
GDPR: Basics for operational practice


The General Data Protection Regulation, better known as the GDPR, has fundamentally changed the data protection landscape in Europe and beyond, and it continues to pose major challenges for companies today.

In today's digital world, the protection of personal data is not only a legal obligation but also an important factor in gaining and maintaining the trust of customers, employees and partners.

This practical guide is intended to help companies better understand the requirements of the GDPR and integrate them into their day-to-day business processes.

It is designed to support both newcomers to data protection law and experienced practitioners in creating and maintaining data protection-compliant structures and processes in their company.
In the first part of this guide, we will explain the basics of the GDPR and the associated rights and obligations. This will serve as a solid foundation for understanding the next steps and recognizing the need for data protection-compliant measures.

You will receive tips for the practical implementation of the GDPR in business practice. We provide you with specific recommendations for action, checklists and sample forms to systematically and efficiently implement the requirements of the GDPR.

On data protection, we offer you comprehensive assistance, from impact assessments and information obligations to consents and the specific requirements for data transfers.

We want to build a bridge for you between the theoretical requirements of the GDPR and the practical implementation in day-to-day operations. Our aim is for you to not only understand the GDPR at the end of this guide, but also to be able to implement and maintain data protection-compliant processes in your company.

We look forward to accompanying you on this journey.

Overview

The GDPR is a comprehensive EU law that regulates the processing of personal data.

Article 6 GDPR sets out the legal bases for data processing, including consent and necessity for the performance of a contract.

Personal data is information that can be related to an identifiable person.

Article 15 GDPR grants individuals the right to information about their processed data, while Article 17 covers the "right to be forgotten", i.e. the erasure of data.

The GDPR means that companies must take measures to ensure data protection compliance and avoid fines.

The regulation is directly applicable in all EU member states, which is made clear by the name EU GDPR. Companies can expect significant penalties for GDPR violations.

Article 82 GDPR regulates the right to compensation for data subjects.

Companies are obliged to keep a register of procedures, as required by Article 30 GDPR, and to report data breaches to the supervisory authority in accordance with Article 33 GDPR.

The GDPR is also relevant outside the EU, as it applies to all companies that offer services in the EU or process the data of EU citizens.

For full GDPR compliance, companies must comply with the principles set out in Article 5, which include transparency, purpose limitation, data minimization and security.

Data protection officers play an important role by monitoring compliance with the GDPR and acting as contact persons for the data protection authorities.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that governs the protection of the personal data of EU citizens. It came into effect on May 25, 2018, and replaces the previously applicable Data Protection Directive of 1995.

The GDPR has several main objectives:

  1. Harmonization of data protection laws across the EU
    Before the GDPR, the various EU member states had different data protection laws, which led to confusion and inconsistencies. The GDPR has replaced these national laws with a single, uniform regulation.
  2. Strengthening the rights of individuals
    The GDPR has strengthened the rights of individuals in relation to their data. This includes the right to access their own data, the right to rectification, the right to be forgotten, the right to data portability and the right to object to the processing of personal data.
  3. Stricter requirements for companies and organizations
    The GDPR places high demands on companies and organizations that process personal data. They must ensure that they process the data securely and responsibly, and they must be able to prove this. The GDPR also imposes stricter reporting obligations in the event of data breaches.

Why is the GDPR important for your company?

The General Data Protection Regulation (GDPR) is of great importance for companies for several reasons:

  1. Legal compliance and penalties
    Companies that violate the GDPR can be fined heavily. These can be up to €20 million or 4% of the company's global annual turnover, whichever is higher. It is therefore crucial that companies comply with the requirements of the GDPR in order to avoid these risks.
  2. Trust and reputation
    When companies take data protection seriously and work in compliance with the GDPR, this promotes the trust of their customers, business partners and the public. Conversely, a breach of data protection regulations can cause significant damage to a company's reputation.
  3. Competitive advantage
    Companies that treat data protection as a strategic advantage and are transparent about how they handle their customers' data can stand out positively from their competitors.
  4. Data management
    The requirements of the GDPR may prompt companies to review and improve their data processing practices. This can lead to them using their data more efficiently and gaining better insights into their customers.
  5. International data transfer
    The GDPR also sets out the conditions under which personal data can be transferred outside the EU. It is therefore important for companies that operate internationally or work with partners outside the EU to understand and comply with these regulations.

Basics of the GDPR

In this article we will focus on the basics of the General Data Protection Regulation (GDPR), which serves as the central set of rules for data protection in the European Union. The GDPR is more than just a legal document: it is the decisive guideline for regulating and ensuring the protection and processing of personal data.

Understanding the basics of the GDPR is the first step to ensuring that your company is compliant. These basics range from the fundamental principles and definitions of the GDPR to the rights of data subjects. They provide a solid foundation for all other aspects and measures that are relevant in the context of the GDPR.

In the first part of this chapter, we will look at the most important principles of the GDPR, including the principles of lawfulness, fairness, transparency, purpose limitation and data minimization. We will then look at the definition of personal data and special categories of data and explain what is meant by data processing.

Another important aspect is the rights of data subjects, which have been strengthened by the GDPR. This includes the right of access, rectification, erasure (also known as the "right to be forgotten"), restriction of processing, data portability and the right to object to processing.

By understanding and applying these principles, your company can ensure that it meets the requirements of the GDPR and both protects the privacy of data subjects and makes its own business processes legally compliant.

Basic principles of the GDPR

The General Data Protection Regulation (GDPR) is based on a set of fundamental principles that guide the handling of personal data. These principles are:

  • Lawfulness, fairness and transparency
    Personal data must be processed in a lawful, fair and transparent manner. This means that companies must have a valid legal basis for processing data and must be transparent towards the data subjects.
  • Purpose limitation
    Personal data may only be collected for specified, explicit and legitimate purposes. Processing that is not compatible with these purposes is generally not permitted.
  • Data minimization
    Only as much data should be collected and processed as is absolutely necessary. Data that is not necessary should not be collected or should be deleted immediately.
  • Accuracy
    Personal data should be correct and up-to-date. Companies are obliged to delete or correct incorrect data immediately.
  • Storage limitation
    Personal data should not be stored for longer than necessary. As soon as the data is no longer required for its original purpose, it should be deleted or anonymized.
  • Integrity and confidentiality
    Personal data should be processed securely. This includes both technical security (e.g. protection against attacks on IT systems) and organizational security (e.g. access controls).
  • Accountability
    Companies must be able to prove that they comply with these principles. This means that they must keep records of their data processing activities and implement appropriate security measures.

Personal data

Personal data is information that relates to an identified or identifiable natural person ("data subject").

A natural person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This means that data that can be used to identify an individual is considered personal data. This can be a name, an address, a telephone number, an e-mail address, a social security number, an IP address or even a cookie on a computer, provided that this information can be linked to a specific person.

It is important to note that even data that cannot initially be directly assigned to a person can become personal if it is combined with other data. For example, a combination of zip code, date of birth and gender could be sufficient to identify a person.

Special categories of personal data (formerly known as "sensitive data") include information such as health data, political opinions, religious beliefs and genetic data. This data enjoys special protection under the GDPR and may only be processed under certain conditions.

Rights of the data subjects

The General Data Protection Regulation (GDPR) significantly strengthens the rights of data subjects with regard to their personal data. The most important rights are:

  • Right to information
    Data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and further information, such as the purposes of the processing, the categories of personal data processed and the envisaged period for which the personal data will be stored.
  • Right to rectification
    Data subjects have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.
  • Right to erasure ("right to be forgotten")
    Under certain circumstances, data subjects have the right to demand that the controller erase personal data concerning them without undue delay. This is the case, for example, if the data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • Right to restriction of processing
    Data subjects have the right to request the restriction of the processing of their personal data if, for example, they dispute the accuracy of the data, or the processing is unlawful but they oppose the erasure of the data.
  • Right to data portability
    Data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
  • Right to object
    Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on a balancing of interests or is carried out in the public interest.
  • Automated decisions including profiling
    Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision is necessary for entering into, or the performance of, a contract between the data subject and a data controller, is authorized by law, or is based on the data subject's explicit consent.
  • Right to lodge a complaint with a supervisory authority
    Data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the processing of personal data relating to them infringes the GDPR.

About the author

Jens Kränke

Management consultant for data protection, data security and auditing for large and medium-sized companies as well as public bodies.