Data protection basics according to GDPR
In addition to numerous conveniences, advancing digitalisation also brings considerable challenges for authorities, organisations and companies. Whereas personal data used to be kept primarily in local registers, it can now be disseminated globally and in the shortest possible time thanks to the internet. Many people do not realise the extent of the information about them that is already circulating online. From online purchases and bank details to personal preferences, detailed profiles can be created. The often careless handling of this data emphasises the growing need for data protection.
If sensitive information falls into unauthorised hands, it can cause considerable damage. Data protection has the task of preventing this. In Germany and many other European countries, the General Data Protection Regulation (GDPR) regulates the right of every citizen to determine how their personal data is used.
Definition: What is data protection?
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, aims to safeguard the fundamental right to informational self-determination. This means that individuals themselves determine how their data is handled and who may receive what information. Based on the right to informational self-determination, the GDPR regulates the collection, use, storage and disclosure of personal data.
Data protection protects individuals from abusive data processing and guarantees privacy. Without a legal basis or consent, the processing of personal data is prohibited. Only necessary data should be collected, with the knowledge of the data subject, processed for a specific purpose and deleted when the purpose no longer applies. Technical measures against misuse are mandatory. Data subjects have rights of access, objection, rectification and erasure. Data protection in Germany is primarily governed by the GDPR and the BDSG, which, among other things, stipulate lawfulness, purpose limitation, data minimisation and accuracy. Data protection prevents unauthorised data collection, processing and disclosure in order to prevent identity theft and safeguard the right to informational self-determination.
What are the data protection laws?
The Federal Data Protection Act (BDSG for short) is a central data protection law in Germany. It regulates data protection at national level where the GDPR leaves a certain leeway for implementation through its opening clauses. It serves to supplement and concretise the GDPR, and its specific provisions only apply where the GDPR itself cannot be applied.
The Telemedia Act (TMG for short) is a central law in the field of internet law and the most important legal provision since the Telemedia Service and the Interstate Treaty on Media Services ceased to be in force. It contains regulations and obligations for providers of telemedia. This includes electronic information and communication services that are not subject to the Interstate Broadcasting Treaty or the Telecommunications Act. In general, the regulations apply to private, public or commercial providers of telemedia. One example of the obligations written into the TMG is the obligation to provide an imprint.
What does data protection mean for companies?
Companies must observe data protection principles to ensure GDPR compliance. This includes:
- Data Protection Officer: The appointment of an internal or external Data Protection Officer is mandatory in certain cases and serves the secure and efficient implementation of data protection requirements in the company.
- Processing activities: The detailed management of a record of processing activities is essential. This record must clearly define responsibilities, the type of data processed and the respective deletion periods in order to ensure transparency towards data subjects and supervisory authorities.
- Privacy policy: Every data subject has the right to be informed about the processing of their data. Therefore, companies must provide an easily accessible and understandable privacy policy; this applies in particular to website operators on their site. This right is based on the right to informational self-determination, which is strengthened by the General Data Protection Regulation (EU GDPR).
- Data protection secrecy: All persons who come into contact with personal data in the company must be obliged in writing to maintain data protection secrecy and the confidentiality of company-related data. The controller in the company ensures this.
- Data processing agreement (AVV/DPA): If external service providers process personal data on behalf of the controller, the conclusion of a legally compliant data processing agreement is mandatory. This is necessary in order to clearly regulate the rights and obligations of both parties and to guarantee the security of the data. HeyData offers support in this regard.
- Data protection measures: The implementation of suitable technical and organisational measures (TOM) is crucial to ensure the security of data in accordance with the requirements of the GDPR. This requires the development of a comprehensive company concept that includes, for example, secure access codes, user accounts and clear operational workflows.
- Data protection impact assessment (DPIA): In the case of processing operations likely to result in a high risk to the rights and freedoms of natural persons, it is necessary to carry out a data protection impact assessment in accordance with Art. 35 GDPR in order to assess these risks and define measures to minimise them.
- Erasure concept: Companies must develop and implement an erasure concept that specifies when and how personal data is to be deleted or anonymised as soon as the purpose of the processing no longer applies and there are no longer any statutory retention obligations.
- Sensitisation of the workforce: Data protection can only work if it is practised by all employees. Regular training and awareness-raising measures by the internal or external data protection officer are essential to raise awareness of the protection of personal data and promote compliance with data protection principles. In addition, processes for dealing with data protection breaches must be established.
Are there industry-specific differences in data protection?
At the latest since the introduction of the GDPR, there has been a uniform regulation on data protection. Anyone who works with personal data within the European Union will find regulations and obligations in the GDPR that must be followed. In addition, there may be special legal bases for certain industries that must be observed. Likewise, the GDPR applies to sellers from non-EU countries (so-called third countries) as soon as the customer is from the European Union.
What is the point of data protection or why is data protection so important?
Technological advances bring with them not only unimagined opportunities, but also many unimagined dangers. For example, websites collect data from users without their necessarily knowing it. This data can be very valuable for personal or economic reasons.
The processing of data on the Internet carries the risk of unauthorised persons gaining access to it. To protect customers from data misuse, but also to protect your company from attackers and fines, you should ensure that personal data is processed in compliance with the GDPR and is optimally protected.
How do consumers benefit from data protection?
Data protection obliges companies to treat customer data etc. with care. In doing so, data protection offers additional options for individuals, especially since the introduction of the GDPR. If your data in a directory is no longer up-to-date or incorrect, or if you do not want your personal data to continue to be stored in an online shop, this has now been explicitly regulated in the GDPR. By means of a request for information, various companies and service providers must hand over all of a person's stored data and process or delete it upon request.
Regular checks and inspections
Unfortunately, it is often difficult for the average consumer to understand to what extent companies actually comply with their data protection obligations. For this reason, there are so-called data protection supervisory authorities, which carry out such checks and investigate possible violations in the event of suspicious circumstances. In Germany, in addition to the Federal Commissioner for Data Protection and Information Security, there is a State Data Protection Commissioner for each federal state. In total, Germany has 17 supervisory authorities for data protection.
Companies of all sizes - from micro-enterprises to large corporations - are required to maintain data protection documentation in accordance with the GDPR and to be able to demonstrate this in the event of an inspection by the supervisory authorities. It is therefore recommended to designate a person in the company who takes care of data protection issues of all kinds, regardless of whether this is mandatory due to the size of the company.
What is the cost of a data breach?
Ask yourself whether you are in any way involved with personal data. If the answer is yes, then you are obliged to implement data protection in accordance with the regulations. Due to the high penalties for data protection violations, you should take care of these issues in a timely manner. The General Data Protection Regulation provides for fines for data protection violations. These can amount to up to 20 million euros or 4% of a company's global annual turnover, whichever is higher. However, prison sentences of up to 3 years are also possible if the data protection provisions are violated.
Who is liable for breaches of the Data Protection Act?
Many companies appoint a so-called Data Protection Officer and then consider the matter closed. However, such behaviour does not relieve the company of liability in the event of damage. This is because the appointment of a data protection officer does not necessarily mean a complete transfer of liability. In the case of simple violations, the managing director or another manager will still be held responsible.
The data protection officer or another employee can only be held accountable if intentional or grossly negligent conduct in the handling of personal data can be proven. As an entrepreneur, you are therefore always well advised to check for yourself from time to time whether the data protection provisions are being complied with in your company in the best possible way.
Video: Implementing a data protection management system with Robin Data ComplianceOS®
Organisations have numerous obligations to fulfil in order to ensure compliance with the General Data Protection Regulation (GDPR). It often takes a considerable amount of time and money to build up the necessary expertise, gain a holistic overview of data protection and set up a data protection management system (DMS).
In the Robin Data Hacks on the topic of data protection management systems, we show you how you can implement your data protection digitally and systematically control, monitor and document the measures required by law when handling personal data.
The video is a recording of a Robin Data Hack. The Robin Data Hacks take place online and participation is free of charge. Further information, dates and registration details are provided by Robin Data.
What is the difference between data protection and data security?
The difference between data protection and data security is that data protection is limited to informational self-determination and the protection of privacy. The focus here is on personal data. In contrast, data security is broader and concerns all types of data that must be protected against unauthorised access, misuse and loss. The means for this are set out in the technical and organisational measures (TOM), for example pseudonymisation. Data protection and data security can be summarised with the following questions:
- Data protection: May personal data be collected and processed?
- Data security: What are the best measures to protect data from unauthorised access?
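As an added illustration of pseudonymisation as a technical measure (example code written for this page, not from Robin Data or the GDPR text): an unkeyed hash of an e-mail address is not a pseudonym in the GDPR sense, because anyone with a list of plausible addresses can reverse it, whereas an HMAC with a separately stored key can only be re-linked by the key holder, and destroying that key is one way to implement the erasure concept described above. The sample records and the key handling are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records (not real customer data).
RECORDS = [
    {"email": "alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com", "order_total": 17.00},
]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: deterministic and reversible by trying candidate inputs."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that is stored apart from the pseudonymised data."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed pseudonym; other fields stay usable."""
    return [
        {"subject_id": keyed_pseudonym(r["email"], key), "order_total": r["order_total"]}
        for r in records
    ]


def reidentify_unkeyed(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Shows the weakness: a short list of plausible addresses reverses the naive hash."""
    for email in candidates:
        if naive_pseudonym(email) == pseudonym:
            return email
    return None


def reidentify_keyed(pseudonym: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Re-linking a keyed pseudonym to a person only works for whoever holds the key."""
    for email in candidates:
        if hmac.compare_digest(keyed_pseudonym(email, key), pseudonym):
            return email
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, separate from the data store
    data = pseudonymise(RECORDS, key)
    print(data)
    print(reidentify_unkeyed(naive_pseudonym("alice@example.com"), ["alice@example.com"]))
    key = None  # destroying the key: the records can no longer be attributed to a person
```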