
GDPR: This is what website operators and entrepreneurs need to know about the General Data Protection Regulation!

Authors: Attorney Sören Siebert, Attorney Bea Brünen, Attorney Lev Lexow

Last update: 25.02.2021

1. What is the GDPR and who does it apply to?

The EU General Data Protection Regulation (EU GDPR) is an EU regulation, i.e. a law that applies directly throughout the EU. It regulates data protection law, that is, how companies handle personal data, uniformly across Europe. Many provisions of the German Federal Data Protection Act (BDSG) no longer apply as a result, and the BDSG has been revised to fit the GDPR.

Video: General Data Protection Regulation GDPR simply explained!

Get to know the General Data Protection Regulation - GDPR. [Created by https://www.erklaerhelden.de/]

 

1.1 What is the goal of the GDPR?

The General Data Protection Regulation unifies data protection law within the EU; until now each member state had its own data protection law and therefore its own standards. Entrepreneurs can now rely on a (predominantly) uniform data protection law applying within the EU. The regulation also applies to companies based outside the EU if they process data of people in the EU.

The regulation's second goal: data protection law should become more protective for the users concerned. Citizens should regain sovereignty over their data as far as possible. Together with significantly higher fines, this is intended to ensure that cloud services or social networks, for example from the USA, also have to abide by the rules.

1.2 Who does the GDPR apply to?

... the new regulation only affects online shops, really large companies with thousands of customer records, or processors? Unfortunately not: the GDPR concerns EVERY company that is active on the Internet. User tracking, customer data, newsletters or advertising e-mails, advertising on Facebook, your own data protection declaration: many things change as a result of the new rules.

The data protection regulation applies to:

all companies based in the EU.

Companies outside Europe must also comply with the new rules, but only if they:

  • have an establishment in the EU, or
  • process personal data of persons in the EU, for example because they offer goods or services to them or monitor their behaviour (Art. 3(2) GDPR)

The most important point of reference for the scope of the General Data Protection Regulation is personal data: all information that relates to an identified or identifiable natural person. A person is "identifiable" if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or other specific characteristics. The mere possibility of identifying the person is sufficient!

Personal data includes, for example:

  • Name
  • Address
  • E-mail address
  • Phone number
  • Date of birth
  • Bank account details
  • Vehicle licence plate
  • Location data
  • IP addresses
  • Cookie identifiers and similar online identifiers

1.3 Since when has the EU GDPR been in effect?

The GDPR has been talked about everywhere, but there was some confusion about the official start date.

The GDPR entered into force on May 24, 2016, twenty days after its publication in the Official Journal. BUT: companies and website operators in the EU member states have only had to apply it in a binding manner since May 25, 2018.

Doesn't the regulation have to be implemented first?

Some website operators may ask: doesn't Germany first have to transpose EU law into national law? The General Data Protection Regulation is a regulation, and member states do not have to transpose regulations: they apply directly (unlike EU directives). However, the GDPR contains opening clauses that leave the member states leeway in some areas, so the legal situation is not 100% uniform.

The GDPR replaces the familiar Federal Data Protection Act (BDSG) in many parts. For this reason the BDSG was rewritten; the new BDSG has likewise applied since May 25, 2018.

Link tip:

If you want more information on this, the following article may be of interest: https://www.bundesregierung.de/Content/DE/Artikel/2017/02/2017-02-01-datenschutz.html

Attention, website operators: the provisions of the Telemedia Act (TMG) that matter to you are also partially superseded by the General Data Protection Regulation.

But there will be more changes to come here! Since the GDPR is not specifically designed for telemedia, a more specific regulation is planned: the new ePrivacy Regulation. It was originally supposed to enter into force together with the GDPR in 2018, but has been postponed several times and is still not in force. We will keep you informed about this.

2. Important for all entrepreneurs, website operators and dealers

The General Data Protection Regulation does change some things in data protection law. However, since a very high level of data protection already applied in Germany, entrepreneurs, website operators and retailers here face fewer changes than in some other EU member states. German entrepreneurs have an advantage if they have already taken care of data protection.

 

2.1 Principles of data protection

Many of the familiar principles of data protection law have not changed. You should know the following principles:

Prohibition subject to permission

In plain language: the collection, processing and use of personal data is prohibited unless you have permission. This can arise from:

  • a law, e.g. the BDSG, the TMG or the GDPR itself (Art. 6 GDPR)
  • consent of the data subject

Data minimisation

In plain language: you may only collect and process as much data as you actually need.

Purpose limitation

In plain language: you may only process data for the purpose for which you collected it.

Data accuracy

In plain language: data must be kept correct and up to date.

Data security (Article 32 GDPR)

The principle of data security, now expressly laid down in the GDPR, obliges controllers and processors to implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk to the data subjects, in order to ensure a level of security appropriate to that risk. Article 32 itself names pseudonymisation and encryption, ensuring the confidentiality, integrity, availability and resilience of the processing systems, the ability to restore availability after an incident, and regular testing of the effectiveness of the measures.

In plain language: the level of protection you must guarantee depends on how much protection the personal data in question needs. Which measures are "appropriate" is then judged against the state of the art, the necessary implementation costs, the circumstances, etc.

Right to be forgotten (right to erasure)

Many companies know that the right to be forgotten is not entirely new. The ECJ has ruled that EU citizens can, under certain conditions, demand that search engines no longer show certain search results.
The right to be forgotten is therefore a claim that personal data must be erased or restricted if there is no longer any authorisation to use the data.

Caution: users can assert their right to be forgotten not only against search engine operators! The claim can be made against any body that processes personal data.

For the first time, the GDPR contains an independent provision on the right to be forgotten: Article 17.

It also lists the specific reasons for which you as the controller must erase the data. The most important cases are:

  • the purpose of the processing no longer applies (Art. 17(1)(a))
  • the data subject has withdrawn consent (Art. 17(1)(b))
  • the data processing was unlawful (Art. 17(1)(d))

Note the exceptions in Art. 17(3): data you must retain under a legal obligation, such as invoices within statutory retention periods, is not erased but its processing is restricted to that purpose.

Here you can find all legal regulations:
https://www.e-recht24.de/dsgvo-gesetz.html#artikel-17

Right to data portability

Also new is the right to data portability, now regulated in Article 20 GDPR.

But what can users achieve with it? The new right gives them the opportunity to "take" their data with them to another provider. Users can request the controller to hand over their personal data, or to transmit it directly to another controller where technically feasible, in a "structured, commonly used and machine-readable format".

For example, data portability is important for:

  • Switching to other (social) networks
  • Change of bank
  • Change of employer

The implementation of this new law can be tough. It is best to get individual advice on this!

Accountability

The EU GDPR now also provides for accountability (Article 5(2) GDPR). On request, controllers must be able to demonstrate compliance with all data protection principles.

Practical tip:

So set up an effective data protection management and document compliance with data protection requirements. In this way, you can prove the implementation of data protection law to the supervisory authority.

Caution: the impending fines are significantly higher than before!

Supervisory authorities can impose fines of up to 20 million euros or, for companies, up to 4% of the worldwide annual turnover of the previous financial year, whichever is higher (Art. 83(5) GDPR).

So let us advise you!

 

2.2 Data protection, marketing and GDPR

Video: Introduction to the General Data Protection Regulation GDPR

Learn in the video Part 1: The basics of the General Data Protection Regulation - GDPR.

Consent for advertising purposes

User consents play a bigger role for retailers and entrepreneurs than many might believe. Think, for example, of the consent to receive newsletters.

But what does consent have to look like? We have put together the most important requirements for you here:

Shape:

The consent in data protection is not tied to special formal requirements. Oral, written and electronic consents are permitted according to the General Data Protection Regulation.

Caution: when obtaining consent, always think about documentation. Oral consent becomes a problem much faster than written or electronic consent that you have recorded and stored in your system.

Opt-in or opt-out:

Obtain consent via an active opt-in! Opt-out is generally not sufficient; pre-ticked boxes in particular do not result in effective consent.

Voluntary:

The requirement of voluntariness is also particularly important. That means: You must not make the fulfillment of the contract dependent on the data subject giving consent if the consent is not required for the fulfillment of the contract.

Content requirements:

You must always obtain your consent for a specific purpose and list the processing purposes. General consents are therefore still not allowed.

Verifiability:

You must be able to prove that you have been given consent to data processing! Always think of comprehensive documentation in connection with the EU General Data Protection Regulation.

Revocation:

As before, the person concerned has a right of withdrawal. He must therefore be able to revoke the consent given at any time with effect for the future.

What is new is that withdrawing consent must be as easy as giving consent.

What happens to "old" consents? Do you now have to ask all customers again?

Dealers can breathe a sigh of relief here. The data protection consents obtained so far continue to exist under the GDPR. However, this only applies if you have adhered to the previous requirements of the BDSG and TMG. If the consent has not yet been validly given, it will not become effective under the GDPR.

In this context it is important that the proof of consent is now written into the law. Anyone who sends newsletters must be able to prove the recipient's consent, which in practice means a double opt-in: the address is entered, a confirmation e-mail is sent, and only the click on the confirmation link activates the subscription. Until now this was purely a question of evidence, for example in the case of warnings for spam e-mails; now Article 7(1) GDPR makes it a direct legal requirement that the controller be able to demonstrate consent.
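The double opt-in procedure described above, as an added example in Python (this is not code from the page or from eRecht24): a newsletter sign-up that issues an HMAC-signed, time-limited confirmation token and keeps an append-only consent log that can later be produced as evidence. The signing secret, the 48-hour validity window and the sample address, IP and timestamps are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Assumed server-side signing secret. In a real deployment it is loaded from a secret
# store and rotated; generating it at import time only makes the example self-contained.
SECRET_KEY = secrets.token_bytes(32)

# How long a confirmation link stays valid. The GDPR sets no figure; 48 hours is an
# assumption chosen for the example.
TOKEN_TTL_SECONDS = 48 * 3600


def _normalise(email: str) -> str:
    # The same address written with different capitalisation must map to the same record.
    return email.strip().lower()


def _mac(email: str, purpose: str, issued_at: int) -> str:
    # HMAC-SHA256 over address, purpose and issue time: a token issued for the newsletter
    # cannot be replayed for another address or another purpose (purpose limitation).
    msg = f"{_normalise(email)}|{purpose}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(email: str, purpose: str, now: Optional[int] = None) -> str:
    """Token to embed in the confirmation link that is e-mailed to the address."""
    issued_at = int(time.time()) if now is None else int(now)
    return f"{issued_at}.{_mac(email, purpose, issued_at)}"


def verify_token(email: str, purpose: str, token: str, now: Optional[int] = None) -> bool:
    """False for malformed, expired, forged or cross-purpose tokens (constant-time compare)."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    now = int(time.time()) if now is None else int(now)
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(mac, _mac(email, purpose, issued_at))


class ConsentLog:
    """Append-only list of consent events; these events are the evidence Art. 7(1) asks for."""

    def __init__(self) -> None:
        self._events: List[Dict] = []

    def _append(self, event: str, email: str, purpose: str, at: int, **extra) -> None:
        self._events.append({"event": event, "email": _normalise(email),
                             "purpose": purpose, "at": at, **extra})

    def request(self, email: str, purpose: str, source_ip: str, consent_text: str,
                now: Optional[int] = None) -> str:
        """Step 1: the visitor ticked an unchecked opt-in box. Record the exact wording shown
        and return the token for the confirmation e-mail. No newsletter is sent yet."""
        at = int(time.time()) if now is None else int(now)
        self._append("requested", email, purpose, at, ip=source_ip, consent_text=consent_text)
        return issue_token(email, purpose, at)

    def confirm(self, email: str, purpose: str, token: str, source_ip: str,
                now: Optional[int] = None) -> bool:
        """Step 2: the link in the e-mail was clicked. Only a valid token activates the consent;
        until then the address is a pending request, not a subscriber."""
        at = int(time.time()) if now is None else int(now)
        if not verify_token(email, purpose, token, at):
            return False
        self._append("confirmed", email, purpose, at, ip=source_ip)
        return True

    def withdraw(self, email: str, purpose: str, now: Optional[int] = None) -> None:
        """Withdrawal must be as easy as consent: no token, no second e-mail, one call."""
        at = int(time.time()) if now is None else int(now)
        self._append("withdrawn", email, purpose, at)

    def is_active(self, email: str, purpose: str) -> bool:
        """Active only while the latest state change for this address and purpose is a confirmation."""
        state = None
        for e in self.evidence(email, purpose):
            if e["event"] in ("confirmed", "withdrawn"):
                state = e["event"]
        return state == "confirmed"

    def evidence(self, email: str, purpose: str) -> List[Dict]:
        """Every event recorded for this address and purpose, oldest first; this is what you hand over."""
        key = (_normalise(email), purpose)
        return [e for e in self._events if (e["email"], e["purpose"]) == key]


if __name__ == "__main__":
    # Constructed walk-through with fixed timestamps so the run is reproducible.
    log = ConsentLog()
    t0 = 1_700_000_000
    token = log.request("Alice@Example.org", "newsletter", "203.0.113.7",
                        "Yes, send me the monthly newsletter.", now=t0)
    print("active before confirmation:", log.is_active("alice@example.org", "newsletter"))
    print("confirmed:", log.confirm("alice@example.org", "newsletter", token, "203.0.113.7", now=t0 + 600))
    log.withdraw("alice@example.org", "newsletter", now=t0 + 86400)
    print("active after withdrawal:", log.is_active("alice@example.org", "newsletter"))
    print([e["event"] for e in log.evidence("alice@example.org", "newsletter")])
```

Withdrawal only appends an event and needs neither a token nor a second e-mail, which is what "as easy as giving consent" amounts to in code. The earlier "requested" and "confirmed" events are kept rather than deleted, so the sender can still prove that mailings sent before the withdrawal were covered. The IP address and the consent wording are stored only because they are what a court or supervisory authority asks for as proof; under data minimisation they should be deleted together with the record once it is no longer needed.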

Consent for minors

Caution: another new feature is that Article 8 GDPR now sets a uniform minimum age for consent where online services are offered directly to children. Consent from minors under 16 (or under 13 if national law provides a lower age) is only effective under the GDPR if it is given or authorised by the holder of parental responsibility.

 

2.3 Do website operators have to adapt their data protection declarations?

The short answer: yes.

The long answer: yes.

All website operators, service providers, shop operators and entrepreneurs face changes to their data protection declarations with the EU GDPR.

The GDPR increases the information obligations towards data subjects (Art. 13 and 14 GDPR). The data protection declaration, with all the required information, must therefore

  • be precise
  • be transparent
  • be understandable
  • be easily accessible
  • be written in clear and plain language
  • name the legal basis for each processing operation

Further new rules that must be observed:

On the one hand, there are new information requirements for pages aimed specifically at children. On the other hand, the GDPR brings a genuine prohibition of coupling (Art. 7(4) GDPR): consents may no longer be tied to the download of certain content such as white papers or checklists. This also affects how data protection declarations have to be reworded.

Without professional advice, it will hardly be possible for many website operators to meet these requirements and create a GDPR-safe data protection declaration. To formulate the necessary technical explanations precisely and at the same time understandable and simple will probably cause the biggest headache here.

In summary: almost all data protection declarations on websites had to be newly created or revised when the GDPR became applicable.

Practical tip: Get legal advice on the new version or revision of your data protection declaration. Samples, checklists and our new GDPR data protection generator can be found at eRecht24 Premium.

 

2.4 The data protection officer and the General Data Protection Regulation

Companies also have many questions about the data protection officer (DPO) in connection with the GDPR:

  • When is a data protection officer mandatory?
  • What about the appointment of a data protection officer?
  • What tasks does a data protection officer have?
  • What training does a data protection officer have to have?
  • Are there any requirements for the certification of a data protection officer?
  • What about the costs or the termination with the data protection officer?
  • Can I appoint an external or internal data protection officer?

When is a data protection officer mandatory?

The General Data Protection Regulation regulates the obligation to appoint a data protection officer throughout Europe in Art. 37 ff. GDPR; in Germany, § 38 BDSG adds a national rule. For companies, the obligation essentially arises from three situations:

  1. your core activity consists of processing special categories of data (Article 9 GDPR) or data on criminal convictions (Article 10 GDPR) on a large scale, or
  2. your core activity consists of processing operations that require "regular and systematic monitoring of data subjects on a large scale" (e.g. user tracking or profiling), or
  3. at least 20 persons (employees or freelancers) are constantly involved in the automated processing of personal data (§ 38(1) BDSG; the threshold was 10 persons until November 2019).

If one of the points applies to you, you need a data protection officer. Under § 38 BDSG a DPO is also required regardless of headcount if you must carry out a data protection impact assessment, or if you process personal data commercially for the purpose of transfer, anonymised transfer, or market or opinion research.

If you need an assessment, you are welcome to commission our GDPR check.

Voluntary appointment: of course, every company can appoint a data protection officer. For reasons of internal control this can be useful even for companies that are not legally required to appoint one. In terms of public image and marketing, a data protection officer is also a good way to signal to customers and supervisory authorities: "We take care of this."

What tasks and responsibilities does a data protection officer have?

The data protection officer monitors compliance with the data protection principles in the company and advises on the record of processing activities. He is also the interface between IT, marketing and management, and the contact person for customers and supervisory authorities on questions about the handling of personal data. Note that the DPO advises and monitors; responsibility for compliance remains with the controller, i.e. company management.

What about the appointment of a data protection officer?

Before the GDPR, the data protection officer always had to be appointed in writing.
Under the GDPR, written form is no longer required: a "signed contract" is not necessary, the GDPR only speaks generally of a "designation" (Art. 37). For reasons of proof, a written appointment is still advisable. What is mandatory is that you publish the DPO's contact details (e.g. in the data protection declaration) and notify them to the supervisory authority (Art. 37(7) GDPR).

What training does a data protection officer have to have? Are there any requirements for the certification of a data protection officer?

There is no legal obligation to have DPO training or certification carried out by particular providers. As an entrepreneur, however, if there is a dispute on this point you must be able to prove that your DPO has the "necessary expert knowledge".

If the worst comes to the worst, it will of course help if the DPO has legal training or a training certificate from TÜV, IHK, etc.

Should I appoint an external or internal data protection officer?

Both models have advantages and disadvantages:

The internal data protection officer is naturally "closer" to the business model and processes of the company. Disadvantage: in practice he will never be able to free himself completely from his superiors, even though the GDPR says he must not receive instructions regarding his tasks (Art. 38(3)). Not every internal employee can be appointed either: managing directors and often also the head of IT are not allowed to be data protection officers in their own company because of conflicts of interest.

With an external data protection officer none of these problems exist. Questions of termination and protection against dismissal, which arise with an internal DPO, also do not apply.

What an external DPO may require is more effort for "onboarding" or familiarisation with company processes. In addition, he is not always available immediately when questions or complaints arise.

Tip: We answer questions about termination and protection against dismissal by the data protection officer in our article "GDPR data protection officer".

Here companies and organizations can order an external data protection officer at low cost.

 

2.5 Attention when processing order data

First: what used to be called "commissioned data processing" (Auftragsdatenverarbeitung, ADV) is now called "processing on behalf" (Auftragsverarbeitung, AV) under the GDPR (DSGVO).

Order data processing is of course not new and has so far been regulated in § 11 BDSG. But with the GDPR there are now uniform European requirements for data processors.

First of all, it is important for you to know: What exactly is ADV?

ADV is the "collection, processing or use of personal data by a contractor (a natural or legal person, authority, institution or other body) who processes the data on behalf of the controller",
e.g .:

  • Use of an external customer center (e.g. call center)
  • external newsletter provider
  • Cloud computing
  • Use of external companies in marketing
  • External data center

Important: even with processing on behalf, the client (the controller) remains the primary contact for data subjects and responsible for compliance with data protection law.

But: what is new under the GDPR is that the contractor (the processor) now has direct obligations of its own.
Processors must, for example:

  • process personal data only on the documented instructions of the controller and engage sub-processors only with the controller's authorisation (Article 28)
  • keep a record of all categories of processing activities carried out on behalf of each controller (Article 30(2))
  • cooperate with the supervisory authority (Article 31)
  • implement technical and organisational measures to ensure data security (Article 32(1) GDPR)

Tip: Read more in our article on order processing, including where you can request or download AV contracts from certain providers!

It is also new that the contract for processing on behalf no longer has to be concluded in writing. Processors and controllers may now also conclude the contract in electronic form (Art. 28(9) GDPR).

The individual requirements for the contract data processing are listed here:
https://www.e-recht24.de/dsgvo-gesetz.html#artikel-28

tip: Check your contracts and contract templates again and adjust the specifications if necessary! This is the only way for clients and processors to be sure that they will also meet the new requirements.

 

2.6 Directory of procedures (directory of processing activities) according to GDPR

According to Article 30 GDPR, every controller must create and maintain a so-called processing directory, officially a "record of processing activities". Data protection professionals will find this familiar: even under the old BDSG, certain companies were obliged to keep a so-called "directory of procedures" (Verfahrensverzeichnis).

What's new in the processing directory according to GDPR?

No more public procedure directory

First the positive news: the procedure directory / processing directory under the GDPR no longer has to be public. Anyone off the street can no longer demand to see it "on request"; the "public procedure directory" of the old BDSG ceased to exist on May 25, 2018.

It is also important that the company management is responsible for the processing directory, not the data protection officer.

Obligation to submit data to data protection authorities

The processing directory according to GDPR is intended for purely company or internal use, but it must be submitted to the data protection authority upon request.

Written or electronic directory?

The GDPR says in Art. 30 Para. 3 that the list of processing activities must be kept in writing, but also allows the electronic form.

Who specifically has to keep a processing directory?

Now, unfortunately, it gets complicated. Art. 30(5) GDPR exempts companies with fewer than 250 employees, so a processing directory is mandatory only for companies that

  • employ 250 or more persons, or
  • process particularly sensitive data within the meaning of Article 9 GDPR, or
  • process personal data on criminal convictions and offences within the meaning of Article 10, or
  • carry out processing likely to result in a risk to the rights and freedoms of data subjects (video surveillance and the like), or
  • carry out data processing that is not only occasional

Processing directory also for online shops and small businesses?

A fierce dispute has already broken out over the criterion "data processing that is not only occasional". Many lawyers and privacy advocates take the view that the processing of customer data is an essential part of every business model on the Internet, because customer and user data is collected on a regular basis.

This means that every online shop and every service provider who concludes contracts with customers online must create a directory of procedures.

Others believe that “not just occasionally” requires data processing to be the actual business purpose or depends on the frequency and extent of data storage.

Here it depends on your willingness to take risks up to a binding specification or clarification by the courts. If you want to be 100% on the safe side, you should keep a directory of procedures. Especially since this can be done in 30 minutes with the right tools for most shops and smaller sites.

The solution was developed by lawyers at the law firm of eRecht24 founder Sören Siebert for handling data protection mandates and has recently also been made available to small companies and sole traders.

What belongs in the directory of procedures (GDPR)?

Essentially, the processing directory (for companies) must contain:

  • the company's name and contact details, plus those of the data protection officer, if any
  • the purposes of the data processing
  • the categories of data subjects
  • the categories of personal data
  • the categories of recipients of the data
  • transfers of personal data to a third country, including the safeguards relied on
  • the envisaged time limits for erasing the various categories of data
  • a general description of the technical and organisational security measures under Article 32(1)

We will shortly present the details of the specific contents of a procedure directory as well as tools and checklists for the creation, the procedure directory for order data processing, etc. in a separate article on eRecht24.

 

3. New data protection obligations for employers

In the course of harmonizing German law with the General Data Protection Regulation (GDPR), the legislator has also adapted employee data protection. The most important change from the employer's point of view is the increased fines of up to 20 million euros and the increased risk of employee lawsuits. However, the regulations force not only employers but all institutions that process employee data to adapt their internal data protection processes.

 

3.1 Who is affected?

employer

First of all, of course, the new regulation affects the employers themselves. Employers are all entrepreneurs who employ employees. Temporary workers or trainees and many other groups of employees are also considered employees. And even applicants will be protected by the new regulations.

Recruiters, works councils, etc.

The new data protection regulations do not only affect employers themselves. Rather, they affect all departments that process personal data in connection with an employment relationship. These can also be recruiters, works councils, authorities and many more.

 

3.2 What is regulated?

The new regulations on employee data protection contain numerous duties and obligations that employers must comply with in the future. In detail:

Only the data that are "necessary" should be collected

In principle, personal data of employees should only be processed if this is necessary for the decision on hiring an applicant or for the implementation, exercise or termination of an employment relationship. Processing is also permitted if it is necessary for the fulfillment of legal rights and obligations, a collective agreement or a company or service agreement or for the purpose of criminal prosecution (these points are initially disregarded below).

Whether and when the collection of certain data is actually necessary must always be determined on the basis of the specific individual case. The conflicting employer and employee interests must be weighed up. This weighing must be made on the basis of previous jurisprudence practice, taking into account the provisions of the GDPR. In case of doubt, qualified legal advice should therefore be obtained.

 

3.3 How do you obtain effective consent from employees?

Anyone who wants to avoid the legal uncertainty surrounding "necessity" can obtain voluntary consent from their employees. In the event of a dispute, however, the employer must prove that the consent was in fact voluntary. This can be problematic: which employee will refuse consent to their supervisor, let alone in the run-up to hiring, if they want to keep or get the job? It is precisely this relationship of dependency that the law requires to be taken into account.

Effective consent must also meet certain formal criteria. Under § 26(2) BDSG it must be given in writing, i.e. signed by hand, or in electronic form, unless a different form is appropriate because of special circumstances.

In addition, the employee must be informed in a suitable form that the consent can be revoked at any time. Ultimately, the employer must create certain conditions for the declaration of revocation. Obtaining consent should therefore be well prepared and followed up.

 

3.4 Burden of proof of the employer in the event of a lawsuit

In case of doubt, an employer must be able to demonstrate compliance with the obligations just mentioned (documentation obligations). Furthermore, employers will in future be confronted with stricter information obligations in the event of data protection violations and numerous other obligations (e.g. deletion obligations).

Tip: With regard to these obligations, employers should therefore thoroughly review their internal company processes and, if necessary, have them adjusted (keyword: compliance management).

 

3.5 Risks of data protection violations

The new rules on sanctioning data protection violations bring a significant change. On the one hand, supervisory authorities can now punish violations with considerably higher fines of up to 10 million euros or 2% of worldwide annual turnover; for serious violations, up to 20 million euros or 4%, whichever is higher in each case.

Furthermore, employee lawsuits are likely to become more expensive, since compensation for non-material damage can now also be claimed (Art. 82 GDPR). In addition, as already mentioned, the employer must prove compliance with data protection rules in court. If he cannot, that is at his expense. Ultimately, this risk can only be minimised through suitable compliance management.

 

3.6 What should employers do?

Employers should check their internal company processes and develop a compliance strategy (or have them developed) with which data protection violations can be prevented.

In addition to adapting the processes, this also includes training and raising awareness among employees. Since this does not happen overnight, employers should start taking the necessary measures now at the latest. If you are not a data protection expert yourself, you should not do without qualified legal advice, as errors in data protection can become expensive in the future.

 

3.7 GDPR checklist for employers

Analyze the data protection-relevant processes in your company

  • Which personal data are processed how, when and why?
  • Which processing operations are problematic under data protection law?

Pay attention to a data protection-compliant contract drafting

  • Make clear agreements with business partners who have access to employee data (e.g. external billing centers).
  • Obtain effective consents from your employees.

In-house compliance management

  • Adjust your internal company documentation and other processes relevant to data protection (compliance management).
  • Note the numerous new obligations (e.g. notification and deletion obligations).
  • Educate your employees about the new duties.

 

4. What penalties and fines are there for violating the GDPR? What about warnings?

 

4.1 Imposition of Fines

Above all, the immensely increased fines provided for by the GDPR are new. Previously, the Federal Data Protection Act allowed fines of up to 50,000 euros, or a maximum of 300,000 euros for very serious violations. Data protection authorities only very rarely exhausted the upper limit, and then only for persistent violations.

That is very likely to change. The GDPR provides for fines of up to 20 million euros or 4% of worldwide turnover of the previous year. The high range of fines is a core component of the GDPR, so that authorities have an effective remedy at hand against globally operating companies in the event of data protection violations.

Important: Take inquiries / complaints from users seriously.
More importantly: Take inquiries / complaints from data protection authorities seriously.
Aim: Avoid fines according to GDPR as far as possible

 

 

4.2 One-Stop-Shop and Responsibilities

However, which authority is responsible has not yet been fully settled in practice: a German state supervisory authority, the Federal Commissioner for Data Protection, or the supervisory authority of another EU country, and whether that responsibility can shift. To avoid this confusion, the regulation provides for the "one-stop shop" principle in Article 56(1) GDPR.

For cross-border processing, the supervisory authority of the member state in which the company has its main establishment is then the lead authority for data protection violations. However, it remains to be seen how the differing responsibilities of different authorities will affect, for example, the amount of fines.

Here one has to wait and see whether the responsibilities regulated in the regulation actually lead to a more data protection-friendly and at the same time simpler implementation.

 

4.3 Warnings and the GDPR

Data protection violations can, as the courts have repeatedly decided in recent years, also be the subject of cease-and-desist warnings (Abmahnungen) under the GDPR.

In the event of GDPR violations there is a risk of warnings and legal proceedings, because:

  • data protection law is relevant under competition law!
  • violations can therefore also be warned by competitors under the GDPR!

4.4 Who do you contact in the event of violations?

If the same law soon applies across the EU, who will be responsible for data protection violations in connection with the General Data Protection Regulation? Is there perhaps a central supervisory authority?

Anyone who sells internationally as an online retailer, for example, may have heard of the new "one-stop shop" in this context. It allows EU citizens to always turn to their own data protection authority with complaints, i.e. the authority in the member state where they live.

Important: This applies regardless of where the data protection breach occurred.

5. Why you can't afford to ignore the new GDPR

The General Data Protection Regulation applies to all companies based in the EU. There are numerous changes that you as a business owner need to make. In the event of violations, you risk warnings or massive fines.


6. The most common mistakes about the General Data Protection Regulation

1. The GDPR only applies to shops and large companies!

Not correct.

There is no limit to the applicability of the GDPR to "large" companies or shops. All websites, regardless of whether they are sole proprietorships or limited companies, must implement the GDPR when it comes to personal data in the company or on the website.

2. We do not process any personal data on our website!

Wrong 99% of the time.

Personal data is not just the name, address or order data collected by shops. Google Analytics, contact forms, newsletter data, IP addresses in server statistics, plugins, the Facebook Like button, etc.: all of these involve personal data.

3. I still have time, there are transition periods!

Not correct.

The GDPR entered into force in May 2016 and has been binding without exception since May 25, 2018. The transition period has therefore already ended.

7. GDPR checklist and frequently asked questions

Here you will find a checklist for the most important questions and answers of the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation - i.e. a regulation that applies throughout the EU. The advantage: Uniform data protection standards are created throughout the Union. The previous data protection patchwork will be a thing of the past.

Since when has the GDPR been in effect?

The GDPR was passed by the EU Parliament on April 14, 2016 and entered into force on May 24, 2016. The EU member states have had to apply the GDPR in a binding manner since May 25, 2018.

Do I have to pay attention to the GDPR at all?

If you are wondering whether you as an entrepreneur need to observe the new GDPR rules:

The General Data Protection Regulation applies to all companies based in the EU. Non-European companies also have to comply with the new rules if they have an establishment in the EU or process personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour.

Who can I contact in the event of violations or disputes?

The General Data Protection Regulation simplifies the procedure for data protection violations and disputes. Anyone who sells internationally as an online retailer has probably heard of the new "one-stop shop" in this context. It allows EU citizens to always turn to their own data protection authority with complaints, i.e. the authority in the member state where they live.

Important: This applies regardless of where the data protection breach occurred.

The one-stop shop also benefits retailers and other entrepreneurs: you only have to deal with a single data protection authority, namely the one in the member state where your main establishment is located.

Does the GDPR also apply to the B2B area?

In many cases, yes. Even with companies, personal data (email addresses of employees, IP addresses of site visitors, etc.) are generated.

New written principle of data security (Article 32 GDPR)

The principle of data security, now explicitly set out in the GDPR, requires controllers and processors to implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk to the data subjects, in order to ensure a level of security appropriate to that risk.

New: right to be forgotten (right to erasure)

The General Data Protection Regulation contains, for the first time, an independent provision on the right to be forgotten: Article 17 GDPR. It applies above all where the purpose of the data processing has lapsed or the data subject has withdrawn consent.

New: right to data portability (data portability)

Also new is the right to data portability, which is now regulated in Article 20 of the GDPR. The new law gives those affected the opportunity to "take" their data with them to another provider. You must therefore (be able to) make data records portable.

New: accountability

The GDPR now also provides accountability (Article 5 (2)). On request, data controllers must therefore be able to demonstrate compliance with all data protection principles to the responsible supervisory authority.

There are also innovations in terms of consent

What matters for you here: if the consents of your customers (e.g. for sending newsletters) complied with the previous legal requirements, those consents remain valid.
There are nevertheless some innovations in the area of consent, so you should inform yourself about them.

Do I have to adjust my privacy policy?

The GDPR raises the requirements for informing and instructing data subjects. Your privacy policy, with all the required information, must therefore be:

  • precise
  • transparent
  • understandable
  • easily accessible
  • written in clear and plain language

Together with the law firm Siebert Lexow, we have also created an extensive GDPR checklist for our readers, which you can download free of charge:

Your 10 point check on the GDPR


8. How to Find the Right Privacy Lawyer

Data protection law is a highly specialised field. A general-practice lawyer who handles employment or inheritance law in a normal office will not be able to help you with questions about the GDPR.

You need a law firm that:

1. focuses primarily on data protection law,

2. is specialised in internet law, and

3. ideally has been doing so for several years.

The authors of this post, attorney Sören Siebert (founder of eRecht24) and attorney Lev Lexow (founder of Legaltrust GmbH), partners in the law firm Siebert Lexow, have dealt exclusively with internet law and data protection for years.

The lawyers of Siebert Lexow have for many months been advising and training medium-sized and large international companies on all questions arising in connection with the General Data Protection Regulation.

If you would like legal advice or need training on GDPR, please contact Siebert Lexow.