The Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) has used Safer Internet Day 2024 to clarify persistent data protection misconceptions.
Here are a few misconceptions:
- Data protection wants to prevent digitalisation
No. Digitalisation, yes, but in a legally compliant way and with data protection built in.
- With consent, everything is permitted.
No. Consent is given only for one or more specific purposes (Art. 6 para. 1 lit. a GDPR); on that basis, personal data may not be used for any other purpose.
Consent must always be freely given and informed, and it can be withdrawn at any time; withdrawing it must be as easy as giving it (Art. 7 para. 3 GDPR).
- If data is pseudonymised, the GDPR does not apply.
No. Pseudonymised data remains personal data, because it can be attributed to the data subject again with the help of additional information, such as the key or mapping table that was kept separately (Art. 4 No. 5 GDPR). Only genuinely anonymised data, which can no longer be attributed to a person, falls outside the GDPR.
- GDPR does not apply to private individuals, but only to companies, public authorities and businesses.
No. The controller can be any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR). Private individuals can therefore also be held responsible under data protection law; the exemption for purely personal or household activities (Art. 2 para. 2 lit. c GDPR) is narrow and does not cover, for example, processing that reaches beyond the private sphere.
- GDPR only applies to electronic data processing.
Not true. The GDPR also applies to the analogue processing ("paper form") of data, provided the data form part of, or are intended to form part of, a filing system (Art. 2 para. 1 GDPR).
- GDPR is so strict
This is not the case. The rules on the processing of personal data in the GDPR have largely remained the same as those of the previous Data Protection Directive (Directive 95/46/EC) and its national implementations; what the GDPR added was a largely harmonised data protection law across Europe.
This has made it much easier to move data within Europe (EU/EEA), which is a stated, but often overlooked, goal of the GDPR (Art. 1 para. 3 GDPR). In addition, the GDPR also applies to controllers and processors outside the EU/EEA if they offer goods or services to individuals in the EU or monitor their behaviour (Art. 3 para. 2 GDPR).
- Only major „data breaches“ must be reported to the supervisory authority.
This is not the case. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it (Art. 33 para. 1 GDPR); the deadline runs from awareness, not from the incident itself, and a late notification must state the reasons for the delay.
According to Art. 4 No. 12 GDPR, a personal data breach is a breach of security which, whether accidental or unlawful, leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of natural persons. Under the accountability principle (Art. 5 para. 2 GDPR) the controller must be able to demonstrate that this exception applies, and every breach, reported or not, must be documented (Art. 33 para. 5 GDPR). Since cases with no risk at all are rare, notification in accordance with Art. 33 GDPR is usually unavoidable, even for minor incidents.
- The audit of the implementation of the GDPR, in particular the security of processing in accordance with Art. 32 GDPR, is only to be carried out once at the beginning.
This is not the case. According to the GDPR, the technical and organisational measures (TOM) must not only be implemented once; the controller must also have a procedure for regularly testing, assessing and evaluating the effectiveness of the TOM (Art. 32 para. 1 lit. d GDPR).
Whether the TOM are still appropriate is measured against the state of the art, the costs of implementation and the risk of the processing (Art. 32 para. 1 GDPR); a measure that was adequate when it was introduced may no longer be, as the state of the art moves on.
Data breaches in particular can mean that existing processes and technical implementations have to be re-examined.
- Consent must be given to a privacy policy.
No. A widespread misconception in connection with consent concerns the privacy policy.
With a data protection declaration – the term "data protection notice" is better – the controller fulfils its duty to inform the data subjects, including employees, customers, users and business partners.
As the name implies, these information obligations serve to inform the data subject about the purposes of the processing, the recipients of the data, the storage period, etc. (Art. 12 ff. GDPR, in particular Art. 13 and 14). Neither an acknowledgement nor consent is required, and consent should not be requested: the notice is information, not a contract term, and a "consent" to it would wrongly suggest that the processing itself rests on consent.
Further errors in data protection – TLfDI press release (only available in German): https://www.tlfdi.de/fileadmin/tlfdi/presse/Pressemitteilungen_2024/240202_PM_SID.pdf
We will be pleased to help you – e-mail: consulting@adorgasolutions.de