Data protection for independent mediators

What self-employed mediators need to consider in order to work in compliance with data protection regulations.

This article looks at the data protection requirements that independent mediators face in their work, both in contact with clients and in the back office (including with their own employees).



1. Legal basis for data protection in the mediation office

General Data Protection Regulation and Federal Data Protection Act

German data protection law rests on the General Data Protection Regulation and the Federal Data Protection Act. The General Data Protection Regulation (GDPR) has applied directly in all EU member states since 25 May 2018. It protects natural persons with regard to the processing of personal data, Art. 1 I GDPR. Alongside the GDPR stands the Federal Data Protection Act (BDSG), whose current version came into force on the same day. Some articles of the GDPR contain opening clauses that allow the individual member states to enact deviating or more specific rules; these must not contradict the basic principles of the GDPR. In effect, the GDPR and the BDSG apply side by side, with the GDPR taking precedence.

[Alongside the GDPR, an ePrivacy Regulation was also intended to come into force, extending the protection of personal data to the communication channel itself. At the time of writing it was not expected before 2020.]

Applicability of the GDPR

The GDPR applies whenever personal data is processed, Art. 2 GDPR. Under Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person, for example a name, address, date of birth, nationality, bank details or fingerprints. Processing within the meaning of Art. 4 No. 2 GDPR covers any operation performed on personal data, whether or not by automated means: collection, recording, organisation, structuring, alteration, storage, retrieval, consultation, use, disclosure, erasure and so on. Whenever such data is handled, the GDPR therefore applies. The controller must observe the principles for handling personal data listed in Art. 5 I GDPR. Under Art. 4 No. 7 GDPR, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Mediators are controllers in this sense; they may also fall under the term "enterprise" in Art. 4 No. 18 GDPR. Processing of personal data is lawful only if one of the legal bases in Art. 6 I GDPR applies. Consent under Art. 6 I a) GDPR is one of them: processing is lawful if the data subject has given consent to the processing of their personal data for one or more specific purposes. The other bases relevant to a mediation office are the performance of a contract or steps taken at the data subject's request before entering into one (Art. 6 I b)), compliance with a legal obligation such as tax retention (Art. 6 I c)) and the controller's legitimate interests (Art. 6 I f)). Whichever basis applies, the controller must also comply with the data protection principles of Art. 5 I GDPR: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.

Breaches of data protection law should not be underestimated: fines under Art. 83 GDPR can be substantial, and data subjects can additionally claim damages under Art. 82 GDPR.

Now that the legal requirements of the GDPR have been highlighted, the question arises as to how data protection can be implemented in practice in a mediation office. 


Initial contact with clients and pre-contractual data processing. 

Before a contract is concluded, data processing is lawful under Art. 6 I b) GDPR if it takes place at the request of the data subject. How long the data received may be stored is less clear. Under Art. 17 I a) GDPR it must be erased without undue delay once it is no longer necessary for the purposes for which it was collected or otherwise processed. The period must therefore be derived from the principle of data minimisation and from the purpose of the processing, and it should be assessed case by case. If, for example, contact has been made and an offer to conclude a contract is followed by 14 days without any further contact, it can be assumed that there is no longer any interest and the data must be deleted. The period may differ depending on the type and complexity of the contract. A further question is how to treat itemised telephone bills, for instance, since individual entries on them cannot be accessed and therefore cannot be deleted. First, the telephone number on them is treated as anonymised because it is not stored together with the name. Second, the itemised bills remain important to the controller for determining and checking telephone costs, so that the exception in Art. 17 III e) GDPR may apply.

Schwartmann/Klein (DS-GVO/BDSG commentary) state the following on the lawfulness of processing in the pre-contractual relationship:

"Their processing, in particular their storage at the time of pre-contractual measures, is permitted in any case until the receiving party can recognise whether the transmitted data may be necessary for the fulfilment of the contract. However, the data must then be deleted if it turns out that it is not necessary for the actual fulfilment of the contract."

Problems with initial telephone contact

Initial contact by telephone brings its own challenges, now also under data protection law. The duty to inform under Art. 13 GDPR includes providing contact details (including those of the data protection officer, where one exists) and the purpose of the processing. Whether simplified information by telephone, with a mere reference to a privacy policy on the website or in the draft contract, is sufficient is disputed. Because of the change of medium (telephone to website), such information is not, strictly speaking, "easily accessible" as the law requires; in practice, however, since people no longer "go online" but are constantly online, it is considered sufficient. Easy access to the privacy policy can be ensured by giving out an Internet address or a QR code. If a contract is subsequently concluded, it is advisable to attach the information on data processing as an annex.


Consent to data processing by the data subject

The data subject should give consent in an informed manner, for a specific case and unambiguously, in the form of a declaration or another unambiguous affirmative action (Art. 4 No. 11 GDPR).

When obtaining consent, it is essential to ensure that the data subject is capable of consenting and does so voluntarily. Voluntariness means that no pressure is exerted on the data subject and that they have a genuine choice. Consent should be accompanied by the notice that it can be withdrawn at any time (Art. 7 III GDPR). For information society services offered directly to a child, Art. 8 GDPR applies: a person under 16 cannot consent alone, and consent must be given or authorised by the holder of parental responsibility, Art. 8 I subpara. 2 GDPR. Consent does not have to be given in writing, but written form is recommended for evidential purposes, since the controller bears the burden of proving that consent was given, Art. 7 I GDPR.

In this context it is disputed whether consent can also extend to the mode of communication, for example where the mediator does not use encryption for email contact. On the one hand it is argued that if consent to the "whether" of data collection is possible, it must apply all the more to the "how" of data transmission.

On the other hand it can be argued that Art. 4 No. 11, Art. 6 I a) and Art. 7 GDPR refer only to the "whether" and not to the "how", and that the latter cannot be waived because an appropriate level of protection must be maintained under Art. 32 GDPR: that provision addresses risk, and the risk remains even where consent has been given. Note also that consent can in any event only cover the personal data of the consenting party, not that of the other party to the mediation or of third parties mentioned in the correspondence. Given the fines threatened for breaches of data protection law, the safer course is to use encrypted communication.

...


Online presence of mediators

A website, even one that merely presents the office and does not ask for any data (for example via a form), must be accompanied by a privacy policy. The reason is that the web server and content management system automatically create log files and cookies when the site is accessed, and these, together with the IP address, allow conclusions to be drawn about a person. If the website offers the option of subscribing to an electronic newsletter, entering the address and clicking the subscribe link is in itself a consent act in data protection terms. To be on the safe side, however, a double opt-in procedure should be used: a confirmation email is sent to the address entered and the subscription only becomes active once the link in it has been clicked, which ensures that third-party email addresses cannot be signed up. Any doubt about whether consent exists falls on the controller, who has to demonstrate it, Art. 7 I GDPR.

...


Measures for the protection of personal data

To protect personal data appropriately against unauthorised third parties, suitable measures must be taken, Art. 24, 25 and 32 GDPR, taking into account among other things the state of the art. Such technical and organisational measures are commonly abbreviated as "TOMs". In essence, measures should be in place for the following controls: physical access control (Zutrittskontrolle), access control to systems and data (Zugangs- and Zugriffskontrolle), transfer control, input control, processor (order) control and availability control, and they should guarantee that the purpose limitation and separation requirement is observed.

First, the risks and threats in the specific organisation must be identified so that the necessary measures can be matched to its particular features. Decisive factors are the nature, scope and purpose of the processing and whether the cost of implementing a measure is proportionate to the specific case. The requirements should also be reviewed regularly, since they can change at any time, for example when the practice grows or as technology develops.

Technical and organisational measures (TOMs) in detail:

  • Physical access control can be achieved through lockable filing cabinets or office rooms, security locks, video surveillance and supervision of support staff.
  • System and data access control requires secure storage, destruction and encryption. Meeting notes, for example, should not be left lying around openly, and if flipcharts are used, the completed sheets should be taken down and stored away. All files, data carriers and the WLAN should be encrypted and password-protected, and the passwords should at least meet the generally recognised minimum requirements (sufficient length, no reuse across systems). Systems should be protected by a suitable firewall and updated regularly. For communication, emails should be encrypted at least in transit (TLS; its predecessor SSL is obsolete and should no longer be used). Transport encryption between mail servers is negotiated automatically and is supported by the major German email providers, but it only protects the message on the hop between two servers, and only if both of them support it; on the servers themselves the message is stored in plain text. End-to-end encryption (e.g. S/MIME or PGP) takes more effort to set up but offers considerably greater protection: the message is encrypted on the sender's device and decrypted only on the recipient's, so it remains unreadable on the mail servers in between. Encryption using independent third-party software, a so-called container solution, is also possible.
  • For transfer control, the controller should always check whether data can be pseudonymised before it is forwarded, and should always encrypt it.
  • Input control can be ensured by logging who entered, changed or removed which data; this should be sufficient if a record of processing activities is kept.
  • To ensure that data is only processed on instruction (processor control), the controller should always consider what contractual obligations it has entered into and issue the necessary instructions to its processors.
  • The availability of data can be ensured by an emergency concept and a backup system. Backups should be stored separately from the production system and tested by actually restoring from them.
  • To comply with the purpose limitation and separation requirement, physical data separation and an authorisation concept should be in place: for example, separate storage in different files or on different data carriers, with access limited to specific people.

Personal data

The GDPR distinguishes between special categories of personal data, often called sensitive data, and other personal data, Art. 9 GDPR. Which personal data counts as sensitive under the GDPR?

Sensitive personal data

Sensitive personal data (the special categories of Art. 9 I GDPR) reveal, or at least allow inferences about:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data processed for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person's sex life or sexual orientation

Processing such data is prohibited unless one of the exceptions in Art. 9 II GDPR applies, for example the explicit consent of the data subject.

...
...

The processing directory. Mandatory and due diligence requirements.

Obligation to keep a processing register

Art. 30 GDPR requires every controller to keep a record of processing activities. Under Art. 30 III GDPR it may be kept in writing, including in electronic form. Art. 30 V GDPR exempts enterprises or organisations with fewer than 250 employees, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or it includes special categories of data under Art. 9 I or data under Art. 10 GDPR. This exemption will not help mediators: processing client data is part of their typical business operations and is therefore not merely occasional.

The record must be kept in a form that can be checked at any time. The anchor for this is Art. 5 II GDPR, since accountability means precisely that compliance with Art. 5 I GDPR can be demonstrated. The record must contain the information listed in Art. 30 I sentence 2 GDPR.

The record must make it easy to see which data was collected, when, how and why, and when it is to be deleted. To keep it easy to maintain, it should be clearly organised; the controller can use the template on the website of the German Bar Association or that of the State Commissioner for Data Protection.


...


Appointment of a data protection officer

Under Section 38 I BDSG in conjunction with Art. 37 GDPR, the controller must appoint a data protection officer if, as a rule, at least 20 people are permanently engaged in the automated processing of personal data. Irrespective of the number of employees, Section 38 I BDSG requires a data protection officer if the processing is subject to a data protection impact assessment (Art. 35 GDPR) or if personal data is processed commercially for the purpose of transfer, anonymised transfer, or market or opinion research. Independently of the BDSG, Art. 37 I GDPR itself requires an officer where, among other things, the core activities consist of large-scale processing of special categories of data.

For typical mediation offices this will not be the case, since they usually employ fewer than 20 people and do not process special categories of data on a large scale. Even without a data protection officer, the obligations of the GDPR apply in full; the responsibility simply remains with the mediator as controller.

...


Retention and deletion obligations

The controller must also ensure, for reasons of data minimisation, that only necessary data is collected and processed; this prevents the uncontrolled accumulation of data. It may be advisable to anonymise certain data, possibly after a set period, so that it can no longer be attributed to a specific person. Whether this is appropriate depends on the purpose pursued; if the data is to be used for statistical purposes, anonymisation is recommended.

One difference between mediation offices and law firms is that mediators are not subject to any retention obligation under the Mediation Act, whereas a lawyer must keep the case file for at least six years, § 50 I sentence 2 BRAO. Both, however, are subject to the ten-year retention obligation under tax law, § 14b UStG and § 147 I and III AO, which under § 147 IV AO begins at the end of the calendar year in which the document was created. To keep an overview, deletion periods should be documented for each category of data and deletion should be implemented automatically.

The "right to be forgotten" in Art. 17 I GDPR sets out the conditions under which personal data must be erased without undue delay. Paragraph 3 contains exceptions, for example where processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation such as a statutory retention period, or for reasons of public interest in scientific or historical research.

Data protection also covers the proper disposal and destruction of data. Data carriers must be wiped in such a way that the data cannot be recovered, and paper files must be shredded so that they cannot be reassembled and read. Where erasure is impossible or disproportionate, processing must at least be restricted, Art. 18 GDPR. This applies, for example, where a retention obligation conflicts with a deletion request; the documents must then be marked as restricted (blocked) and, apart from storage, may only be processed in the cases listed in Art. 18 II GDPR.

...

Data protection in favour of our own employees

Data protection must be observed not only towards clients and parties to the mediation but also towards the firm's own employees. This follows from Section 26 I sentence 1 BDSG, under which employees' personal data may be processed only for the purposes of the employment relationship. Application documents and payslips, for example, must therefore also be collected and processed in compliance with data protection law. The controller is also responsible for ensuring that its employees maintain data confidentiality and handle data in a compliant manner; in particular, employees may process personal data only on the controller's instructions, Art. 29 GDPR. In practice this means binding staff to confidentiality in writing and instructing them accordingly.

...


What are processors – and what needs to be considered.

If the controller engages external service providers within the meaning of Art. 28 GDPR, so-called processors, it must select them carefully, Art. 28 I GDPR. Examples are providers that destroy files or maintain the IT systems, and likewise hosting and email providers. A contract meeting the requirements of Art. 28 III GDPR must be concluded with each of them. Templates for such contracts are available on the website of the State Commissioner for Data Protection.

...


The data breach – and what to do

The controller has a duty to notify the competent supervisory authority and, in some cases, to communicate with the data subjects if a personal data breach has occurred, Art. 33 and 34 GDPR. A breach can be triggered, for example, by the loss of a data carrier (laptop, USB stick, smartphone, etc.) or by mixing up email addresses. Whether the controller is at fault is irrelevant. The breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, Art. 33 I sentence 1 GDPR; Art. 33 III GDPR lists the information the notification must contain. Notification to the authority may be omitted only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Communication to the data subjects under Art. 34 GDPR is required only where the breach is likely to result in a high risk, and it is dispensed with where the data was rendered unintelligible to unauthorised persons, for example by encryption, Art. 34 III a) GDPR. Whether these exceptions apply must be judged on an overall assessment: the nature of the breach, which data is affected, and whether physical, material or non-material damage is to be expected. The assessment is the controller's responsibility, and the controller must be able to demonstrate that no risk existed. If there is no risk because adequate security measures were in place, for example because the lost data carrier was fully encrypted and the key has not been compromised, the controller is not obliged to notify. Regardless of whether a notification is made, every breach must be documented internally with its facts, its effects and the remedial action taken, Art. 33 V GDPR.

...


The right to information of the person concerned, their own obligation to provide information and what this has to do with the confidentiality obligation arising from the mediation relationship.

Under Art. 15 GDPR the data subject has the right to obtain from the controller confirmation as to whether personal data concerning them is being processed and, where that is the case, access to the personal data and to the information listed in Art. 15 I a) to h). Care must be taken that information is given only to the person entitled to it. Where there are reasonable doubts about the identity of the person making the request, additional information may be requested, Art. 12 VI GDPR, for example a copy of the identity card, which the data subject may redact except for name, photo and address. Under Art. 15 III sentence 1 GDPR the controller must provide a copy of the personal data undergoing processing; a reasonable fee may be charged only for further copies, Art. 15 III sentence 2 GDPR. It is advisable to be prepared for access requests. Ideally this is implemented technically so that only data suitable for disclosure is extracted, without the data of other persons.

Mediators have the particularity that they are generally bound to confidentiality towards the parties to the mediation, Section 4 Mediation Act. How this relates to the right of access to personal data that was obtained from a third party is a real question. Under Art. 14 V d) GDPR and Section 29 BDSG, the third party's interest in confidentiality must be weighed against the data subject's interest in information. Under Section 29 I BDSG, however, this balancing will generally favour the third party, i.e. the party to whom confidentiality is guaranteed.

Under Section 29 III BDSG, the investigative powers of the supervisory authorities under Art. 58 I e) and f) GDPR do not apply to the persons named in Section 203 I and III of the German Criminal Code (StGB) or their processors if exercising those powers would lead to a breach of those persons' confidentiality obligations. Lawyers are among those persons, Section 203 I No. 3 StGB, but mediators as such are not listed. Mediators must therefore grant the supervisory authorities access so that they can assess the data processing.

Data protection is a complex and multifaceted topic, but there is no reason to shy away from it. Especially because of the threat of fines, everyone should take appropriate measures to protect personal data. Some of them are easier to put in place than you might expect. Moreover, once a system has been carefully set up, it is easier to maintain and expand, and this pays off in the long term.

...


Concluding tips for practice:

  1. The GDPR also applies to all analogue (paper-based) data processing in your office!
  2. The authorities can at any time ask your office to explain its data protection arrangements (keyword: record of processing activities!).
  3. Document all measures you take in your office with regard to data protection (training, cover letters, assignment of tasks, checklists, etc.).
  4. Don't let this put you off!
  5. Stay up to date. Further reading:
  • Bertolino, C.: Data protection in the mediation office, in: Zeitschrift für Konfliktmanagement, 2/2019, pp. 58-62.
  • Dendorfer-Ditges, R. / Schmidt-Gorbach, W.: Data protection 2018. Innovations and challenges for mediators, in: Konfliktdynamik, 4/2018, pp. 318-322.
  • Däubler / Wedde / Weichert / Sommer: EU-DSGVO und BDSG. EU General Data Protection Regulation, new Federal Data Protection Act, further data protection regulations. Commentary, 2nd updated edition, 2020.