Data protection law / Datenschutzrecht
April 04, 2022
Since "Regulation (EU) 2016/679 of the European Parliament and of the Council", known as the General Data Protection Regulation (GDPR), came into force on 25 May 2018 at the latest, email inboxes have been overflowing with requests for consent to the new data protection regulations, companies have suddenly been called to account more and more often, and no one has been able to avoid "data protection".
However, for many internet users it has probably become a reflex to click away the cookie banner that pops up when they open a website, and few people read carefully the data protection statement that is now found on almost every website. Even "offline", the information leaflet on data protection, for example when it is attached to a letter or displayed at the entrance to an event, is waved through rather casually.
Amid these often annoying circumstances, it is easy to forget what actually lies behind the data protection requirements: the protection of data and informing data owners about their rights. After all, the ways in which one can lose control over one's own data have multiplied rapidly in the course of digitalisation.
Data protection law is an expression of the general right of personality, which has its legal basis in Article 2(2) and Article 1(1) of the German Constitution. At European level, the protection of personal data is guaranteed by Article 8 of the EU Charter of Fundamental Rights. An important part of data protection law is derived from the right to informational self-determination (a combination of the general right of personality with the protection of one's own privacy). According to this right, every person should have the power to determine the use and disclosure of his or her own personal data. The principle of informational self-determination was laid down by the German legislator in the Federal Data Protection Act (BDSG). The aim of the law is to create a balance between the handling of personal data and the encroachment on personal rights. Further important regulations have been created at the European level with the General Data Protection Regulation (GDPR), which is now directly applicable in the member states. In addition, there are data protection requirements from the Telecommunications Telemedia Data Protection Act (TTDSG), which has been in force since 1 December 2021, as well as the EU ePrivacy Regulation, which has still not been adopted, and the case law of the ECJ and the Federal Supreme Court.
What is personal data and when is there processing?
According to Art. 4 No. 1 GDPR, personal data means any information relating to an identified or identifiable natural person. A person is considered to be identified if his or her identity can be derived directly from the data obtained or from a combination of the data obtained with other personal data or other information. Personal data includes, for example, name, contact data (e.g. address, e-mail address), bank account details, national insurance number, date of birth, health data, but also pictures, location or movement data or IP addresses. This includes all data by which the person whose data is being processed (the so-called data subject) is identified or identifiable.
Processing of personal data within the meaning of Art. 4 No. 2 GDPR covers almost any form of handling. This includes, for example, collection, organisation, storage, adaptation or modification, use and dissemination, but also deletion. Even reading an email or receiving a business card is data processing. It is irrelevant whether the processing takes place digitally or on paper.
Under what conditions may personal data be processed?
With regard to data processing, a so-called prohibition with reservation of permission applies. This means that the processing of personal data is generally unlawful unless the processing is based on one of the legal grounds listed in Art. 6 (1) a) - f) GDPR.
According to Art. 6(1)(a), data processing is permitted if it is based on the consent of the data subject. The consent must have been given voluntarily and for a specific case. It must be clear and understandable, and the data subject must have been informed of the possibility of withdrawing consent before giving it. Art. 7 and 8 GDPR regulate further conditions for effective consent. According to Art. 6(1)(b), processing is also permitted if it is necessary for the performance of a contract to which the data subject is a party, or if it is necessary for pre-contractual measures taken at the request of the data subject. Pursuant to Art. 6(1)(c), processing is allowed if it is necessary for compliance with a legal obligation to which the controller is subject. Pursuant to Art. 6(1)(d), processing is also allowed if it is necessary to protect the vital interests of the data subject or of another natural person. According to Art. 6(1)(e), processing is allowed if it is necessary for the performance of a task carried out in the public interest on behalf of the controller or in the exercise of official authority. Finally, according to Art. 6(1)(f), processing is allowed if it is necessary for the protection of the legitimate interests of the controller or of a third party; however, these interests must be balanced against the interests, fundamental rights and freedoms of the data subject, which regularly prevail if they are particularly worthy of protection.
Before any data processing, it must be checked whether one of these cases exists. Otherwise, the processing is unlawful.
In addition, the principles listed in Article 5 of the GDPR apply to all data processing: the requirement of lawfulness and transparency of data processing (para. 1(a)), and the requirement that data be used only for the purpose for which it was collected (para. 1(b)). It is also stipulated that processing must be limited to what is adequate and relevant, the so-called principle of data minimisation (para. 1(c)). Furthermore, the principles of accuracy (para. 1(d)) and storage limitation (para. 1(e)) apply. The requirement of integrity and confidentiality (para. 1(f)) states, among other things, that appropriate security of personal data must be ensured during processing.
The data controller is obliged to comply with these principles and must be able to demonstrate this on request, the so-called accountability (Art. 5(2) GDPR).
Special categories of personal data according to Art. 9 GDPR
Art. 9 of the GDPR lists categories of data that the legislator classifies as particularly sensitive and therefore wishes to provide special protection through stricter regulations for processing. According to Article 9(1) of the GDPR, this includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation.
The prohibition with reservation of permission also applies to these data. The exceptions in Art. 9(2)(a)-(j) GDPR, which may allow the processing of these sensitive data, are, however, even more limited than those for "simple" data.
According to Art. 9(2)(a), consent is only suitable as a basis for permission if it is "explicit". According to Art. 9(2)(b), processing is permitted in the context of labour and social law if and to the extent that it is necessary for the controller or the data subject to comply with the rights and obligations arising there (e.g. payment of salary and tax contributions, etc.). Processing to protect the vital interests of the data subject or of another natural person is only permitted under Art. 9(2)(c) if it is necessary and the data subject is physically or legally unable to give his or her explicit consent. According to Art. 9(2)(e), processing is allowed if it relates to personal data which the data subject has manifestly made public. According to Art. 9(2)(f), processing is allowed, for example, if it is necessary for the establishment, exercise or defence of legal claims, or for acts of the courts in the course of their judicial activities.
All in all, when processing these particularly sensitive data, a special degree of care must be taken.
In practice, data controllers often use external service providers to carry out a wide variety of tasks. These service providers often process, on behalf of the data controller, personal data which the data controller has received from its customers, employees, etc. This can be, for example, the external payroll office, but also the external programmer of the website or the service provider that sends the newsletter. These persons are then referred to as processors within the meaning of Article 28 of the GDPR.
In this case, the data leave the direct sphere of the actual controller, but they continue to be processed on the controller's behalf and according to its instructions. Separate information or consent of the data owner is therefore not required. However, as a rule, a so-called data processing agreement must be concluded between the controller and the processor. This contract defines the respective duties and responsibilities with regard to data processing. In this way, the controller can ensure that the processor also complies with the required data protection standards.
Essential obligations in the context of data processing - online and offline
The so-called TOMs, the technical and organisational measures for the protection of data, are an expression of the principles of Art. 5 GDPR as well as Art. 32 GDPR, which contains specific requirements for the security of processing.
Accordingly, the controller is obliged to establish an appropriate level of protection for the processed data. The question of what is "appropriate" cannot be answered in a blanket manner. When assessing each individual case, various factors must always be taken into account, such as the state of the art, the implementation costs, the nature, scope, context and purposes of the data processing, and the likelihood and severity of the risk of a data breach. According to Art. 32(1), measures to achieve this level of protection include pseudonymisation and encryption (paragraph 1(a)), the ongoing assurance of the confidentiality, integrity, availability and resilience of systems and services (paragraph 1(b)), the ability to restore the availability of and access to personal data rapidly in the event of a physical or technical incident (paragraph 1(c)), and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures (paragraph 1(d)).
Which measures are suitable and necessary depends on the individual case. They may include: up-to-date software, virus scanners and firewalls; secure passwords; screen locks that activate quickly; access restrictions, both digital and in the office; training and instruction of employees; regular evaluations of the level of data protection; the conclusion of data processing agreements and monitoring of compliance with them; etc.
The other essential obligations in the context of data processing can be roughly categorised into documentation obligations and information obligations:
The documentation obligations include the creation and maintenance of a so-called processing directory (the record of processing activities) within the meaning of Article 30 of the GDPR. In it, the processing company documents its processing operations, in particular the categories of data, the data subjects, the purposes of the processing and the deletion periods. The directory must be kept up to date at all times and presented in the event of an audit by the data protection authority.
The TOMs applied must also be documented, kept up to date at all times and must be able to be presented to the data protection authority upon request.
The information obligations pursuant to Art. 13 GDPR are primarily fulfilled by creating and providing the data protection declaration. This can be done in the form of a statement on the website or, when contact is made by other means, in the form of general information on data processing, for example as an attachment to a letter, as a notice in a public place or similar. The aim, however, is always the same: the data subjects should be informed as early as possible about what data is being processed, on what legal basis, for what purpose, for how long, and who the data controller is. In addition, the data subjects should be explicitly informed of their legal rights.
The well-known cookie banner is also based on these information obligations. However, its type and structure as we currently know it has also been shaped by the EU ePrivacy Regulation, which has not yet been adopted, and the case law of the ECJ ("Planet49" of 01.10.2017, ref. C-673/17) and subsequently the BGH ("Cookie Consent II" 28.05.2020, ref. I ZR 7/16) and has now been standardised in Section 25 TTDSG.
In addition, from a company size of approx. 20 persons, the appointment of a data protection officer is generally required.
Violations of the GDPR
Unlawful data processing always exists if there is no legal basis for the processing within the meaning of Art. 6 (1) or Art. 9 (2) GDPR. Data processing is also unlawful if the principles of Art. 5 GDPR are violated.
Given that the declared objective of the GDPR is to protect natural persons, their data, rights and freedoms in connection with data processing, a breach also occurs if no appropriate measures have been taken to protect the data, or if the documentation and information obligations have been violated.
According to Art. 4 No. 12 GDPR, a breach of the protection of personal data is understood to be any interference with the security of the data, including the destruction, loss or alteration of the data, as well as any unauthorised disclosure or access.
In this respect, it is important to note that it does not matter whether the breach is intentional or unintentional, or even whether it occurs without any action on your part, e.g. through a hacker attack. It is also irrelevant whether the affected person has suffered noticeable damage beyond the actual breach. For example, a breach already exists if sufficient protection is not guaranteed within a company and an employee of another department has access to data of a customer for which he is not responsible internally.
Rights of data subjects
For those affected by data processing operations, the GDPR provides for a variety of rights. These include the right to withdraw consent to data processing at any time once it has been given (Art. 7(3) GDPR). Furthermore, there are the right of access to the data processed (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR), the right to object (Art. 21 GDPR), the rights relating to automated individual decision-making (Art. 22 GDPR) and the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR).
These so-called data subject rights are available to any person affected by data processing. They exist regardless of whether the data processing was lawful or unlawful.
According to Article 82 of the GDPR, data subjects affected by unlawful data processing can also assert claims for damages against the controller. However, this requires that the data subject substantiates and proves, in addition to the violation itself, a material or non-material damage caused by it.
Risks for data controllers
Data breaches and other violations of the obligations of the GDPR are not to be taken lightly.
First of all, the assertion of data subject rights can involve considerable effort (in time and also money) for data controllers. Extensive requests for access or erasure can often drive companies to the brink of despair.
In addition, there is the risk of warnings from competitors or consumer protection associations, for example because of faulty data protection declarations and cookie banners on websites.
Finally, an audit by the competent data protection authority must always be expected. In the course of such an audit, the processing operations in the entire company are scrutinised and checked for their conformity with the GDPR. If violations are found, there is the threat of severe fines.
However, the risks and the associated effort can be reduced considerably by actively examining the data flows in your own company, gaining an overview, and adopting and continuously implementing a number of effective measures. We would be happy to support you in this.