Since the introduction of the General Data Protection Regulation (GDPR), data breaches have been one of the events that can have cost-intensive and image-damaging consequences for companies. Even small mistakes in day-to-day business can have a significant impact. If customer data is recorded on the company website in a way that does not comply with data protection law, or if storage media containing personal data are lost or stolen, this already has consequences under data protection law and can be unpleasant for the company.
How is a data protection breach defined?
A data protection violation is recorded when the applicable data protection law has been disregarded in the company. For companies based in Germany, the Federal Data Protection Act (BDSG) and the General Data Protection Regulation (DSGVO) apply.
If a company is obliged to appoint a data protection officer and does not provide an internal or external one, this alone already constitutes a data protection violation. The law is concerned with the protection of personal data, which can be endangered, for example, by hacker attacks or by accidental disclosure. At the same time, personal data must be processed in compliance with data protection regulations.
A data protection violation can be recorded if personal data is disclosed, manipulated or destroyed. In these cases, data breaches or data leaks are often reported in the media.
Whether a company has to report a data breach must be assessed case by case. The data concerned must be evaluated with regard to the risk that has arisen for the data subject. A report must be made in any case if the data protection breach has caused material, physical or immaterial damage.
The most common data breaches in companies:
The company has not appointed a data protection officer
If more than 20 people are constantly involved in the automated processing of personal data in a company, the appointment of a data protection officer is mandatory.
Many companies that stay below this number of people rely on this rule, but the number of people is not the only criterion for whether a data protection officer must be appointed. If particularly sensitive data is collected, such as health data, the appointment of a data protection officer is essential. Companies that look only at the number of employees who constantly work with sensitive data can easily commit a data protection violation.
Regardless of the appointment of a data protection officer, it must be noted for all companies that the provisions of the GDPR and data protection must be observed in principle.
The data protection declaration is incorrect or does not exist
If customers come into contact with a company via its website, a correct data protection declaration is mandatory whenever the website requires the provision of personal data. In some cases, however, the data protection declaration is missing even though the visitor's IP address, the user's location or e-mail contact details are requested. These deficiencies in content automatically lead to a data protection violation.
A data protection declaration basically contains the full details of what information is collected and how long the data provided will be stored. The intended use of the data must also be evident from the data protection declaration. In the data protection declaration, it is imperative to use simple and generally understandable language. If the company is obliged to appoint an internal or external data protection officer, this must be listed in the data protection declaration.
Data protection violations in the storage and processing of personal data
- Storage of data or transfer of personal data
A classic violation of data protection occurs when personal data is recorded without prior consent having been obtained. One example on the Internet is when newsletters are sent without prior consent.
If companies use collected data from people in order to sell them to other companies or to gain another data advantage, this is an intentional violation of data protection regulations, unless these actions have been secured in advance under data protection law. In most cases, data protection violations in this area are subject to particularly high fines.
- Inadequate security of personal data
Data protection violations of this kind occur frequently in companies. Personal files are lost and can therefore also be viewed by unauthorized persons. Reports of this kind can often be found in the media under the heading "data scandals" - in many cases data access was obtained through a hacker attack that was made possible by inadequate security precautions. For large corporations in particular, such a data leak means a catastrophic loss of image and thus a loss of sales. However, the loss of a storage medium can also reveal personal data to third parties and is likewise considered a data protection violation.
A classic among data protection breaches is sending circular e-mails to many participants. If the addresses of all recipients are placed in CC instead of BCC, every recipient gains access to the personal data (the e-mail addresses) of all the other recipients. Since this case often occurs in companies, internal retraining should be carried out.
Data protection violations resulting from personal contact
If a company has collected personal data, it is also obliged to disclose the stored data to the data subject on request. If a company ignores such a request for personal data or does not answer it within a reasonable time frame, it is committing a data protection violation. In principle, an incoming request should be processed and answered promptly.
In many cases, however, it is not sufficient to just send the requested personal data. In most cases, information about data usage is also requested in order to provide the person concerned with a holistic overview.
Correct use of checkboxes on the company's website
Companies like to use and collect personal data for marketing purposes. Consent must be obtained as a legal basis, especially for contacts that are not yet active customers. These consents are usually requested on a form.
A company must carefully observe the legal basis - the purpose of the data collection must be specified by the company. In principle, the revocability of the given consent must be pointed out.
A good design of the checkbox clearly states to the user which measures he or she is consenting to. A pre-checked checkbox is not only harmful to the company's image, it also rules out the active consent of the data subject.
Responsibility within order processing
In companies, it is often unclear who has to take on which duties and who is responsible. Many companies use customer databases, payroll accounting and a marketing newsletter, and in many of these cases an external processor will handle the data. Here there is often a lack of clarity about the rights and obligations of the respective parties. In order to comply with data protection regulations, companies should draw a clear line between their own responsibility and the order processing.
To avoid errors in order processing, the processing must be carried out on the instructions of the controller (the person responsible). The controller is responsible for the data protection declaration and must at the same time record the designated processor in the directory of processing activities. A so-called order processing contract (AVV) is then concluded with the contractor.
The AVV must contain all points from Art. 28 of the GDPR. In particular, the service description must clearly define which part of the service is to be performed by the named processor. Data categories must be clearly listed and subcontractors must also be named. In principle, data security must remain verifiable.
Often the controller does not fully check the processor's technical and organizational measures (TOM). If these are available, the controller can see how the data processing is organized by the processor and which protective measures are taken. If the TOM are not reviewed, the company overlooks an essential part of the order processing contract.
Data protection violations - a conclusion
Data protection in companies is a complex topic that those responsible and their employees have to deal with. In order to avoid a loss of image and the resulting loss of sales, companies should invest in particular in internal training and give employees a feeling for the correct handling of personal data. Fines and other consequences can be avoided through a properly implemented training concept.
No company can claim that it complies with every rule in terms of data protection, but internal and external misunderstandings and ambiguities must be eliminated, and data protection with all its consequences must always be kept in mind.