After a short digression on the Big Brother Awards in Bielefeld, Heise legal advisor Joerg Heidrich and c’t editor Holger Bleich open episode 61 of the c’t data protection podcast with a detailed discussion of what they have chosen as the “non-fine of the week”. The data protection world had been waiting to see how high the fine would be: it concerns the car rental company Buchbinder and a huge data leak that c’t uncovered in 2020.
The Bavarian State Office for Data Protection Supervision has now informed c’t that, contrary to all expectations, Buchbinder got away without any sanctions. The decisive circumstances were, in particular, “the accountability of the misconduct underlying the data protection violation and comprehensive and effective self-responsible remedial measures as well as the increased sensitivity of the company to sanctions due to the pandemic”.
Attorney Kathrin Schürmann podcasting in the office (in the background: the Federal Ministry of Economics in Berlin)
Heidrich highlights the potential significance of this decision for the sanctioning of other data leaks. Attorney Kathrin Schürmann also considers the authority’s justification to be less than plausible. Schürmann is a founding partner of the law firm Schürmann Rosenthal Dreyer and, as a data protection expert, advises companies on the introduction and development of new digital business models.
A mandatory document for the drawer
The episode focuses on the obligation to carry out a written data protection impact assessment (DPIA) in accordance with Article 35 GDPR. Using the example of a dating website, Schürmann and Heidrich explain when such a DPIA is mandatory and which points should be dealt with in it. The aim of the DPIA is a systematic description of the planned processing operations and the purposes of the processing. In particular, a company must assess risks to the rights and freedoms of the data subjects, i.e. carry out a risk analysis of all processing operations.
This is by no means trivial. Bleich suspects that the vast majority of German companies simply ignore the obligation. Heidrich and Schürmann take a similar view and point out that the threat of a fine always hangs over this like a sword of Damocles. A straightforward case can be described in a DPIA with the help of published guidelines, they say. But when it comes to complex processes, possibly involving international data transfers to processors, a company can hardly avoid experienced external DPIA advice.