Fact or fake ? 8 Questions regarding the General Data Protection Regulation

(Part 1/4)

In times of digitisation, countless opportunities are emerging for businesses, as well as completely new risks. “Data is the oil of the 21st century”, many people say. To further control the commercialisation of personal data and to limit incidents such as Cambridge Analytical and Facebook in the future, the European General Data Protection Regulation (GDPR) came into force on 25 May 2018. This regulation affects every member state of the European Union and is therefore binding for everyone. The impact of the GDPR on the handling of data is immense. Since the entry into force, however, there has been great uncertainty concerning the interpretation of the regulation. We will shed some light into this darkness and clear up with 8 common misunderstandings in the coming weeks.

Can a missing or insufficient data protection declaration be admonished?

Yes. Businesses should make their websites GDPR-compliant as soon as possible. Nearly anyone can access a virtual platform and search for data protection issues. This makes businesses vulnerable. The privacy policy should be easy to find (for example next to the imprint) and have its own tab. But even an existing data protection declaration can lead to a warning if it is insufficient. The district court of Würzburg (LG) had to decide on such a case (13.09.2018, Az. 11 O 1741/18). A lawyer had a privacy policy on her website. However, there was some required information missing, such as information about the person responsible and for the gathering and storing of personal data. A competitor then admonished her and the district court of Würzburg affirmed the injunctive relief in preliminary proceedings.


Does accepting a business card trigger the information obligation according to Art. 13 GDPR?

No. When accepting a business card there is no need for disclosure. This only needs to occur when the data given with the business card is first used, e.g. for storing the data. Then the business has to inform the affected person, how their personal data will be processed. For contacting a person in regards to pre-contractual measures consent is not necessary. Here too, the affected person must be informed about the data processing. This can be done orally which, however, raises the problem of provability.


To be continued…