imminent danger. They now have very effective tools at their disposal to enforce their interests.
The new privacy policy now requires you to make your users fully and understandably aware of what is happening to their data and what rights they have over their data.
These are the following rights:
- Your visitors have the right to be informed about the use of their data
- They have the right to object to this use
- They have the right to correction and to be forgotten
- They have the right to fully transfer their data to another service
The first point alone requires considerably more effort from every company that offers services on the Internet, or is simply present there, than was previously provided for in § 13 of the German Telemedia Act. Among other things, it must be made clear on what legal basis you collect this data and that you have a legitimate interest in collecting it.
If you do not yet have a data protection officer in your company, you must change this and name that person – this is also part of the information obligation.
"But we don't collect any data – not properly, at least"
Excuses of this kind are not well received at all, because every user of digital services (the law refers to the "data subject") has a right to have his data properly collected and kept. The data protection officer is also responsible for this. He has to keep a so-called procedural register, which informs authorities and affected persons at any time, without much fuss and in a structured manner, about which data are used and how, and that they are controlled and securely processed. Such a structured approach should also ensure that each data subject can be provided with a collection of his data immediately upon request.
Each page visit triggers a huge data stream to third parties
Most users, and many companies too, are not aware of what a cascade of data streams an interaction with a website can trigger. In most cases, Google's analysis software reports each page visitor pseudonymously (if the page operator has configured it accordingly). If the site uses Google fonts, Google delivers these fonts to the visitor's IP address, which thereby becomes known to Google, even if Google Analytics is not at work. So Google still gets to know the visitor, even if you don't.
With fonts from another provider, the visitor becomes known to that provider instead. The same applies to various technical frameworks or other integrated services such as forms, newsletters or payment services that are dynamically loaded into the visitor's browser.
This applies even more to the recommendation buttons of various social media such as Facebook. On pages that embed like and recommendation buttons without additional protection, they identify and track by name every user who is logged in at the same time (which is usually the case).
Added to this are the tracking technologies of hundreds of advertising networks used on media and shopping portals. They serve to monetize these sites' offerings, even if a visit does not immediately lead to a purchase.
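The data flows described above can be made visible with a small audit script. The following is an added example, not part of the original article or of Gosign's product: it lists every host other than the site's own that a visitor's browser would contact, and so disclose its IP address to, when rendering a page. The site `shop.example`, the newsletter host and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser requests (or submits to) on the visitor's behalf.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}
# <link> is only fetched for these rel values; rel="canonical" etc. cause no request.
FETCHED_RELS = {"stylesheet", "preload", "icon"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.findings = {}  # third-party host -> [(tag, absolute URL), ...]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(URL_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and not FETCHED_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        host = urlparse(url).hostname
        if host and host != self.first_party:
            self.findings.setdefault(host, []).append((tag, url))

def audit(page_url, html):
    """Return {host: [(tag, url)]} for every host other than the page's own."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical site shop.example, hypothetical newsletter host).
PAGE_URL = "https://shop.example/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://other.example/page">
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
</head><body>
<img src="/img/logo.png">
<form action="https://newsletter.example/subscribe" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for host, hits in sorted(audit(PAGE_URL, SAMPLE_HTML).items()):
        print(host, [tag for tag, _ in hits])
```

Static HTML is only a lower bound: scripts that load further resources at runtime are not seen here, so each host in the output should be checked against the privacy policy and then followed up in the browser's network view.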
Companies lack expertise for DSGVO impact assessment
It is no wonder that companies lack the personnel to implement and comply with all the necessary regulations. Never before have the technologies used been so complex and dynamically interlinked. It is precisely this proliferation, however, that is the reason for wanting to inform the layman better about it.
Only a few experts are able to penetrate the functionality of the technologies used far enough and at the same time bring them into line with a legally valid explanatory text.
That's why the same standard texts are used everywhere, and in many cases they are already outdated today. As a result, they state facts incorrectly or incompletely. In most cases, they are not formulated as comprehensibly as required by the new EU data protection legislation.
Even the fortunate fact that your company employs a lawyer does not guarantee that you are really secure. Often enough, the lawyer is not even informed when something new is installed. In other cases your lawyer is experienced in fundamental data protection issues, but he is not a technician.
Many lawyers do not know in detail what the technologies in use do, where they scatter their data, and where they leave traces. Read the privacy statements of law firms and ask yourself how much they can do for your company in the demanding implementation of the EU DSGVO.
Privacy-qualified attorneys are fully booked
Many companies that have not already made plans to implement the DSGVO are now at a loss for advice. The number of law firms in Germany specializing in IT and data protection law is limited. The best of them have not taken any more orders for some time.
The consequences: it is becoming increasingly difficult for many companies to get an appointment with a specialist lawyer. After that, the detailed review of the status quo and the corresponding requirements can be a time-consuming process – especially if the documentation of processes relevant to data protection law was incomplete or not available in the past.
In the next step, you must define the organizational and procedural measures so that you can work in compliance with the law and with data protection requirements in the future. All this takes time. Only then has your company implemented the necessary organisational and personnel structures, which include a responsible data protection officer, a list of procedures and a meaningful and comprehensible data protection declaration in the sense of the DSGVO.
We can help with all these processes with our DSGVO shield. Among other things, it helps to accelerate standardized processes and analyses and to automate parts of them. The speed and legal certainty gained in implementing the DSGVO is considerable – considerable operational risks are eliminated.
The data protection law of the DSGVO remains in motion
We are convinced, together with our specialist attorneys, that case law will continue to be applied in practice for a long time to come. There is now a new legal framework which must first be tried and tested by all companies in the initial phase.
As in the past, there will be differing assessments of the situation. Precedents will appear, model lawsuits will be conducted, consumer protectors will exert pressure, industry associations will argue against it – as a result, many legitimate interests will have to be weighed up against each other and reconciled.
In the meantime, new technologies are appearing on the market that will gradually replace others and bring new changes in user data handling.
The DSGVO requires Privacy by Design and Privacy by Default. Over time, this can have very positive effects for all users if many of the technical solutions used on websites today evolve in this direction.
These two terms require all digital service providers and their developers to trim their applications for data economy from the outset. Privacy by Default, on the other hand, means that no digital offering collects any personal data without the conscious and informed consent of the user.
The mere fact that these two topics are demands of the DSGVO and not a description of the current situation tells us that in many cases they have not yet been implemented, but are to be implemented with immediate effect. This means that many technological solutions will look different in the future than they do today. And with their new functionality, the demands on the data protection declarations of those who use them – i.e. every operator of a website, for example – will change as well.
Conclusion
The DSGVO requires constant engagement with the topic – even after the successful implementation of all necessary measures.
Because the technologies used and the living case law move and change, the data protection procedures and declarations have to change as well – an elaborate and error-prone process.
Even if you want to implement the DSGVO regulations conscientiously and with the best intentions, there are still countless pitfalls to stumble into. It can be assumed that from 25 May 2018 so-called warning-letter (Abmahnung) lawyers will pounce on every conceivable omission and gap in order to enrich themselves, because the amounts in dispute have recently made this worthwhile. What these lawyers do not cover is checked by the competent official bodies and consumer protection associations.
The associated fines are a danger to any company.
Luckily, you can safeguard yourself.
Automate the DSGVO process!