The Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) has used Safer Internet Day 2024 to clear up persistent data protection misconceptions.

Here are a few of them:

  1. Data protection wants to prevent digitalisation.

     No. Digitalisation, yes, but legally compliant and with data protection built in.

  2. With consent, everything is permitted.

     Consent is only given for a specific purpose. Personal data may not be used for any other purpose.

     Consent must always be voluntary and informed; it can be withdrawn at any time.

  3. If data is pseudonymised, the GDPR does not apply.

     No, because pseudonymised data can be traced back to the original data using additional tools.

  4. The GDPR does not apply to private individuals, but only to companies, public authorities and businesses.

     No. The controller can be any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR). Private individuals can therefore also be held responsible under data protection law.

  5. The GDPR only applies to electronic data processing.

     Not true. The GDPR also applies to the analogue processing ("paper form") of data (Art. 2 para. 2 GDPR).

  6. The GDPR is so strict.

     This is not the case. The rules on the processing of personal data in the GDPR have largely remained the same as those of the previous Data Protection Directive and its national implementation; in addition, the General Data Protection Regulation has largely harmonised data protection law.

     This has made it much easier to move data within Europe (EU/EEA), which is a stated, though often overlooked, goal of the GDPR. The GDPR also applies to controllers outside the EU/EEA if they process data of individuals within the EU.

  7. Only major "data breaches" must be reported to the supervisory authority.

     This is not the case. Any personal data breach must be reported to the supervisory authority, where feasible within 72 hours of the controller becoming aware of it.

     According to Art. 4 No. 12 GDPR, a personal data breach is a breach of security which, whether accidental or unlawful, leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

     Notification may be dispensed with only where the breach is unlikely to result in a risk to the data subjects, and the controller must be able to demonstrate this in line with the accountability principle. Since cases with no risk at all are rare, notification under Art. 33 GDPR is typically unavoidable, even for minor incidents.

  8. The audit of the implementation of the GDPR, in particular of the security of processing under Art. 32 GDPR, only has to be carried out once, at the beginning.

     This is not the case. Under the GDPR, the technical and organisational measures (TOM) must not only be implemented once; a procedure must also be in place for regularly testing, assessing and evaluating the effectiveness of the TOM (Art. 32 para. 1 lit. d GDPR).

     Whether the TOM are currently appropriate is measured against the state of the art.

     The occurrence of data breaches in particular can mean that existing processes and technical implementations have to be re-examined.

  9. Consent must be given to a privacy policy.

     No. A widespread misconception in connection with consent concerns the privacy policy.

     With a data protection declaration – the term "data protection notice" is better – the controller fulfils its duty to inform the data subject, including employees, customers, users and business partners.

     As their name implies, these information obligations primarily serve to inform the data subject and set out the purposes of the processing, the recipients of the data, the storage period, etc. (Art. 12 ff. GDPR). Confirmation that the notice has been read, or consent to it, is not required and, for reasons of civil and contract law, should not be requested.

Further misconceptions about data protection – TLfDI press release (only available in German):
