In times of digitisation, countless opportunities are emerging for businesses, as well as completely new risks. “Data is the oil of the 21st century”, many people say. To further control the commercialisation of personal data and to limit incidents such as Cambridge Analytica and Facebook in the future, the European General Data Protection Regulation (GDPR) came into force on 25 May 2018. This regulation affects every member state of the European Union and is therefore binding for everyone. The impact of the GDPR on the handling of data is immense. Since its entry into force, however, there has been great uncertainty concerning the interpretation of the regulation. We will shed some light on this and clear up 8 common misunderstandings in the coming weeks.
Can a missing or insufficient data protection declaration be admonished?
Does accepting a business card trigger the information obligation according to Art. 13 GDPR?
No. Accepting a business card does not by itself require disclosure. Disclosure only needs to occur when the data given with the business card is first used, e.g. for storing the data. The business then has to inform the affected person how their personal data will be processed. Consent is not necessary for contacting a person with regard to pre-contractual measures. Here too, the affected person must be informed about the data processing. This can be done orally, which, however, raises the problem of provability.
To be continued…