After it was published in "EU GDPR (1): European General Data Protection Regulation explained in brief", this article goes into more detail: consent and the validity of the EU GDPR - both nationally and internationally - entail special cases. Personal data and which measures are now necessary for companies deserve special attention.
EU GDPR: Consent
The processing of personal data is prohibited in the first instance and is only permitted under the Reservation of consent for a defined Intended use permitted. The Reservation of permission is obsolete with an existing consent. Further Permits can be found in Article 6(1) EU GDPR.
Consent of a child according to the EU GDPR
For services and services (according to order processing in Article 6) that are provided to a child up to the age of sixteen are made directly, the Consent of the parents is required. The provider (as the responsible party) must obtain and document this consent in a legally secure manner.
See Article 8 "Conditions for the consent of a child in relation to information society services" (Chapter II: Principles).
The Consent of a child lawful within the meaning of Article 8 EU GDPR if he or she has reached the age of 16. Through the Specificationclause, the member state can Age to 13 years through national law.
National validity of the new data protection regulation
Through national regulations to ensure the protection of national rights and freedoms with regard to the processing of personal employee data, so-called Collective agreements under Article 88, for example in the German Works Constitution Act (BetrVG) can be determined.
Processing of special categories of personal data
In Article 9 EU GDPR, the EU Commission introduces a definition of categories in the evaluation of personal data: "The Processing of personal datawhich reveal the following personal orientations, and processing for the purpose of uniquely identifying a natural person, a natural person is prohibited."
To these Data for personal orientation according to the EU GDPR includes the following information:
- racial and ethnic origin
- political opinions
- religious or ideological convictions
- Trade union membership
- genetic data
- biometric data
- Health data
- Data on sexual life or sexual orientation.
Article 9 EU GDPR, "Processing of special categories of personal data", thus defines the special categories and distinguishes this data from other categories of personal data and prohibits their processing.
The The exception for processing is explicit consentand the necessary Processing for purposes in the public interest for archiving purposes, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1).
Order processing in accordance with the EU GDPR
Some terms have also been updated: Order data processing is now called Order processing. This is defined in Chapter IV in Articles 24 to 43 "Controller and processor" and also makes the processor liable for breaches of the regulation. Order data processing from the BDSG as amended in September 2009 has found its way into Chapter IV and V of the EU GDPR.
Order processing takes up a large part of the regulation. In Chapter IV "For data processing Responsible parties and processors" and in Chapter V "Transmission personal data to third countries or to international Organizations", the specifics of order processing are concretized.
In the EU GDPR no distinction is made between the online and offline-processing.
What measures companies should take with regard to the EU GDPR
Now there are also Considerations which in particular the interests of those affected and the sensitive nature of personal data. In future, companies will therefore have More room for argumentationbut must also take into account the resulting Legal uncertainty have to accept.
The TOMs (technical and organizational measures) in Article 28 also serve as the legal basis for such a cross-border transfer as a risk assessment, for example when reporting personal data breaches in accordance with Article 33.
Document your considerations and measures!
In particular, documentation on the Weighing uprespectively to the data protectionImpact assessment in accordance with Article 35, are an integral part of the Regulation, according to the interpretation of the recitals. All impact assessments, data security measures, customer information documents, information on the stored data, opt-in/opt-out function and consent or consents granted must be documented.
What was the motivation behind the European Directive of 2009 becoming the EU GDPR of 2016, a legally binding regulation? More on this in the next article: EU GDPR (3) - Where it comes from and where it is going.
(Cover picture: © Christian Kettling)