GDPR basics - definitions
What is the GDPR?
The GDPR is an EU regulation that should regulate the handling of personal data across the EU. It should give consumers more transparency and enable data subjects to stay “masters of their data”. Data subjects should know exactly why and for what their data is used. In addition, the handling of personal data should be standardized across the EU.
With the GDPR, the EU means business when it comes to professionalizing the data protection practices of many, especially small, businesses. There are two things that demonstrate this:
When does the GDPR come into force?
The General Data Protection Regulation came into force on 25 May 2018.
For whom does the GDPR apply?
The GDPR applies regardless of the company size:
- to all businesses and their branches in the EU that handle personal data.
- to all businesses outside of the EU, if personal data is handled in connection with the offering of goods or services within the Union, or if the behavior of EU citizens is monitored.
What does “data handling” mean?
According to the GDPR, the term “data handling” refers to any processes or operations performed on personal data, whether automated or non-automated. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Merely viewing data on a screen or piece of paper therefore already counts as data processing, even if no data is modified during processing.
Examples: Creating an email list, accepting a business card, managing a staff or applicant database.
What is “personal data”?
Personal data is information by which an individual person can be identified.
By definition, this is “information relating to an identified or identifiable natural person (‘data subject’)”, including any information that says something about a person.
- Email address
- Phone number
- Account information
- Location data
- Incidentally, also the IP address - but more on that later
- Order ID
- Transaction ID
- Tracking data that can be used to draw conclusions about the person concerned.
It is possible to identify the data subject with this data as well as with a combination of individual data. Therefore, the EU considers the protection of these details to be especially important. As an entrepreneur or self-employed person, you are responsible for gathered data and you must be able to explain on what basis the data is processed and what protective measures you take.
The controller is the natural or legal person who decides the purposes and means of processing personal data. In the event of a fine, the whole company is therefore liable, not the manager and absolutely not just the data protection officer. In our context, Digistore24 is responsible during purchase. After data is transferred to the vendor, the vendor is responsible for data processing beyond the product delivery, as they determine the purposes and means of the data processing from this point on.
A processor is a natural or legal person who processes personal data on behalf of a controller. Examples include telemarketing agencies as well as server hosts, external CRM systems, and also email marketing systems such as Klick-Tipp.
Note: You need a data processing agreement with processors. In addition, if the processor is located outside of the EU, also check if an adequacy decision exists, for example if the company is Privacy Shield certified. If that isn’t the case, you need a ‘Model Contractual Clause’ contract, published by the European Commission.
A third party is a natural or legal person, other than the data subject, controller, processor, and the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Note: If you transfer personal data to third parties, you must explicitly inform the data subject about this. Generalised statements such as “our partners receive your data to process it” are not sufficient. The data subject can also have their data deleted, transferred, changed and seen by a third party.
Who is the “data subject”?
To put it simply, data subjects are natural people whose data is taken and processed.
Note: Here, it is irrelevant whether the natural person is running a business, self-employed, or a private individual.
The term “consent”
We can speak of consent if the data subject, willingly and completely informed, agrees to the processing of their data for a particular purpose. This permission may be given in writing, electronically, or verbally.
Note: This consent must include a proactive action on the part of the data subject such as ticking a box. Furthermore, the giving of consent must not be tied to a “reward” in any way (“coupling prohibition”).
“Explicit” consent is only required when processing sensitive data. More about that later.
Conditions for consent
The consent itself must be documented in plain text and securely stored. In principle, the consent must be in a clear and comprehensible written form. Furthermore, blanket consents are not allowed to be issued, but instead separate permission must be given for each processing purpose. For example, email marketing is a different processing purpose than making customer profiles that automatically evaluate a data subject based on personal data (e.g. tracking data).
The data subject must, at any time, have a withdrawal possibility through which they can withdraw their purpose-bound permission to process their data from the data processor (“controller”).
Note: Personal data collected before 25 May 2018 may continue to be processed provided that there is demonstrable consent from the data subject, or the processor or third party has a legitimate interest that outweighs that of the data subject. Find out more later.
Profiling is defined as any form of automated processing of personal data that evaluates personal aspects of a natural person and produces legal effects concerning the data subject or similarly significantly affects them. This could be analyzing or predicting aspects of the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements.
Schufa (a credit rating agency) should be mentioned as an example, as their profiling of the data subject affects them in a significant way.
Note: I personally estimate that personalized advertising is not profiling in the sense of the definition above. In my opinion, it doesn’t legally affect the data subject or affect them in a similar way.
“Data protection officer”
The data protection officer is the person in a company responsible for overseeing the data protection strategy and implementation to ensure GDPR compliance. They represent a link to authorities and are a direct point of contact to them. Businesses need to appoint a data protection officer if their core activities consist of the regular and systematic monitoring of individuals on a large scale, or the extensive processing of sensitive special category data or personal data relating to criminal convictions or offenses. In addition, the individual requirements of the respective country must be observed in each case. The data protection officer is responsible for GDPR compliance at your company, but not responsible in the sense of being liable.
Note: I definitely advise you to work together with an experienced external data protection officer, as they can give you important assistance with the implementation, as well as the continuity of GDPR compliance. Moreover, it looks good to authorities and your public image if you have a data protection officer. At Digistore24, we have a whole data protection team comprising certified data protection officers as well as several external data protection officers who provide us with advice and assistance. This way, we can guarantee optimal protection of both your data and that of your customers.
Note: If you have formally appointed a data protection officer, you must report this to the authorities, otherwise you may face expensive fines. If you want advice from a data protection officer without officially hiring them, you can simply refer to them as a “privacy coordinator”. This doesn’t have to be reported to the authorities.
Important for employers
As an employer, if you also store health data, trade union memberships, religious affiliation, or political opinions, you are processing “special category data”. Such data must be specially protected and employees should have restricted access rights. I advise you to store as little special category data as possible.
Overview of the 7 principles relating to processing of personal data (Article 5, GDPR)
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals (“lawfulness, fairness and transparency”).
- The processing may only be carried out for pre-defined and documented purposes (“purpose limitation”).
- It must be limited to the amount of data collection and processing absolutely necessary (“data minimization”).
- It must be factually correct and up to date (“correctness”).
- The data subject may only be identifiable as much as is absolutely necessary for the processing purpose (“storage limitation”).
- Data must be adequately protected (“integrity and confidentiality”).
- The controller (for example the manager of a company) must be able to demonstrate compliance (“accountability”).
Note: According to legislators, violations of the principles above should carry the maximum penalty.
Lawfulness of processing (Article 6, GDPR)
In principle, any processing of personal data is forbidden. For entrepreneurs it is relevant here that justification for processing data does exist. Essentially, there are 4 justifications here that are important for you:
- Consent: The data subject has expressly given consent to the processing of their data.
- Contract: Processing is based on a contract e.g. purchase contract.
- Legitimate interest: Processing occurs in order to safeguard a legitimate interest of the controller.
- Legal obligation: There is a legal obligation to process the data.
Note: The basis for authorization “legitimate interest within the meaning of Article 6, clause 1 f” is very vague, but the main argument is if you, for example, contact your customers via email, without obtaining their consent. The safe option is to only write to customers if there is consent on the part of the customer or affected party (in the form of a double opt-in).
As already mentioned, the maximum penalty should be imposed for serious offenses, such as the violation of the principles relating to data processing (Article 5, GDPR).
For lesser offenses, such as forgetting to create a data processing directory, the penalty is foreseen to be up to half the maximum penalty, so 10 million Euros or 2% of the previous year’s sales.
Note: I have completed my training and written examination to become a certified data protection officer in Austria. During the training, I already experienced from insiders that Austria wants to impose penalties for violations of the GDPR very carefully. This has since been confirmed in the press. Germany will be more strict (no surprise), especially since the GDPR is based on German data protection laws from where the regulations therefore originate. Bulgaria had virtually no data protection law at all before the GDPR and therefore, the status of the authorities’ changes is unclear.
Authorities, for example in Germany and Spain, have upgraded and excellently prepared complaint processes. Opt-in forms were created as we are already familiar with in internet marketing. As a result, complaints can be brought before the authorities, and companies as well as self-employed individuals can be penalized.
An example: https://www.lda.bayern.de/en/complaint.html
Note: When considering the topic of data protection, the whole setup leads me to presume that, in case of violations, many penalties are imposed in a media-savvy way. Many companies who neglect data protection will be cautioned.