Data Protection: “The obligations and the liability risk are increasing”

DOTMAGAZINE: Dr. Küchler, the new GDPR puts the focus on “Opt-in” rather than “Opt-out”. What does this mean in practice?

DR. KATHARINA KÜCHLER: The question of “Opt-in” or “Opt-out” revolves around which form of permission needs to be obtained from the affected parties for the processing of their personal data. Do they need to actively declare their agreement, for example by ticking a box, (Opt-in) or is the person or company doing the processing allowed to presume agreement if the affected party doesn’t contradict this by, for example, un-ticking a pre-ticked box (Opt-out).

The background to this is that in both the German Federal Data Protection Act and the GDPR, the principle applies of prohibition unless permission is granted. This means that the processing of personal data is in principle prohibited, unless there are grounds for justification. Such a ground can be a legal allowance, or in the absence of such, the permission of the affected person. For valid consent, the GDPR requires that this is obtained through an unambiguous confirmatory action, in which the affected person declares voluntarily, for a specific case, in an informed manner, and unequivocally that he or she is in agreement with the processing of his or her personal data (Recital 32 GDPR). Therefore an explicit Opt-in, with which the affected person declares their consent for the processing of their data, is required. Silence, pre-ticked boxes or lack of action by the affected person does not represent consent.

This is particularly relevant for the area of email marketing. Even in the existing legal situation, the Certified Senders Alliance recommends senders of email advertising should always obtain written consent in the style of a “Douple Opt-in” (for more information on Double Opt-In, see Rosa Hafezi's article "Email Marketing Without Breaking the Law"). This recommendation is now substantiated by the GDPR. Details on the topic of permissible email marketing can be found here.  

DOT: How important will it be in future to have good risk management?

KÜCHLER: The GDPR contains a range of obligations for documentation and proof (Accountabilities). Among others, companies are obliged to keep a catalog of all processing activities. Affected parties also have far-reaching rights to information and disclosure and Art. 35 GDPR contains the new stipulation that a data protection impact assessment must be carried out for all processing that could potentially result in a high risk for the rights and freedoms of natural persons. Given this abundance of obligations, companies need technical solutions, such as a data protection management system, that help to collect store, process, and analyze data securely.

DOT: What are the special issues with relation to contracted data processing involving service providers?

KÜCHLER: The new central norm for contracted data processing is Art. 28 GDPR. According to Paragraph 1, the person responsible (controller) for the choice of a service provider (processor) must check the suitability of the service provider. A contract needs to be made with the service provider regarding the extent of contracted activities. The contracted processors are bound by the instructions from the controller. Standard contracts will need to be amended to reflect the new requirements.

There are also major changes coming for the processor. The processor is now, according to Art. 30 Paragraph 2 GDPR, also obligated to keep a record of all processing activities for all categories of activities carried out on behalf of a controller. This is an obligation that has previously, at least in Germany, only applied to the controller. In addition, affected parties can now go directly to the processors with claims for compensation for infringements of the GDPR. As a result, the processors are given much greater responsibility in the GDPR than was previously the case. The number of obligations and the liability risks are increasing for them. These should be taken into account in the drafting of agreements for the processors.

DOT: And what can companies expect in the case of violations?

KÜCHLER: Companies will face harsh punishments for infringements under the GDPR. Art. 83 Paragraph 5 of the GDPR offers the supervisory authorities the possibility of imposing fines of up to 20 million Euro or, for corporations, up to four percent of the worldwide turnover of the preceding financial year. This means that data protection infringements should no longer be seen as trivial. Rather, they can damage a company considerably, alongside the damage to reputation.

Dr. Katharina Küchler studied Law and obtained her doctorate at the University of Cologne. Since June 2016 she works as Legal Counsel for eco- Association of Internet Industry, the largest Internet industry association in Europe and DE-CIX, a one hundred percent subsidiary of eco . Prior to joining the eco group, she worked for various companies in the ICT sector. At eco Dr. Küchler is also responsible for the data protection and has helped to create the eco External Data Protection Officer Service.

Data protection and what’s in store for companies with the forthcoming EU GDPR will be a focus of the December 2017 issue of dotmagazine – stay tuned!