- Acquiring basic data protection knowledge and building a foundation for compliance
To be compliant with data protection law from the start, it is worthwhile to have a basic knowledge of the General Data Protection Regulation (GDPR), because it applies from day one. This avoids costly adjustments later on, and in the worst case high fines.
We are happy to help you acquire this basic knowledge with the specialist articles on our website. Above all, they are meant to give you a general overview and an understanding of the principles of the GDPR.
To build a good foundation for data protection, it helps to understand the business processes already during planning and development, and to document how personal data is collected, stored, used and deleted in the various areas or departments. This makes it much easier later to create the required documents, such as the record of processing activities (Article 30 GDPR), because the way the data is processed is already known.
It is also important to note that high technical IT security standards alone are not sufficient for data protection compliance: the GDPR also requires a legal basis for each processing operation, documentation, information of the data subjects and organisational measures.
- Appointment of a data protection officer
Many founders ask, especially once the company starts to grow, when a data protection officer becomes necessary. In Germany, a data protection officer must be appointed once at least 20 employees are constantly involved in the automated processing of personal data (Section 38 BDSG). Independently of headcount, one is required from the start if the start-up's core activities involve large-scale processing of special categories of personal data, for example health data (Article 37 GDPR), or if the processing requires a data protection impact assessment, which can be the case with financial data. Overall, it is very advisable to appoint a data protection officer as early as possible, as this ensures that the requirements of the GDPR are properly implemented from the outset.
The further question is whether an internal or an external data protection officer is the better choice; the external option is usually the more cost-effective one.
- Using cold calling, newsletters and the like for growth in compliance with data protection law
During growth, start-ups must above all keep in mind that as soon as at least 20 employees are constantly involved in processing personal data, they are obliged to appoint a data protection officer.
Cold calling and similar methods are very important and popular, especially at the beginning of growth. For advertising e-mails sent as a newsletter, the recipient's consent to receiving the newsletter must be clearly documented (double opt-in is the usual way to prove this), and every newsletter must point out that the recipient can object to further mailings at any time, typically via an unsubscribe link.
If there is no e-mail address or similar from a previous contact, i.e. in the case of a genuine cold approach, advertising e-mails must never be sent automatically or in bulk. Individually written messages to single addresses may be based on a "legitimate interest"; it is best to include a link to the privacy policy. Note, however, that German competition law (Section 7 UWG) treats e-mail advertising without prior consent as unreasonable harassment, so a legitimate interest under the GDPR alone does not make unsolicited advertising e-mails lawful. If first contact is made via social media, telephone or networking, consent to the intended use (e.g. sending the newsletter) must be obtained before the contact details are stored and used; the contact details themselves may still be noted down individually.
- Process and pass on personal data securely and correctly
Processing covers any operation on personal data, be it collection, storage, disclosure by transmission or deletion. Anonymous data, which can no longer be related to an identifiable person, fall outside the GDPR.
Personal data may be processed if one of the following legal bases applies (Article 6 GDPR):
- Consent of the data subject
- Performance of a contract with the data subject (including pre-contractual steps)
- Legal obligations (e.g. archiving tax-relevant documents)
- Protection of the vital interests of a person
- Performance of a task in the public interest or in the exercise of official authority
- Legitimate interests of the controller or a third party
In practice, legitimate interests and consent are the most important legal bases. Technical and organisational measures (e.g. pseudonymisation, access restrictions, encryption) make processing on the basis of legitimate interests easier to justify: the better the data are protected, the lower the risk to the data subjects and the less weight their interest in not having the data processed carries in the balancing test.
A growing start-up in particular accumulates not only more customer data but also more employee and applicant data. Employee data enjoy special protection under Section 26 BDSG, because the employment relationship always involves an imbalance of power to the detriment of the employees. Their data must be adequately protected, including the data of employees who leave the company: once the statutory retention periods have expired, it must be deleted.
Special categories of personal data (Article 9 GDPR, e.g. health data) are also subject to extra protection, which is why the explicit consent of the data subject is generally required unless another Article 9 exception applies.
When passing personal data on to third parties, check the following:
- Have the data subjects consented to the disclosure?
- Is the transfer necessary for the performance of the contract?
- Where the recipient acts as a processor, is there a data processing agreement (order processing contract, Article 28 GDPR)?
- Is the data processed in a third country outside the EU/EEA, so that additional transfer safeguards (Chapter V GDPR) are required?
- Data protection-compliant online presence
In addition to the mandatory privacy policy (data protection declaration) on the website, a company must pay attention to a few other things for a data protection-compliant online presence. The privacy policy must first of all name the processors used, which are typically also used on the website itself. These can be marketing and analytics tools such as Google Analytics, payment service providers such as PayPal and many more. It is important to conclude a data processing agreement (Article 28 GDPR) with each processor and to maintain an overview of the various processors (a processor register). For tracking and analytics tools such as Google Analytics, the visitor's prior consent (e.g. via a cookie banner) is additionally required.
Furthermore, under Section 5 of the Telemedia Act (TMG; since May 2024, Section 5 of the Digital Services Act, DDG) the imprint (Impressum) is also mandatory and must contain the full name and address of the provider as well as contact details.