Information obligations
Posted: Sun Feb 02, 2025 4:09 am
The issue of information obligations has changed with the GDPR and caused a lot of uncertainty. You have certainly received an email from one provider or another about their new data protection terms. It is certainly debatable whether these active information obligations are even necessary for existing customer relationships. In my opinion, there is no active obligation here, since the GDPR regulations did not yet apply at the time of collection. Nevertheless, you must at least inform all new customers and visitors of the requirements of the GDPR. This primarily affects the data protection declaration (privacy notice) on your website, but it also applies to data processing in employment relationships, where personal data of your employees is processed as well. If you have not yet created new data protection notices, you should address this immediately. A complete data protection declaration is the first calling card for compliance with data protection law. There are a number of generators on the Internet that can help you; a paid generator is available from the company Avalex [1], for example.
Documentation of data security
In addition to the legal aspects, you must also pay attention to technical data security in your company. This begins with documenting the so-called technical and organizational measures (TOM). You can find corresponding templates and "inspiration" in the appendices to the sample data processing agreements (contracts for processing on behalf of a controller).
Necessary data security measures include defining who may enter which premises and who may access which data processing systems (keyword: authorization concept), encrypting the connection to your website, and providing a way to send sensitive information securely, i.e. outside regular email communication. Encrypting the website is now possible free of charge using Let's Encrypt [1]. Note that a certificate only protects data in transit between the browser and your server; it says nothing about how the data is protected once it has arrived. Services such as WeTransfer [2] or Teambeam [3] make it easy to transfer larger files securely; check whether the chosen service protects the transfer end to end or only on the way to its own servers, and for genuinely sensitive data encrypt the file yourself before uploading it.
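As an added illustration of what "encrypting the website" looks like in practice (this is example configuration written for this page, not something from the original post): a minimal nginx setup for a site whose certificate was issued by Let's Encrypt with certbot. The domain example.com, the ACME webroot and the document root are assumptions; the certificate paths under /etc/letsencrypt/live/ are where certbot places the files by default, but verify them on your own system.

```nginx
# Plain-HTTP listener: answers ACME challenges (needed for issuance and
# renewal) and sends every other request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # assumed domain

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;             # assumed webroot passed to certbot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener using the certificate chain and key written by certbot.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Baseline: only TLS 1.2 and 1.3, let the client pick from the
    # server-supported modern cipher suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Tell browsers to use HTTPS only for the next year. Enable this only
    # after confirming every subdomain is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;                 # assumed document root
    index index.html;
}
```

Check the configuration with `nginx -t` before reloading. Let's Encrypt certificates are short-lived, so renewal must be automated; certbot's `renew` command can reload nginx afterwards with `--deploy-hook "systemctl reload nginx"`. Alternatively `certbot --nginx` can generate a similar configuration for you.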
Internal organization
Data protection must, of course, reach the people who actually process data day to day, namely your employees. Here you are required to raise awareness among your employees accordingly and to create guidelines for handling personal data. This begins with training, which you can do online with the provider Iversity [1], for example. In addition, you must determine who is internally responsible when a request for access or deletion arrives. What to do in the event of a data breach should also be clarified internally and set out in writing. The websites of the supervisory authorities are helpful here, as they already provide quite useful templates, for example the Bavarian State Office for Data Protection Supervision [2] or the Baden-Württemberg Supervisory Authority [3].
If your company employs more than 10 people, you are, as before, required to appoint a data protection officer. The contact details of the data protection officer must, and this is new, be published in your data protection notice and also communicated to the supervisory authority responsible for you. The role of data protection officer can be performed by an internal employee (caution: members of the management and senior management level may not be appointed, because of the conflict of interest) or by an external service provider.