Company Managers and British Parent Companies of German Subsidiaries better take this issue very seriously, because the German version of the GDPR is much stricter than the GDPR rules as applied in the UK.
So if you are running a business in Germany, you should ensure that your German company is in full compliance. For instance in accounting and human resources. Because the German business mentality is to torture competitors with costly cease and desist letters (more here).
Germans are Data Protection Extremists
When it comes to data protection in a company, it is often overlooked that sensitive personal data is also processed in areas that do not immediately spring to mind, like accounting for instance. While other legal regulations in accounting prescribe processing or long-term storage, this is usually not the case in controlling.
With regard to the requirements of the EU Data Protection Regulation (GDPR), in particular with regard to all data processing in accounting and controlling should be checked and, if necessary, adjusted. An adaptation could be achieved, for example, by pseudonymization (removal of all directly identifiable features) or anonymization (removal of all personal data).
These are presented as examples in this article:
(1) Data protection for personal data
The data protection regulations apply when personal data is processed. This means (according to Art. 4 para. 1 GDPR) all information relating to an identified or identifiable natural person (…). In accounting, such data is regularly found in Accounts Payable and Accounts Receivable. If the accounting department also takes over the data management of the employees and carries out payroll accounting, “special categories of personal data” are even processed.
(2) Sensitive data due to processing or quantity
However, even if no data of employees is processed in accounting or controlling, personal data may still be available there, which can have an impact on those affected if they are viewed by unauthorized persons. This is obvious, for example, for notes on (negative) payment behavior (creditworthiness index).
Sometimes the context (the accompanying circumstances) of the processing is also sufficient, even if no financial or health data is stored for it. As very descriptive examples these would be e.g. the debtor evaluation of a specialist with the special field for cosmetic operations or in addition, the customer file of an erotic dispatch.
(3) Risks in practice
In accounting it is often the case that personal data is exported, e.g. for various evaluations from the hopefully well secured accounting programs. Often these “Excel files” are then sent by e-mail without further protection. Even if this alone often violates data protection regulations, it also increases the risk that third parties can view the data. In the case of e-mails, for example, an inadvertently wrong recipient is sufficient.
(4) Pseudonymization: identification via detours possible
Apart from a secure form of transmission, pseudonymisation offers a further advantage.
possibility of reducing the risk of data misuse for those affected. For this purpose, all personal data are essentially removed – with the exception of one value – that enable a person to be clearly identified. The remaining data may not directly identify the person concerned. Only by consulting another file or another document may the person be identifiable.
Pseudonymisation and anonymisation offer two suitable ways of reducing data protection risks. Particularly with regard to evaluations, it is worth checking to pseudonymize short-term evaluations, for which detailed checks may still be necessary, and then to summarize and further process this data anonymously after a specified time interval.
If you have any questions about GDPR, do not hesitate to contact German lawyer Stephan Hendel who specialises in data protection and IT law. Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.
Within the Cross-Channel-Lawyer network, Stephan is the expert for all legal matters surrounding IT, cyber law, data protection issues and compliance with German law.
For more on German business and corporate law see these posts:
- How to read a German Company Register Extract
- Company Forms in Germany: An Overview
- Pitfalls of German Contract Law and German Company Regulations (Part 1)
- Pitfalls of German Contract Law (Part 2)
- 3 Ways to Expand Your Business to Germany
- Establish a German Limited Company (GmbH): FAQ and Checklist
- What is a GmbH? The German Limited Liability Company explained
- What is a German “Mini GmbH” or “Unternehmergesellschaft”
- Checklist: Formation of a German Company. And then what?
- Buying a German Company: A quick Checklist
- When Starting a German Business: Don’t Forget the Trade Register Notification
- 10 Things to do when starting a German Business
- German Labour Law: Beware of Fictitious Self-Employment
- Brexit as a Business Opportunity for British SME’s
- German Business and Corporate Law Firm for British and US Clients