A guest article on the GDPR by:
Dr Oliver Hornung, Attorney at Law for IT & Digital Business and Partner of SKW Schwarz Rechtsanwälte
The following topics are covered in this series of contributions:
- Objectives and principles.
- Rights of data subjects.
- Obligations for companies.
- International data transfers abroad.
- Technical and organisational data protection.
- Commissioned processing.
- Obligation to appoint a company data protection officer.
- New European data protection law also applies to website operators.
- Supervisory Authorities.
- Fines and Sanctions.
- Employee data protection.
- What is to be done for companies?
The GDPR clearly emphasises the importance of technical and organisational data protection. This includes the rules on Privacy by Design / Privacy by Default, on commissioned processing (processing on behalf of a controller), on the notification of personal data breaches and on company data protection officers.
Privacy-by-Design and Privacy-by-Default
The GDPR obliges data controllers to take data protection requirements, in particular data minimisation, into account from the development stage of products and services onwards (for example, the type and scope of the data collected, pseudonymisation and anonymisation, access rights and storage periods). In addition, default settings must be configured so that only those data are collected which are necessary for the specific purpose.
Data breach notifications
Personal data breaches must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. An exception applies if the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. Such a risk can be excluded, for example, by appropriate encryption, which prevents third parties from gaining knowledge of the data if a data carrier is lost. If, however, the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the controller must also notify the data subjects themselves without undue delay. Here, too, an exception applies if the controller has taken appropriate technical and organisational measures, such as encryption, which render the data unintelligible to unauthorised third parties.