Even just a few weeks after the deadline, the implementation of the General Data Protection Regulation (GDPR) is still a major issue in practice. The prospect of high fines or warnings from competitors has alarmed many companies and prompted them to address the issue of data protection for the first time. However, smaller companies with little budget in particular often fail due to the complexity of the legal requirements, which understandably causes frustration. The following article is intended to help you get started on the subject of data protection and, in addition to the GDPR basics, also provides concrete examples with recommended actions and links for implementing initial data protection management.
Inventory of processes
Before you start implementing specific measures, the status quo must be determined. To do this, ask yourself the following questions: When and where does my company process personal data, such as names, email addresses or telephone numbers? For what purpose is the data processed and when is the information deleted? Are there other companies, possibly even outside Europe, that have access to my data? You should be aware that in addition to classic personal data, identifying information such as customer numbers, device IDs or even IP addresses is also protected data within the meaning of the GDPR. Any handling of this information is covered by data protection law.
You must then summarize your results in a document. Such an overview of data processing is not only helpful for later evaluation, but is also required by law. The so-called list of processing activities is specifically regulated in Art. 30 GDPR and must be made available to the responsible supervisory authority upon request. It is therefore a "necessary evil" when it comes to demonstrating compliance with the obligations under the GDPR.
What specific content the directory must contain and how you should go about creating it is explained in detail on this overview page [1]. There you will also find a link to a free generator that will help you create the directory.
[1] https://www.datenschutzkanzlei.de/katal ... tigkeiten/
Review of legal bases
After documentation comes the evaluation. The GDPR only allows the processing of personal data if this is permitted by law. Contrary to a frequently made claim, data can also be used without the consent of those affected. In addition to consent, there are legal bases that allow processing for the purpose of executing a contract or even on the basis of a balancing of interests.
So always take a close look at the purpose for which you have stored personal data in your company. If you cannot find a legal basis for data processing, the information must be deleted. For example, applicant data may not be stored for longer than six months without separate consent. Former customer data must also be deleted if the contractual relationship has ended and there are no legal retention obligations.
If you can already prove consent (e.g. in email marketing), this is still valid under the GDPR. So think carefully about whether you want to ask your customers for consent again. If the personal data you have collected is still required for the execution of the contract, storage is permitted without separate consent. Even use for advertising purposes is not necessarily dependent on the consent of those affected. For example, you can continue to base postal advertising on the legitimate interests of your company, provided the recipient has not expressed an objection to advertising.