What you should know about data protection

Take a moment and make yourself familiar with basic data protection topics such as

Applicability: When does data protection law apply and what are (sensitive) personal data?

Data transfer: Which legal types of data transfer exist and what must be done in case of a cross-border transfer?

Data subject involvement: When is consent a suitable legal basis and which rights does the individual have?




Transparency


According to Art. 13 Para. 1 S. 1 GDPR, it is the controller who has to provide the data subject with certain information about the data processing.

There may be several controllers that process personal data either in a joint controllership (Art. 26 GDPR) or in a separate controllership. While the controllers of a joint controllership may agree that only one of them is responsible for providing the information (cf. Art. 26 Para. 1 S. 2 GDPR), separate controllers have to inform the data subject regardless of whether the other controller has already done so.

Primarily, the GDPR differentiates between the case where personal data are collected “from the data subject” (regulated in Art. 13 GDPR) and the case where personal data “have not been obtained from the data subject” (regulated in Art. 14 GDPR).

Unfortunately, the law does not specify when data is collected “from the data subject”. The lack of any restricting criteria speaks in favor of a broad understanding. However, too broad an understanding risks being impractical for many modern data processings in which the data subject, although undoubtedly the source of the information, is not aware of the data processing, e.g. when accidentally pictured by a hidden camera.

Therefore, Art. 13 should be deemed applicable only to those data processings in which the data subject, in a certain context, actively provides data (e.g. by passing through the entrance of a supermarket that is filmed by CCTV). Constellations in which it is the controller, pursuing a legitimate purpose, who approaches the data subject and thus initiates the data subject’s involvement in a data processing should be considered extrinsic collection.

Employee Data Protection


A dedicated employee data protection act does not exist in German law. However, Section 26 of the Federal Data Protection Act (“BDSG”) addresses the processing of personal data for the purposes of the employment relationship. According to Section 26 (7) BDSG, this includes oral data processings such as team meetings.

According to Section 26 (1) S. 1 BDSG, personal data of employees may be processed if this is necessary for the decision on the establishment, the performance or the termination of an employment relationship, or for the fulfilment of rights and duties of employee representative bodies resulting from a law, a collective agreement or a works agreement. Furthermore, within the narrow limits set by Sec. 26 (1) S. 2, personal data may be processed for the detection of criminal offences committed by employees.

Section 26 Para. 3 allows for the processing of sensitive personal data about the employee (such as health data) beyond the limits stipulated in the GDPR, while Para. 4 clarifies that the processing of employee data – including sensitive data – may be based on collective agreements, a suitable processing basis for many companies with a works council.

Generally speaking, neither the GDPR nor the BDSG prevent employers from asking their employees for consent. However, according to Art. 7 (4) GDPR, consent must be “freely given”. Consent that does not fulfil this requirement cannot be deemed valid and might rather be considered a violation of Art. 5 (1) (a) GDPR, as it could motivate the employee to share data with their employer without being legally obliged to do so.

In order to determine whether or not consent may be regarded as freely given, according to Section 26 (2) BDSG the dependency relationship between employer and employee as well as the circumstances under which the consent has been obtained must be taken into consideration. Circumstances that speak in favor of freely given consent may, according to Section 26 (2) S. 2 BDSG, prevail if the employee gains a legal or economic advantage or if employee and employer pursue common interests with the data processing.

By way of derogation from the general GDPR consent requirements, Section 26 (2) S. 3 BDSG requires that consent for employee data processings be given in writing or electronically.



Sensitive Data


Art. 9 (1) GDPR provides an exhaustive list of so-called special categories of personal data. These are: personal data revealing the person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning the person’s health, sex life or sexual orientation, and genetic or biometric data processed for the purpose of uniquely identifying a natural person.

While normally only the aforementioned data categories are called “sensitive”, special regulations apply as well to personal data relating to criminal convictions and offences (Art. 10 GDPR). Furthermore, particular data categories such as location data, data about the economic or financial situation of the data subject, and their personal preferences, interests, reliability and behavior may, in light of a certain purpose or context, also be regarded as sensitive. This is particularly the case where such data is used with the intention of profiling as defined in Art. 4 No. 4 GDPR.

The so-called special categories of personal data listed in Art. 9 (1) GDPR may only be processed if one of the exemptions listed in Art. 9 (2) is fulfilled.

An important exemption is the data subject’s consent (Art. 9 (2) (a)). This must be given explicitly, which means that the individual sensitive data categories are to be listed in the consent form.

According to Art. 9 (2) (b), the processing of sensitive data is also legitimate, if it is required “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”. In a similar way, Art. 9 (2) (h) opens the door for individual national regulations if the processing is necessary for “preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”. The German BDSG provides for respective regulations inter alia in Section 22.

Finally, sensitive data may be processed if “manifestly made public by the data subject” (Art. 9 (2) (e)).

Data Transfer


The increasing diversification of technical and operational know-how in business life often requires the involvement of service providers or other cooperation partners.

While for some business relationships the exchange of mere contact data related to the business partners themselves suffices (to enable communication), the focus of other relationships lies on the processing of personal data itself. This is particularly the case where personal data needs to be collected, structured and/or analyzed by a service provider to meet marketing, sales or other needs. Storage capacity for a growing amount of personal data is another prominent reason for many companies to entrust a contractor with access to personal data.

If such services are provided only for the principal’s purpose(s), and sovereignty over the definition of essential processing circumstances such as retention periods, data categories, data subjects and access rights remains, contractually safeguarded, with the principal, the cooperation must be considered a controller-processor relationship according to Art. 28, 29 GDPR.

In contrast, a joint controllership (as defined in Art. 26 GDPR) is characterized by both partners, having agreed contractually on the essential processing circumstances, pursuing their own business goals, which do not need to be identical but must be defined together.

The “common horizon of meaning” that is characteristic of both the controller-processor relationship and the joint controllership is lacking in a separate controllership: here, both parties may adjust essential processing circumstances as well as their respective purposes independently of the other partner – the processing horizons are not connected to each other.

According to Art. 28 Para. 3 S. 1 GDPR, the processing of a service provider in the role of a data processor “shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

Moreover, the contract must, inter alia, contain regulations on the involvement of subprocessors – entities that are commissioned not by the principal but by the processor for the achievement of the purposes set forth in the data processing agreement. Art. 28 Para. 2 GDPR stipulates that the controller must approve such subprocessors either by giving specific authorization or by having the contractually granted possibility to object to an intended involvement on the basis of the processor’s prior notification.

Last but not least, the processor, according to Art. 29 GDPR, “shall not process […] data except on instructions from the controller, unless required to do so by Union or Member State law.”

An agreement must also be concluded by the parties of a joint controllership in order to determine “in a transparent manner […] their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14” (Art. 26 Para. 1 S. 2 GDPR).

Art. 26 Para. 3 clarifies that, independently of the agreement’s role description, the data subject “may exercise his or her rights under this Regulation in respect of and against each of the controllers.”

On that point, the joint controllership does not differ from the separate controllership, where, unlike for the controller-processor and the joint-controller relationship, dedicated data protection regulations between the parties are not required, although they are recommendable from an organizational point of view.

Transborder Data Flow


According to Art. 45 Para. 1 GDPR, “[a] transfer of personal data to a third country or an international organisation may take place where the [European] Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”

The Commission has so far adopted a so-called “adequacy decision” with respect to the following countries: Andorra, Argentina, Canada (limited to commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom. Data transfers to such countries are treated the same as transfers within the EU/EEA.

By contrast, transfers to so-called unsafe third countries – countries that, from the EU Commission’s perspective, do not provide an adequate data protection regime – regularly require a special “safeguard” to ensure compliant processing.

Among the possible safeguards for data transfers to unsafe countries listed in Art. 46 Para. 2 GDPR are the so-called “Standard Data Protection Clauses” adopted by the European Commission. The Clauses contain mandatory rules, partly individually designed for the four possible transfer constellations: EU-controller to non-EU-controller, EU-controller to non-EU-processor, EU-processor to non-EU-processor and EU-processor to non-EU-controller. For instance, the Clauses’ module for EU-controller to non-EU-processor must be chosen where the services of a US IT service provider are used, provided that the latter is able to access the controller’s personal data in the course of the service provision.

A suitable alternative to the Standard Data Protection Clauses regarding data transfers occurring between companies of the same business group are the so-called “Binding Corporate Rules” for which Art. 47 Para. 2 GDPR stipulates basic content requirements.

Neither the Standard Data Protection Clauses nor the Binding Corporate Rules need to be put in place if a derogation according to Art. 49 Para. 1 GDPR applies. Important examples for such derogations are the data subject’s explicit consent to the transfer (Art. 49 Para. 1 lit. a GDPR) and the transfer’s necessity “for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request” (Art. 49 Para. 1 lit. b GDPR).

Territorial Scope


The GDPR also applies, according to Art. 3 (2) (a), to controllers or processors not established in the EU if they process personal data of data subjects in the EU with the intention of offering them goods or services, irrespective of whether a payment is required. As a consequence, the GDPR applies to non-EU companies that promote their products to people living in the EU, e.g. by offering a corresponding delivery destination.

Furthermore, the requirements of the GDPR must be fulfilled by controllers or processors who monitor the data subject’s behavior – e.g. by performing website tracking – if this behavior takes place within the EU (Art. 3 (2) (b)). Finally, the GDPR applies where Member State law is applicable by virtue of international law (Art. 3 (3)).

Data processings conducted by controllers or processors outside the EU/EEA must also comply with the GDPR if the processing takes place “in the context of the activities” of an establishment of the controller or processor in the EU (Art. 3 (1)). Hence, as long as the processing is organized and maintained by an EU/EEA-based establishment, the GDPR applies.

Material Scope


A data processing, as defined in Art. 4 (2) GDPR, means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. Art. 4 (2) contains a non-exhaustive list of examples of such operations, including the collection, recording, storage, disclosure by transmission and dissemination of personal data. Not only “constructive” operations, but also the erasure and destruction of personal data are mentioned as possible forms of operation.

While the GDPR undisputedly applies to all electronic data processings (“wholly or partly by automated means”, Art. 2 (1)), non-electronic processings are only covered if the data form (or are intended to form) part of a filing system. The term filing system is defined in Art. 4 (6) and means “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.

The purpose of data protection is to enable the person’s impartial and unworried participation in social life by regulating the use of personal information by entities that could potentially hinder the person from expressing themselves and actively taking part in social life, e.g. by spreading political opinions or engaging in economic activities. Such “hindering entities” may be public offices, credit agencies or employers.

In spaces where such risks do not prevail – among family members, friends or even close colleagues – the GDPR does not apply if the processing of personal data is conducted “by a natural person in the course of a purely personal or household activity” (Art. 2 (2) (c)). As a result, data protection law need not be complied with as long as friends, family members (or other intimate conversation partners) keep the information private. However, where the intimate circle is broken by one or several communication partners and information is disclosed to third parties, the GDPR applies again.

Personal Data


According to Art. 4 Para. 1 GDPR, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. The legislative text mentions the person’s name only as one example of an “identifier”. Hence, not only the name, but everything that contributes to the individualization of a person can make data personal.

Furthermore, data may be personal even though the person’s civil identity – name, address, birthdate etc. – remains concealed. In other words: identification of a person is not a prerequisite for the existence of personal data; individualization suffices. A prominent example of individualization without identification is the tracking of website browsing activities by means of cookies, canvas fingerprinting or other technologies: targeted advertising based on individual tracking profiles is possible without knowledge of the person’s civil identity.

Sometimes, the person’s name is not only unnecessary but even useless for individualization – and is therefore not personal data. This can be the case for very common names such as “Müller” or “Meier” if they are mentioned in a context where it is impossible to assign them to particular persons.

As a result, it is only the context in which particular data is communicated that allows for a definite assertion as to whether the data is personal or not.

Data must be considered anonymous if it has no (more) potential to individualize a person. This typically holds true for statistics whose purpose is to evaluate behavior or characteristics of a group but not of individual data subjects.

However, even statistical data may be personal if the selection criteria for the group’s composition unveil a group member’s identity. This is possible if particular criteria (e.g. “female” or “older than 60 years”) occur only once within the group. In this case, the aggregation method used to conduct the statistical analysis proves ineffective in terms of anonymization.

While the “aggregation method” aims at diluting the individual character of a dataset by compiling it with the datasets of other data subjects, the “removing method” focuses on data elements within a dataset: the removal of identifiers such as the person’s name or birth date may lead to a “paling” of the dataset. In many cases, a combination of the aggregation and the removing method is required to successfully achieve anonymity.

A third method that can generate anonymity is encryption. Like the other two methods, the effectiveness of encryption depends heavily on “objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments” (Recital 26 S. 4 GDPR).

Therefore, if an anonymization method such as hashing with MD5 has failed to resist re-identification attempts, it must be considered ineffective from that time on. This is why technical developments such as the emergence of new attack techniques demand a continuous check as to whether a once selected encryption or hashing method still upholds anonymity.
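The aggregation method, the removing method and the limits of hashing described above can be checked mechanically. The following Python script is an added example and not part of the original text: it applies the removing method to a constructed record set, measures the smallest group size over a chosen set of quasi-identifiers (the "female" or "older than 60" case is a group of size 1), coarsens the birthdate as an aggregation step, and finally shows that replacing a field by its MD5 digest leaves every group exactly as large as before, i.e. a deterministic hash changes the look of the data but not its potential to individualize. All names and dates are constructed sample values.

```python
import hashlib
from collections import Counter

# Constructed sample records (fictitious people): a direct identifier ("name"),
# quasi-identifiers that a statistic might keep, and one sensitive attribute.
RECORDS = [
    {"name": "A. Müller",  "birthdate": "1958-03-02", "sex": "female", "zip": "80331", "diagnosis": "asthma"},
    {"name": "B. Meier",   "birthdate": "1990-07-14", "sex": "male",   "zip": "80331", "diagnosis": "none"},
    {"name": "C. Schulz",  "birthdate": "1992-11-30", "sex": "male",   "zip": "80331", "diagnosis": "none"},
    {"name": "D. Weber",   "birthdate": "1989-01-09", "sex": "male",   "zip": "80331", "diagnosis": "asthma"},
    {"name": "E. Fischer", "birthdate": "1991-05-21", "sex": "female", "zip": "80331", "diagnosis": "none"},
    {"name": "F. Wagner",  "birthdate": "1993-09-03", "sex": "female", "zip": "80331", "diagnosis": "none"},
    {"name": "G. Becker",  "birthdate": "1962-12-17", "sex": "male",   "zip": "80331", "diagnosis": "none"},
]

DIRECT_IDENTIFIERS = ("name",)


def remove_identifiers(records, identifiers=DIRECT_IDENTIFIERS):
    """Removing method: drop the direct identifiers from every dataset."""
    return [{k: v for k, v in r.items() if k not in identifiers} for r in records]


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def min_k(records, quasi_identifiers):
    """Smallest group size. A value of 1 means some combination singles out one person,
    which is exactly the case in which aggregation fails as an anonymization method."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers):
    """The quasi-identifier combinations that occur only once within the group."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [combo for combo, n in classes.items() if n == 1]


def generalize_birthdate(records):
    """Aggregation step on one attribute: replace the exact birthdate by a coarse band
    (the band boundary is a constructed choice for this sample)."""
    out = []
    for r in records:
        year = int(r["birthdate"][:4])
        band = "born before 1970" if year < 1970 else "born 1970 or later"
        out.append({**{k: v for k, v in r.items() if k != "birthdate"}, "birth_band": band})
    return out


def hash_field(records, field):
    """Replace a field by its unkeyed MD5 hex digest. Deterministic and one-to-one on
    distinct inputs, so it relabels values without merging any group."""
    return [{**r, field: hashlib.md5(r[field].encode()).hexdigest()} for r in records]


if __name__ == "__main__":
    plain = remove_identifiers(RECORDS)
    q_exact = ("birthdate", "sex", "zip")
    print("exact birthdate, k =", min_k(plain, q_exact))              # 1: everyone is unique
    banded = generalize_birthdate(plain)
    q_band = ("birth_band", "sex", "zip")
    print("banded, k =", min_k(banded, q_band), singled_out(banded, q_band))  # 1: two lone members
    print("banded without sex, k =", min_k(banded, ("birth_band", "zip")))     # 2
    hashed = hash_field(plain, "birthdate")
    print("md5 birthdate, k =", min_k(hashed, q_exact))               # still 1
```

The last line is the point of the passage: the group sizes before and after hashing are identical, so the "paling" that hashing seems to provide is cosmetic, and the real question is only how expensive it is to map a digest back to the small set of possible birthdates.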

Marketing


From a data protection point of view, consent for marketing operations is generally required if the company’s legitimate interests (Art. 6 [1] [f] GDPR) do not override the fundamental rights and freedoms of the data subject. This is particularly the case where the data categories used for the marketing operation are to be considered highly sensitive. The latter is regularly the case with special categories of personal data (such as health data) or location-based marketing.

A risky and therefore consent-requiring marketing operation prevails as well if the data subject’s profile serves as the marketing base. A profile might enable the analysis and/or prediction of aspects concerning the person’s economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (cf. Art. 4 No. 4 GDPR). As a result, where website tracking relies on data concerning the person’s search history or shown interests, consent is required even in the absence of highly sensitive data categories.

Finally, the sensitivity of marketing operations may result from the marketing method applied: unlike written marketing, “live” vocal advertising must usually be considered more intrusive and requires the person’s prior approval.

Recital 47 (7) GDPR states that, “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” according to Art. 6 (1) (f) GDPR. This statutory clarification must, however, not be overestimated as the existence of a legitimate interest itself does not necessarily lead to an overriding interest.

In accordance with the competition law that applies to the marketing activity as such, the mere use of the person’s postal address for paper mail advertising may take place without the person’s consent if, as provided for in Section 7 (2) No. 1 UWG, it is not obvious – e.g. in light of a “no advertising” sticker on the mailbox – that the person does not want to receive advertising. In addition, a marketing activity without the prior consent of the person may, pursuant to Section 7 (3) UWG in connection with Art. 6 (1) (f) GDPR, take place where (1) the person’s e-mail address has been obtained from the person in the context of the sale of a product or service, (2) the address is used for direct marketing of one’s own similar products or services and (3) the person has not objected to the use of the address. If these three conditions are fulfilled, the person may be sent advertising without prior consent, provided that the right to object at any time is transparently communicated to the customer at the moment of data collection and then each time the address is used.

Data Subject Rights


Depending on the individual processing circumstances, the data subject has, inter alia, the following rights: right to access (= What kind of data do you process about me?, Art. 15 GDPR), right to rectification (= You are processing incorrect data about me – please correct it!, Art. 16 GDPR), right to erasure (= I want my data to be deleted!, Art. 17 GDPR), right to restriction (= Stop using my data for operational purposes!, Art. 18 GDPR), right to data portability (= I want my data to be extracted in a structured, commonly used and machine-readable format in order to transmit it to another company, Art. 20 GDPR), right to object (= Stop using my data for marketing purposes or other legitimate reasons!, Art. 21 GDPR), right to withdraw consent (Art. 7 Para. 3 GDPR), right to lodge a complaint with a supervisory authority (Art. 77 GDPR) and right to compensation (Art. 82 GDPR).

All rights – except for the right to withdraw consent and the objection against direct marketing – are limited. For instance, the answering of an access right request may, according to Art. 15 Para. 4 GDPR, “not adversely affect the rights and freedoms of others”. “Others” include the data controller insofar as business secrets are concerned.

Despite often being claimed as an absolute right, the so-called “right to be forgotten” does not need to be satisfied where the processing is still necessary to fulfil a legitimate and overriding business interest.

Furthermore, some of the rights, namely the right to data portability, the right to object and the right to withdraw consent apply only if the respective processing is based on a particular legal basis.

Restrictions to the above-mentioned data protection rights may not only be found in the GDPR but also in the German Federal Data Protection Act, Sections 34 et seq.



Your Business Sector – additional data protection requirements?




Healthcare

Medical treatment regularly requires the processing of information about the biological and/or psychological state of patients. To ensure adequate and promising treatment, it will often be necessary to share the collected health data with other health practitioners such as more specialized doctors or hospitals.

Furthermore, the specialization of the modern health industry entails the involvement of service providers that take over payment transactions and/or other interactions with the patient.

The increasing digitalization, triggered partially also by modernized statutory regulation, allows for a more flexible communication with patients via "doctor's consultation apps" or health portals enabling the patient to easily upload sensitive files about their state of health.

The GDPR considers health data as special personal information that may be processed only under exceptional circumstances.

Both the GDPR and the Federal Data Protection Act provide for exemptions enabling the collection of health data for treatment purposes. However, doctors and other responsible parties should carefully assess to what extent the involvement of individual service providers – e.g. cloud storage or health app providers – complies with data protection law, especially when it comes to data transfers to so-called unsafe third countries.

Another compliance duty of often underestimated importance is the notification of patients regarding the processing of their data. This notification must take place not only on time (= before the processing has started) but also in a way that is suitable to indicate the potential risks resulting from digital health solutions such as health trackers or the transmission of data via unencrypted messaging.

Online Shops

Modern online shops comprise many different data processings that either enable shopping activities and/or provide for an attractive shopping experience. Personal data is required to take orders from customers and, subsequently, deliver the ordered products to the designated recipient(s).

The anonymity of the internet increases mistrust between potential customers and shop owners. As a consequence, the latter have a deep interest in delivering products only to reliable and solvent customers. The risk of fraud may, in the case of purchase on account, be minimized by solvency checks that precede the order confirmation and require the processing of sensitive financial information about the customer.

The shopping experience may be enhanced by integrated social plugins that enable the customer to use the payment functionality of social networks or other tech companies instead of the payment features provided directly in the webshop.

Last but not least, the webshop's performance may be measured by a huge variety of analytics tools allowing for detailed insights into the customer's shopping habits.

The GDPR provides for different legal bases enabling the processing of webshop customer data. Dealers should assess carefully whether, from a data protection perspective, a processing triggered by the webshop may still be considered necessary for the fulfilment of a service requested by the customer or whether the customer's consent must instead be obtained.

As the GDPR expects the responsible party – here: the shop owner – to be able to prove that the data subject (customer) has consented, the respective consent forms should be part of an overarching consent management system that allows for the automated receipt, verification and withdrawal of consent. Even in cases in which consent, from the GDPR perspective, is not considered necessary because overriding legitimate interests of the shop owner would legitimize the data processing as well, other laws – such as the German TTDSG – might require consent.
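The consent management system asked for here (receipt, verification and withdrawal of consent, with proof that consent was given), the explicit listing of sensitive categories from the Sensitive Data section, and the three conditions of Section 7 (3) UWG from the Marketing section can all be expressed in one small piece of logic. The following Python code is an added example written for this page, not a product or a library: the `ConsentLedger`, `Customer` and `may_send_email_marketing` names, the purpose strings and the idea of binding each record to a hash of the exact consent wording are assumptions made for the illustration. It stores an append-only consent record per subject and purpose, treats consent as valid only for the wording version it was given for and only while not withdrawn, requires a sensitive category to have been listed explicitly, and otherwise falls back to the UWG conditions for e-mail marketing of similar products.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # e.g. "email_marketing" or "health_profile" (constructed labels)
    text_version: str            # fingerprint of the exact consent wording shown to the person
    categories: tuple            # sensitive categories listed explicitly in the form, if any
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store covering receipt, verification and withdrawal of consent.
    Records are never deleted: a withdrawal is recorded as a timestamp, so the
    controller can still prove that (and for which wording) consent once existed."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    @staticmethod
    def version_of(consent_text: str) -> str:
        # Bind the record to the wording actually displayed; a changed text is a new version.
        return hashlib.sha256(consent_text.encode("utf-8")).hexdigest()[:16]

    def record(self, subject_id, purpose, consent_text, categories=(), at=None) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, self.version_of(consent_text),
                            tuple(categories), at or now())
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at=None) -> int:
        """Mark every active consent for this subject and purpose as withdrawn; return the count."""
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at or now()
                count += 1
        return count

    def has_valid_consent(self, subject_id, purpose, current_text, category=None) -> bool:
        """Valid only if consent was given for this purpose, for the wording currently in use,
        has not been withdrawn and, for sensitive data, explicitly names the category."""
        version = self.version_of(current_text)
        for rec in self._records:
            if rec.subject_id != subject_id or rec.purpose != purpose:
                continue
            if rec.withdrawn_at is not None or rec.text_version != version:
                continue
            if category is not None and category not in rec.categories:
                continue
            return True
        return False


@dataclass
class Customer:
    subject_id: str
    email: str
    email_from_sale: bool                     # (1) address obtained in the context of a sale
    objected: bool = False                    # (3) the person has (not) objected
    informed_of_objection_right: bool = False  # right to object communicated at collection


def may_send_email_marketing(customer, product_is_similar, ledger, consent_text) -> bool:
    """Either valid consent for the current wording, or all Section 7 (3) UWG conditions
    (sale context, own similar products, no objection) plus the transparently communicated
    right to object."""
    if ledger.has_valid_consent(customer.subject_id, "email_marketing", consent_text):
        return True
    return (customer.email_from_sale and product_is_similar
            and not customer.objected and customer.informed_of_objection_right)


if __name__ == "__main__":
    ledger = ConsentLedger()
    text_v1 = "I agree to receive the newsletter by e-mail."      # constructed wording
    ledger.record("u1", "email_marketing", text_v1)
    print(ledger.has_valid_consent("u1", "email_marketing", text_v1))   # True
    print(ledger.withdraw("u1", "email_marketing"))                      # 1
    print(ledger.has_valid_consent("u1", "email_marketing", text_v1))   # False
```

Two design points worth noting: consent is verified against the wording currently in use, so silently editing the consent text invalidates old records instead of stretching them, and the withdrawal path never loses the original record, which is what "being able to prove" consent requires once a dispute arises.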

Independently of the legal bases, privacy notices must be implemented into the website covering all of the shop-specific features including tracking and targeting technologies that are invisible to the customer.

Insurance

At least two major events in the relationship between insurer and insured require the collection and evaluation of comprehensive datasets.

The need for detailed information arises for the first time when insurance is requested: the insurer has a deep interest in satisfying both economic and legal duties that may, in the case of statutory health insurers, result from legal provisions and/or insurance terms. Private health insurers must ensure that the risks brought by new insurees into the insurance pool are reflected in the individual insurance conditions, so that newcomers are prevented from becoming a burden for the insurance community. This can reliably be guaranteed only by means of meaningful information about the person's health.

The mistrust resulting from the naturally opposed interests of (potential) insurees and the insurer reinforces the insurer's wish to directly request health reports from health practitioners such as doctors or hospitals.

The involvement of third parties in the examination of the person's health situation may, again, be deemed necessary if a damage case occurs. Different means and technologies are imaginable which would allow the insurer to verify the existence and/or severity of the damage case claimed by the insured.

Several national laws such as the VVG (for private insurers) and the SGB V (for statutory health insurers) regulate the collection and exchange of personal data between data subjects and insurer as well as between insurer and medical practitioners. Such laws are deemed special provisions in relation to the general data protection provisions in the GDPR or the Federal Data Protection Act, which deal on a more abstract level with the processing of health data. Where consent requirements are stipulated in special provisions, the consent requirements and conditions outlined in the GDPR usually apply as well.

As a result, insurers must consider the whole legislative landscape when assessing the admissibility of data processings concerning the insured.



Rental

The landlord-tenant relationship may be divided into different phases that all require the processing of personal data about the tenant.

It starts with the selection of potential tenants: To cope with the high demand of living space in popular areas, landlords understandably wish to conduct a preselection of sometimes many hundreds of interested persons. The more detailed the information about the potential renter, the easier the preselection. From the landlord’s perspective, there is almost no information that could not be of relevance for the preselection.

However, while some data may be considered crucial (e.g. information about the approximate income to draw conclusions about the renter’s financial stability) other data such as hobbies or family status will regularly be of less importance for a well-founded decision.

The more crucial the information the higher the landlord's need to verify its correctness before offering the renting contract to a selected candidate. This often requires the involvement of third parties such as credit agencies (proof of creditworthiness), employers (salary statement) or current landlords (rent payment certificate).

Once a suitable renter has been found, the carrying out of the renting contract might require the processing of consumption data (heating, water), to provide for a correct utilities statement.

The conflicting, often even opposed, interests of landlords and (potential) renters with respect to the processing of partly sensitive information about the renter’s financial circumstances and living preferences, regularly require a balancing of interests.

For an appropriate balancing, a clear distinction between "essential" and "non-essential" needs of the landlord regarding the selection of reliable and solvent renters must be established.

While it is, on the one hand, obvious that a landlord must be able to conduct criteria-based selections, the sensitivity of some of the information requested and the potential risks of discrimination and/or denial of existential living needs resulting from detailed renter profiling must also be taken into consideration.

In contrast, a balancing is of course not necessary where data is undoubtedly required for the fulfilment of the renting contract. This might apply (as the case may be) to contact and consumption data.



Banking and Finance

If the granting of a loan to a natural person is at issue, it is in the fundamental interest of the credit institution to ensure its own financial flexibility and deposit protection. In order to be able to grant even higher loans despite the risk of default, an individual risk assessment of the potential borrower is required.

In addition to the creditworthiness of the applicant, the applicant's reliability – i.e. the likelihood of misuse/fraud by the person – is also an important decision-making criterion for the credit institution. Data on creditworthiness and reliability are extremely sensitive, as they potentially allow the data subject to be stigmatized. It is therefore all the more important that the score values on which the risk assessment is often based are calculated by means of scientifically reliable calculation methods. The financial institution either uses its own empirical values for scoring (so-called internal scoring) or tasks a credit agency with the (automated) generation and provision of score values (so-called external scoring). The negative or positive data on which the scoring is based are themselves often highly sensitive, since they inform about the previous payment behavior of the potential borrower and – in the case of external scoring – are based on empirical values from a large number of so-called submitting companies.

Numerous sector-specific regulations – including those in the German Banking Act (KWG), the German Securities Trading Act (WpHG) and the German Money Laundering Act (GWG) – enable or require the creation of creditworthiness and/or reliability profiles. In some cases, it is specified in detail which individual data categories may or must be processed for which purpose and from which sources the data may be obtained. The respective regulations do not always aim at ensuring the legitimate interests of the financial institution but, as in the case of the relevant provisions of the German Civil Code (BGB), at protecting the consumer from financial overload.







Assessment

You want us to analyse the individual data protection requirements affecting your own business? Book us for a data protection compliance assessment.
