What kind of data is meant?
The German Data Protection Act (GDPR) refers to personal data. This is information about affected individuals (natural persons) whose identity is known or identifiable. A person can be identified by address, telephone number, image in a photo, IP address, vehicle registration number, social security number, and so on.
All of this, and all data connected to it, is subject to the Data Protection Act, for example everything an employee processes for a business case.
Which aspects are covered by the law?
The technical format is irrelevant (IT and paper); everything is covered:
- Databases in company software
- Excel, Word
- Video and audio recording, photo
As soon as a reference to a person can be established, the data is to be protected!
When can I use data?
- Use in the vital interest of the person concerned
- Legal authorisation or legal obligation
- Predominantly legitimate interests (e.g. performance of contract)
- The consent of the person concerned has been obtained
- Data is generally public or anonymous
What should I always take into account?
You should observe the following principles in your daily work:
- Integrity, fairness and transparency
- Restricted use: use data only for specified, explicit and legitimate purposes and under no circumstances in a way which is incompatible with those purposes
- Data reduction: collect and process only as much data as is strictly necessary to achieve the purpose for which it was collected
- Correctness: factually correct and up-to-date
- Storage limitation: data should be pseudonymised and/or deleted if possible as soon as there are no more storage obligations
- Integrity and confidentiality: organisational, administrative and technical security measures must be respected
- Accountability: you must be able to justify all your activities!