Data Protection and German Businesses: New GDPR 2018 will cause a Flood of Lawsuits

Company Managers and British Parent Companies of German Subsidiaries better take this issue very seriously, because the German version of the GDPR is much stricter than the GDPR rules as applied in the UK.

So if you are running a business in Germany, you should ensure that your German company is in full compliance. For instance in accounting and human resources. Because the German business mentality is to torture competitors with costly cease and desist letters (more here).

Germans are Data Protection Extremists

When it comes to data protection in a company, it is often overlooked that sensitive personal data is also processed in areas that do not immediately spring to mind, like accounting for instance. While other legal regulations in accounting prescribe processing or long-term storage, this is usually not the case in controlling.

With regard to the requirements of the EU Data Protection Regulation (GDPR), in particular with regard to all data processing in accounting and controlling should be checked and, if necessary, adjusted. An adaptation could be achieved, for example, by pseudonymization (removal of all directly identifiable features) or anonymization (removal of all personal data).

These are presented as examples in this article:

(1) Data protection for personal data

The data protection regulations apply when personal data is processed. This means (according to Art. 4 para. 1 GDPR) all information relating to an identified or identifiable natural person (…). In accounting, such data is regularly found in Accounts Payable and Accounts Receivable. If the accounting department also takes over the data management of the employees and carries out payroll accounting, “special categories of personal data” are even processed.

(2) Sensitive data due to processing or quantity

However, even if no data of employees is processed in accounting or controlling, personal data may still be available there, which can have an impact on those affected if they are viewed by unauthorized persons. This is obvious, for example, for notes on (negative) payment behavior (creditworthiness index).

Sometimes the context (the accompanying circumstances) of the processing is also sufficient, even if no financial or health data is stored for it. As very descriptive examples these would be e.g. the debtor evaluation of a specialist with the special field for cosmetic operations or in addition, the customer file of an erotic dispatch.

(3) Risks in practice

In accounting it is often the case that personal data is exported, e.g. for various evaluations from the hopefully well secured accounting programs. Often these “Excel files” are then sent by e-mail without further protection. Even if this alone often violates data protection regulations, it also increases the risk that third parties can view the data. In the case of e-mails, for example, an inadvertently wrong recipient is sufficient.

(4) Pseudonymization: identification via detours possible

Apart from a secure form of transmission, pseudonymisation offers a further advantage.

possibility of reducing the risk of data misuse for those affected. For this purpose, all personal data are essentially removed – with the exception of one value – that enable a person to be clearly identified. The remaining data may not directly identify the person concerned. Only by consulting another file or another document may the person be identifiable.

(5) Conclusion

Pseudonymisation and anonymisation offer two suitable ways of reducing data protection risks. Particularly with regard to evaluations, it is worth checking to pseudonymize short-term evaluations, for which detailed checks may still be necessary, and then to summarize and further process this data anonymously after a specified time interval.

If you have any questions about GDPR, do not hesitate to contact German lawyer Stephan Hendel who specialises in data protection and IT law. Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.

Within the Cross-Channel-Lawyer network, Stephan is the expert for all legal matters surrounding IT, cyber law, data protection issues and compliance with German law.

For more on German business and corporate law see these posts: