Data protection for independent mediators – Expert interview

What self-employed mediators need to consider in order to work in compliance with data protection regulations.

The expert interview with attorney Maria Fetzer of the Leipzig law firm SPIRIT LEGAL Lawyers deals with pitfalls and missteps in the web presence of self-employed persons and companies, as well as the first important steps towards GDPR-compliant websites and advertising.

1. Hello Maria, as a lawyer and expert in data protection law, and therefore in the digital presence of self-employed people and companies: which three serious but easily rectifiable missteps in the web presence of self-employed people and companies do you find again and again in practice?

To summarise, websites often lack transparency with regard to data protection. There is often no transparent privacy notice on the website that describes the processing operations actually taking place and fulfils the requirements of the General Data Protection Regulation. People often cut corners here and resort to free templates from the internet in the expectation of getting data protection-compliant legal texts for nothing. This backfires in view of the numerous recent European court judgements (e.g. "Planet49"), which must be taken into account when drafting legal texts for websites. Particularly when integrating tracking tools (e.g. Google Analytics), care should be taken to revise the privacy notice and cookie banner accordingly and to integrate the tools in a data protection-compliant way. In addition, we are often confronted with missing or inadequate imprints (Impressum), which can have consequences under competition law, among others. The list is long; we could easily fill an entire day with this topic.

2. If, as an entrepreneur, I have decided to pay more attention to data protection than before, now in light of the GDPR and further legislation (...), what would you recommend as the first five steps I should take?

We can recommend the following steps:

  1. Data mapping: The company should analyse and compile the processing operations and data flows taking place within the company and list them in a "record of processing activities". This should be structured so that the categories of personal data processed, the legal bases, the recipients, any transfers to third countries and the deletion periods can be seen. Template records are already provided by numerous supervisory authorities.
  2. Status analysis: As part of a stocktake, the status quo of the implementation of the General Data Protection Regulation's requirements in the company should be analysed. In particular, weak points in the company (e.g. IT systems) and potentially critical systems, e.g. video surveillance systems with audio recording, should be examined and checked for compliance with data protection principles. Such systems may even require a data protection impact assessment in accordance with Art. 35 GDPR.
  3. Data contract management: It is also essential to conclude data protection contracts (e.g. data processing agreements) with external service providers who process personal data on behalf of the company. The devil is in the detail here, and professional advice should be sought before concluding such an agreement, in particular to minimise liability risks.
  4. Data protection information: Companies should ensure that they provide applicants, customers and employees with transparent information about the processing that takes place within the company. This includes, in particular, information about the purposes of the processing, any recipients of the data, the storage period and the legal basis for the processing, see Art. 13 GDPR.
  5. Check the website for points of exposure: Every website operator is advised to review the use of tracking tools on the website, as web tracking is a focus of the supervisory authorities. Integrating third-party content or tracking tools, such as Google Analytics, which process end-device information and evaluate user behaviour on the website, is generally only permitted with the express consent of the user. The website visitor must have the opportunity to find out how the respective tools work before using the website and to consent to or reject each of them individually. The supervisory authorities are extremely sensitive in this area and have already initiated the first fine proceedings. Negligence therefore does not pay off here, as the fines under the GDPR can reach significant sums.
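The consent gate described in step 5, as an added example that is not part of the interview or the law firm's material: a small loader that keeps every third-party tracker unloaded until the visitor has made an explicit per-category choice, treats a missing, malformed or outdated stored choice as "no consent", and re-prompts when the consent text changes. The tracker registry, the category names, the stored record format and the loadScript hook are assumptions for illustration; the gtag URL carries a placeholder measurement ID.

```javascript
// Added example (not from the interview): consent-gated loading of third-party
// trackers. Nothing in the registry loads until the visitor has opted in to its
// category; a stale or malformed stored choice counts as "no consent".
// Registry entries, category names and the storage format are assumptions.

// Bump this whenever the privacy notice or the set of tools changes, so that
// consent given for an older text is not silently reused.
const CONSENT_VERSION = 2;

// Default is deny-all: no category is pre-ticked.
const DEFAULT_CHOICES = Object.freeze({ analytics: false, marketing: false });

// Each tool is bound to exactly one consent category and carries the purpose
// text that the banner shows before the visitor decides.
const TRACKER_REGISTRY = {
  googleAnalytics: {
    category: "analytics",
    // Placeholder measurement ID (assumption); replace with your own.
    src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX",
    purpose: "Statistical evaluation of visitor behaviour on this site",
  },
  adPixel: {
    category: "marketing",
    src: "https://example.invalid/pixel.js", // constructed placeholder
    purpose: "Conversion measurement for advertising campaigns",
  },
};

// Parse a stored consent record (e.g. the value of a first-party cookie).
// Returns null for anything missing, malformed or from an older consent
// text, so the caller shows the banner again instead of guessing.
function parseStoredConsent(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (err) {
    return null;
  }
  if (!record || record.version !== CONSENT_VERSION) return null;
  if (!record.choices || typeof record.choices !== "object") return null;
  // Only an explicit `true` counts as consent; anything else is a refusal.
  const choices = {};
  for (const category of Object.keys(DEFAULT_CHOICES)) {
    choices[category] = record.choices[category] === true;
  }
  return { version: record.version, choices, decidedAt: record.decidedAt };
}

// Build the record to persist after the visitor clicked in the banner.
// `now` is injected so the timestamp is reproducible.
function recordConsent(choices, now = new Date()) {
  const normalised = {};
  for (const category of Object.keys(DEFAULT_CHOICES)) {
    normalised[category] = choices[category] === true;
  }
  return { version: CONSENT_VERSION, choices: normalised, decidedAt: now.toISOString() };
}

// Names of the trackers whose category the visitor consented to.
function selectTrackers(choices, registry = TRACKER_REGISTRY) {
  return Object.keys(registry).filter(
    (name) => choices[registry[name].category] === true
  );
}

// Inject only the consented scripts. `loadScript` is a hook that, in a
// browser, would append a <script async src=...> element; it is passed in so
// the decision logic runs without a DOM.
function applyConsent(choices, loadScript, registry = TRACKER_REGISTRY) {
  const loaded = selectTrackers(choices, registry);
  for (const name of loaded) loadScript(registry[name].src);
  return loaded;
}

// Page-load entry point: decide whether the banner must be shown and load
// whatever was previously consented to. `rawStoredConsent` would come from
// document.cookie or localStorage in a browser.
function onPageLoad(rawStoredConsent, loadScript) {
  const stored = parseStoredConsent(rawStoredConsent);
  const choices = stored ? stored.choices : DEFAULT_CHOICES;
  return { needsBanner: stored === null, loaded: applyConsent(choices, loadScript) };
}
```

The two points worth copying are that the default is deny-all (no tracker is loaded before a choice exists) and that the stored record carries the version of the consent text, so that changing the privacy notice or adding a tool invalidates earlier choices instead of stretching them.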

3. Which further steps and measures in data protection will be absolutely important in the future, which are urgent, and which can still be put in the "backlog" and implemented in the near future?

Probably the most important and most often forgotten step is to sensitise employees to the protection of personal data. There is often a lack of awareness that even an email with contract documents sent to the wrong recipient can be a reportable data protection incident, which may result in regulatory proceedings. In addition, the publication of photos of events or employees, e.g. on the website, should be treated with caution. In the area of photographs, the interaction of various legal requirements must be taken into account, such as the general personality rights of the person depicted. Before publishing employee photos on the website, for example, the consent of the employees concerned must therefore be obtained and documented accordingly. It is also helpful to run through the internal processes for the case that data subject rights are asserted, and to define fixed contact persons for handling such requests, for example when a customer exercises their right of access under Art. 15 GDPR. The company has only a comparatively short time window to process the relevant facts, as the information must be provided without undue delay, and in any case within one month of receipt of the request. The time component alone can present a company with challenges.

4. Which (advertising) activities should I rather, or absolutely, refrain from as a self-employed person today, not only because they are unlawful, but also because they are guaranteed to cause damage, and not just to those whose data protection rights are affected?

Clearly: direct marketing via email without the consent of the recipient or another authorisation, see Section 7 UWG. Here we are not primarily dealing with the GDPR but with the Act against Unfair Competition (UWG). This can result in warning letters, regulatory proceedings and claims for damages by recipients. It is therefore always important to ensure that a suitable legal basis for sending promotional emails can be proven and that consent is documented accordingly, e.g. by means of the double opt-in procedure. In addition, for the reasons already outlined, the legal framework should be clarified before publishing photographs or video recordings for advertising purposes in order to avoid liability risks.

5. When people need concrete and serious advice, people like you are there to help. For self-employed people who want to find out more first: what can they do to work out their digital strategy and then implement it?

The websites of the state data protection authorities, the Data Protection Conference and the European Data Protection Board already provide helpful information. They regularly publish resolutions, current statements and instructions on various data protection issues, such as video surveillance or web tracking. As a law firm, we also offer a free newsletter in which we regularly provide information on current developments.

6. What else is important or good to know if I, as a self-employed person or entrepreneur, need to align my digital strategy with data protection and competition rules, etc.?

It is important not to see the numerous legal requirements and specifications as an obstacle, but as an opportunity to stand out from the competition with a legally sound digital strategy and its implementation.

Maria Fetzer…

is a lawyer and has been working in the Spirit Legal team since 2017. Her main areas of specialisation are data protection, IT, technology and smart mobility. She studied law at the University of Leipzig, specialising in media law, and is doing her doctorate in the field of data protection law on legal issues relating to autonomous and automated mobility. Before joining the Spirit Legal team, she worked in the public administration of a major German city and in the legal department of an international automotive group in Stuttgart. She brings her love of technology and medicine to advising clients with sophisticated data-based business models, distribution platforms and experts in research and development for healthcare and mobility.

Contact us

https://www.spiritlegal.com