The right way of implementing data protection guidelines
Start-ups often build on big data or cloud computing technologies. This usually means that personal data of customers and staff members is being processed, and whenever that is the case the requirements laid down in data protection law must be met. In daily practice this is frequently overlooked.
For this reason we recommend tackling the topic of data protection as early as possible. The first step is to establish which data applications are actually in use. In other words: which data is processed for which purposes, who are the data subjects, and who might receive the data?
On this basis, the lawfulness of each processing operation can be assessed. Customer consent is one legal requirement that may apply. It is usually required for web analytics tools (Google Analytics, etc.) and for profiling customers on the basis of big data. It can also be a prerequisite when you plan to store data abroad with a cloud provider (e.g. Google, Microsoft, Amazon) without obtaining the corresponding authorisation from the data protection authority. In practice, vaguely phrased privacy policies appear on websites or during the installation of an application, but those responsible are often unaware that merely displaying such a policy does not constitute valid consent.
There are also a number of formal rules to heed in order to be on legally safe ground when operating a data application. For instance, the data protection authority has to be notified of the application unless an exception applies (for instance for so-called "standard applications"). If sensitive data (e.g. health data) is processed, the data application is subject to prior checking by the data protection authority, meaning that it may only be put into operation once the authority has cleared it.
Data transfer to the cloud
Cloud technologies allow websites and smartphone applications to be implemented quickly and easily, doing away with the need to set up separate hardware and software infrastructure. Since cloud providers such as Microsoft, Google or Amazon mostly operate their clouds abroad (outside the EEA), such data transfers are usually subject to authorisation. These rules are often overlooked in the race to turn a bright idea into an app before somebody else does, with the result that customer data ends up stored in a cloud without the appropriate legal basis. Last but not least, a service contract that complies with data protection law has to be concluded with the respective (cloud) provider.
Employee data is another tricky subject. In companies with a works council, its processing often requires a works agreement, especially when management plans to introduce control measures that can affect human dignity (e.g. video surveillance). If there is no works council, the individual consent of the employees takes the place of the works agreement as the requirement for lawfully introducing such control mechanisms.
We also advise you to pay attention to the use of privately owned devices for professional purposes (“bring your own device”), as such a policy brings about numerous challenges with regard to data protection and labour law.
Administrative fines for violations
The potential consequences of violations underline how important it is for start-ups to take data protection seriously. A violation of data protection rules can result in administrative fines (of up to EUR 25,000), claims for compensation by the data subjects, injunctions and a prohibition to operate the data application imposed by the data protection authority. What is more, competitors can file for an injunction and damages citing “unfair competition” if your start-up culpably disregards data protection rules.
We will bring you up to speed on all aspects of data protection law, supporting you in the initial research as to which data applications are in use in your start-up and advising you on potential requirements of notification or even prior checking by the respective authority. Should a notification of your data application or authorisation for data transfers abroad be necessary in your case, we will be happy to guide you through the process and also help you draft suitable service contracts and legally sound declarations of consent. We will also be happy to verify whether additional declarations of consent must be obtained from your employees to enable the processing of personal data in your enterprise.
Do not put off looking into the topic of data protection: from May 2018 the EU's General Data Protection Regulation will significantly increase the fines, to a level that can push violators towards bankruptcy. Further information on the implementation of the GDPR is available under the following link: https://cms.law/en/AUT/DSGVO (in German)