10 Points GDPR Checklist - My processors take care of the issueIf your processor is located in Germany or at least in the EU, you should be able to get away with this statement in good conscience. But what if it is not in the EU? That's where things get more complicated. A company based in Turkey, for example, will have relatively little interest in EU law and even if you are accommodated here, it is doubtful whether there is sufficient legal security. Another uncertainty factor is Great Britain, which is still an EU country. If Brexit does happen, it is questionable whether the British will adopt the GDPR for themselves. And of course there is the USA, whose CLOUD Act creates great potential for conflict with the GDPR. Incidentally, in this case you are not only affected if you use a US processor, this also applies to their foreign subsidiaries.
You can find out more about the CLOUD Act here .
4. My customers are not interested in data austria number dataset protection (they share everything anyway)
10-point GDPR checklistAnyone who really believes that is not only being very naive about the issue of data protection, but is also acting with gross negligence. Of course there are always some who do not attach much importance to the issue, but this cannot be assumed in general. In the wake of the recurring data scandals, most people have become much more sensitive to the issue of data protection. Of course there are also people who spread their entire lives on social media, but as a rule only the best side is presented, i.e. very carefully selected information. In addition, responsible and transparent handling of data creates trust and that is the basis for your customer to continue to be your customer.
5. Buying consent through bribery or blackmail
10 Points List GDPR - Consent through BriberyVery clever providers might be tempted to obtain the consent of their prospects and customers through bribery (e.g. in the form of vouchers) or even use subtle blackmail techniques (e.g. certain payment methods only against consent).
However, this is clearly no longer possible with the EU GDPR (Article 7, paragraph 4). For example, Maximilian Schrems (an Austrian data protection activist) is currently suing Facebook because he believes that Facebook requires too much consent from the user to open an account, which is not necessarily required to operate a Facebook account.
However, there are grey areas as to what can still be seen as a convincing argument for consent and not yet as bribery. The best thing to do here is to ask your lawyer or wait for the first court rulings on the subject, because they will come (see Facebook).
6. Not being prepared for the right to information
10 Points List GDPR - Neglecting the Right to InformationHave you already received the first requests for information about the customer data you have stored? No? Then you have been lucky so far! Because according to the GDPR, everyone has the right to receive information about which data is stored about them - even if no data has been stored at all.
Of course you can manage to answer a single request, but what if there are more? Before it gets to that point, you should urgently think about how you can implement an information process in the company that is as automated as possible, and ideally today and tomorrow. Because, especially when there are multiple requests, a month, which you have to provide information according to the GDPR, is not long. Therefore, as much as possible should be digitalized and automated, if only to avoid burdening your own human resources with unnecessary tasks. The data transmitted to the requester must also be able to be processed digitally.