Since May 25, 2018, the EU General Data Protection Regulation (GDPR) has been in effect. Many companies are affected by these new legal regulations. There are still questions in many places. To get a better overview of the changes, apart from hard-to-understand legal explanations, we spoke with Marco Tessendorf, external data protection officer and director of procado Consulting, IT & Medienservice GmbH from Berlin.

The new EU General Data Protection Regulation (GDPR) is currently causing a lot of turmoil. For all non-lawyers: what exactly happened on May 25, 2018 and why does it affect us all?

First of all, not so much changes for companies that have already been dealing with privacy for some time. Most of the mandatory requirements have been mandatory for many years, but so far have not been taken seriously.

The GDPR is a kind of European law that, unlike the previous EU directive, is mandatory in all European countries. Actually, this regulation has been in force since May 2016; only the transitional provisions for the implementation of its requirements ended on May 25, 2018. For those concerned, this results in an extension of their inalienable rights (access, deletion, objection, …) and a better enforcement capacity (including a collective action right). For companies, this means more extensive information requirements, higher documentation requirements and an expansion of fines. In doing so, companies are potentially more vulnerable to competition under the rules of competition law, although I consider that, on a larger scale, rather unlikely.

What effects does the GDPR have on companies? What are the most important changes?

Businesses have a greater obligation to inform and document than before, and in a certain sense, the burden of proof reverses in favor of those affected.

Affected parties must be fully informed about various aspects of the processing of personal data prior to processing. This usually means that the privacy policy of the website, newsletters and information must be revised for those affected. Affected parties have, as before, extensive rights that cannot be excluded by contract, but now there are more. It can be assumed that those affected will now be more likely to exercise these rights. The best known are the right to access, deletion and objection. Added to this are the right to be forgotten and the right to data portability. Make sure that all employees in your company deal sensitively and reactively with such inquiries; there are binding deadlines.

What should be considered specifically for cloud software solutions?

Actually, nothing more than before. The use of a cloud solution is usually authorized with a data processing contract under data protection law. The person who passes on or allows access to personal data is responsible for the content and conclusion of this contract. The professional service providers often offer a corresponding sample contract. Inform your customers or employees that data is in the cloud and who the service provider is (information requirements), e.g., in your privacy policy.

When choosing your cloud provider, make sure that the data is hosted in Germany or at least in the EU. Everything else complicates things.

Thank you for the interview!

What GDPR means for us and our customers, and how Tandemploy implements the topic in practice, has been summed up briefly by Silja Nordmeyer-Andrez. Silja is a lawyer and supports the Customer Happiness team at Tandemploy.

“Data protection and data security are core topics for us. That is why all our employees are regularly trained on these topics. We let them know about the contribution they make to our data security. This includes not only the obligation to protect data within the legal framework (GDPR, new Federal Data Protection Act, Telemedia Act, etc.), but also the mindset that the responsible handling of data is the basis of our work.

This concerns, e.g., the selection of new tools. We first examine in detail whether and how data is processed by a tool before we decide for (or against) its use. Legal foundations such as the Privacy Shield are also regularly checked for their effectiveness and secured in many ways.

Thanks to the great support provided by procado, we developed conforming data processing contracts that we offered to our customers before the GDPR came into force. This included a detailed documentation of our technical and organizational measures.

Of course, we also like to work closely with our customers and provide all the information they need. You can be sure that we not only take data protection and data security seriously, but that they are an integral part of our work!”