Supervisory authority
The supervisory authority (in Austria: the Datenschutzbehörde) is the independent public authority that monitors and enforces the application of the GDPR. During an inspection it primarily checks the mandatory documentation (records of processing activities, risk analysis, data protection impact assessment); if this documentation is not produced or is incomplete, fines can be imposed. More information: GDPR Article 51
Processor
As soon as you pass personal data to another company that processes it on your behalf, that partner company is a processor within the meaning of the GDPR (Art. 4(8)). Such transfers happen more often than one might suspect at first glance: from the tax consultant who posts all invoices to the parcel service that delivers the ordered goods. Whether you are a sole proprietor or a corporation, many business processes can no longer be carried out without passing on data. Without a corresponding contract, however, the transfer is unlawful under the GDPR and can lead to an administrative fine. Without the appropriate know-how, such a contract cannot be drafted in a legally sound way. With easyGDPR, you can create order processing contracts (data processing agreements) for any service provider at the click of a mouse. More information: GDPR Article 28
Order processing contracts
The processing of personal data by service providers must be regulated by contract in accordance with the requirements of the General Data Protection Regulation (Art. 28(3)). These so-called order processing contracts (data processing agreements) require expertise to ensure a GDPR-compliant design. Our easyGDPR software lets you draft the contract for each service provider. Our years of experience and tested expertise mean that you can draft your contracts not only quickly but also in line with the requirements of the GDPR. If necessary (e.g. a change of service provider), you can adjust the contracts with a mouse click.
With easyGDPR you can protect yourself from the high fines. You can create your GDPR documentation quickly and easily with our generator. All points such as risk analysis, records of processing activities (processing directory), data protection impact assessment, etc. are covered. If necessary, you can use easyGDPR to update the documentation with little effort.
Data subject requests
The GDPR gives every natural person the right to know how their personal data is processed. A request exercising one of these rights is called a data subject request. The rights include the right of access to the stored data (Art. 15), the right to rectification (Art. 16), the right to erasure ("right to be forgotten", Art. 17), the rights to restriction of processing, data portability and objection (Art. 18 to 21), and the right to lodge a complaint with the supervisory authority (Art. 77).
These rights apply to every data subject whose data falls under the GDPR, regardless of nationality (Recital 14), and cannot be contracted away. A request may be refused only on the grounds the GDPR itself provides (e.g. manifestly unfounded or excessive requests, Art. 12(5)), but it must always be answered, as a rule within one month of receipt (Art. 12(3)).
Even for small companies, this administrative burden can be immense. With easyGDPR Enterprise, you get the opportunity to answer these requests automatically. This is how you reduce your administrative workload with our GDPR software.
For more information, see Chapter III of the GDPR.
Cloud
Cloud computing is a delivery model in which programs, infrastructure or platforms are provided over the Internet by a service provider instead of being operated on the company's own systems. The advantages are cost savings, because capacity can be rented as needed, and worldwide availability.
Data protection is a key aspect of the cloud, because the data is no longer under the company's own physical control but is handled by service providers. Corresponding order processing contracts (Art. 28) must therefore be concluded, and if the provider is located outside the EU/EEA the rules on third-country transfers apply. Furthermore, secure transmission (TLS) and encryption of stored data are essential to prevent the data from being intercepted or read by third parties. The GDPR requires state-of-the-art security for all collection and processing operations (Art. 32).
With our easyGDPR consulting, you benefit from our years of experience in computer security and our GDPR expertise. We support you in migrating to the cloud and bring this process in line with the European General Data Protection Regulation.
Compliance
Compliance is a term from the business world and describes adherence to legal requirements. When compliance is mentioned in connection with the GDPR, it refers to the implementation of the General Data Protection Regulation. All companies that process personal data are obliged to comply with the GDPR.
With easyGDPR you can implement this quickly and easily. The tool lets you produce the required documentation, such as the records of processing activities, risk analysis, etc., in short order. Furthermore, easyGDPR also offers consulting and training on the GDPR. With easyGDPR you have a strong GDPR partner.
Data Breach
A data breach, or personal data breach, is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that your company stores or processes (Art. 4(12)), for example data that is lost, stolen, or published on the Internet. If the breach is likely to result in a risk to the rights and freedoms of individuals, the controller (i.e. your company; in practice management is responsible) must notify the data protection authority (DPA) within 72 hours of becoming aware of the breach; a later notification must be accompanied by reasons for the delay. If your company is a processor, you must report the breach to the controller without undue delay.
If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects themselves must also be informed without undue delay, unless one of the exceptions applies, for instance because the data was encrypted and therefore unintelligible to the attacker, or because individual notification would involve a disproportionate effort (in which case a public communication is required instead). See Art. 33 GDPR and Art. 34 GDPR.
Data protection impact assessment
The data protection impact assessment (DPIA) is a documentation measure under the GDPR and, in Austria, replaces the previously mandatory notification to the Data Processing Register (DVR). The controller must carry it out on its own initiative, before processing starts, whenever the processing is likely to result in a high risk to the persons concerned (e.g. systematic and extensive profiling, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas). Failure to carry out or document a required DPIA can result in heavy fines (up to EUR 10 million or 2% of worldwide annual turnover under Art. 83(4); breaches of the basic principles and of data subject rights are subject to the higher tier of EUR 20 million or 4%).
With easyGDPR, you can not only create a data protection impact assessment including risk analysis, but also fulfil all other documentation requirements under the GDPR. If required, you can also take advantage of our data protection consulting service to benefit from the expertise of our certified GDPR expert as well as our years of experience.
Further information: Article 35 GDPR: Data protection impact assessment (Article 33, often cited here by mistake, deals with the notification of personal data breaches)
Privacy policy
In the privacy statement (privacy policy), a company informs the persons concerned about how it processes their personal data: who the controller is, for what purposes and on which legal basis the data is processed, who receives it, how long it is retained, and which rights the data subjects have. Under the GDPR this information must be provided to the data subjects at the time their data is collected, not only on request. Contrary to popular belief, this is not only mandatory if a website is operated, but applies to every company that processes personal data.
The information that must be included in the privacy statement is listed in Article 13 of the GDPR (and in Article 14 for data not obtained directly from the data subject). For more detailed information, please refer to our blog post Privacy Policy and Information Obligations.
With easyGDPR you can create a privacy policy. The system asks for all necessary information and generates a privacy policy from it. Not only can you publish it on your website or webshop, but it is also part of your GDPR documentation obligation.
Controller
The controller (German: Verantwortlicher) is the natural or legal person, authority or other body that decides on the purposes and means of the processing of personal data in a company or an association (Art. 4(7)). The controller is NOT the same as the data protection officer. Information on the obligations of the controller can be found in Chapter IV, Section 1 of the GDPR (Articles 24 to 31).
Data Protection Officer
The data protection officer (DPO) is a natural person appointed by an organisation (company, association, authority) to deal with data protection issues. This person can be part of the organisation or appointed externally (e.g. a lawyer or GDPR expert). In any case, the data protection officer must have expert knowledge of data protection law and practice (Art. 37(5)). Whether an appointment is mandatory depends on the organisation's activities (Art. 37(1)) and on national law. For more information, please click on the following link: When is a data protection officer required in Austria? or When is a data protection officer required in Germany?
The tasks of the data protection officer are defined in Article 39.
Third countries
When the GDPR refers to third countries, it means all countries that are not members of the European Union or the European Economic Area (EEA). If personal data is transferred from the EU/EEA to a third country, a valid transfer mechanism is required: an adequacy decision of the European Commission for that country, or appropriate safeguards such as standard contractual clauses, binding corporate rules or an approved certification (Art. 45 and 46). This rule also applies to the United States. For this purpose, the European Commission adopted an adequacy decision for the EU-US Privacy Shield in 2016 (see the entry EU-US Privacy Shield below for its current status).
The general principles of Article 44 apply to every transfer.
easyGDPR
easyGDPR is a software that is accessible via the Internet and helps you meet the requirements of the GDPR. Through structured queries, step by step, you first obtain an assessment of the data protection situation in your company. Based on this, easyGDPR shows you the necessary measures to meet the requirements of the GDPR. The mandatory documentation, such as processing directory, risk analysis, data protection impact assessment, etc. can also be created quickly and efficiently with easyGDPR. If your business processes change, you can update the documentation with a few mouse clicks and thus meet the requirements of the GDPR at any time.
easyGDPR is available in Lite, Standard and Enterprise versions. We also offer DSGVO consulting services.
Recitals
The GDPR recitals are part of the regulation and describe the objectives and intentions of the European Parliament and the Council when drafting it. They help in the interpretation of the legal text and resolve ambiguities, although they are not themselves binding provisions. In total there are 173 recitals, which have significantly shaped the GDPR.
The enormous scope of the regulation makes it clear that without expertise the GDPR cannot be implemented correctly. You can therefore leave the implementation of the GDPR to an external expert, or choose the more cost-effective option, namely easyGDPR.
easyGDPR is a software that enables you to implement the GDPR without any prior technical knowledge. Our years of experience and expertise on the GDPR have gone into the development of easyGDPR. Through targeted, step-by-step querying of the necessary information, easyGDPR provides you with everything you need to implement the GDPR. The necessary documentation is created automatically according to your specifications and can be updated at any time. This way you comply with the General Data Protection Regulation not only now but also in the future. All with just one tool: easyGDPR.
EU-US PrivacyShield
Under the GDPR, personal data may be transferred to a third country only if that country ensures an essentially equivalent level of data protection to the European Union or appropriate safeguards are in place. This ensures that the General Data Protection Regulation is not undermined by processing taking place in third countries. The Privacy Shield was a framework agreed between the European Union and the United States of America, intended to ensure that data protection at certified U.S. companies was comparable to that in the EU.
U.S. companies had to self-certify under the Privacy Shield; once they were certified, data transfers to them were permitted on that basis. Transfers to U.S. companies without Privacy Shield certification required another transfer mechanism, such as standard contractual clauses (Art. 46). Note: the Court of Justice of the European Union declared the Privacy Shield adequacy decision invalid on 16 July 2020 (case C-311/18, "Schrems II"). Since 10 July 2023 its successor, the EU-US Data Privacy Framework, provides an adequacy basis for transfers to U.S. companies certified under that framework; transfers to other U.S. companies continue to require standard contractual clauses together with a transfer impact assessment.
If you have any questions about data transfer, you can take advantage of our easyGDPR consulting service. Our certified data protection expert will support you with any questions you may have. For more information on the Privacy Shield, see also our article EU-US Privacy Shield
Privacy by design/Data protection through technology design
The German legal text of the GDPR speaks of data protection through technology design (Datenschutz durch Technikgestaltung); in English the term "data protection by design" is used. It describes a fundamental requirement of the General Data Protection Regulation: when a new technology is developed (e.g. a computer program, a website, etc.), data protection must be built in from the start of development, not bolted on afterwards. A classic example is a web store: it must be possible to order as a guest; forcing the customer to create an account (i.e. permanent storage of their data) in the course of ordering runs counter to data-protection-friendly technology design.
Data protection must also be ensured by technical measures. Appropriate cybersecurity measures (access control, encryption, logging, patching) must ensure that attackers cannot gain access to sensitive data.
Although the GDPR talks about technology design, the principle applies to all business processes. For example, printed payroll data must be kept in a lockable filing cabinet.
For more information on privacy by design, see Article 25 GDPR: Data protection by design and by default
Privacy by default/privacy-friendly default settings
The second principle of Article 25 is data-protection-friendly default settings, known in English as "data protection by default". It requires that, by default, only the personal data necessary for the specific purpose is collected and processed. Requesting the place of birth as a mandatory field for ordering in a web store would therefore be inadmissible, since this information is not required for order processing.
This principle also matters if you offer a newsletter. The "subscribe to the newsletter" box must NOT be pre-ticked on order or registration forms. The user must actively select the newsletter; a pre-ticked box does not constitute valid consent (Recital 32), and the processing would be unlawful.
For more information on privacy by default, see Article 25 GDPR: Data protection by design and by default.
State of the art
The GDPR requires data processing and data security measures to be implemented taking into account the state of the art. In this way the legislator ensures that companies must constantly keep their processing procedures and protective measures up to date: what was adequate a few years ago (e.g. unencrypted laptops, obsolete TLS versions, unpatched software) may no longer be. Ongoing review is therefore necessary to ensure that all processes remain legally compliant. With easyGDPR, you know what measures to take so that your data processing remains state of the art. As a certified Sophos partner, we also offer solutions in the area of IT security. You can see how important it is to stay at the cutting edge of technology in our article on the Panama Papers.
The "state of the art" requirement is set out in GDPR Article 32(1) (and, for technology design, in Article 25(1)).
Ransomware
Ransomware is malware that encrypts files or entire disks so that the victims no longer have access to their data. For companies in particular this is a disaster. Without a usable backup, many are forced to give in to the extortion and pay the demanded amount, although there is no guarantee that the files will actually be decrypted. It is therefore essential to back up all files regularly and at short intervals so that they can be restored. Because modern ransomware also searches for and encrypts reachable backups, at least one copy must be kept offline or otherwise out of reach of the compromised systems, and the restore procedure must be tested regularly. Note that an attacker who could encrypt the data usually could also read it, so a ransomware incident is generally a personal data breach that has to be assessed under Art. 33 and 34.
Right to be forgotten
The right to be forgotten (right to erasure) is one of the rights that the GDPR grants every data subject. Personal data must be erased without undue delay on request where one of the grounds in Art. 17(1) applies, for example because the data is no longer necessary for the purpose for which it was collected, because the data subject withdraws consent, or because the data was processed unlawfully. A company may refuse the request only in the cases listed in Art. 17(3), for example if erasure would violate a statutory retention obligation (such as the retention periods for accounting records).
With easyGDPR you get the possibility to answer these erasure requests automatically, so you actively reduce your GDPR administration effort with our tool easyGDPR.
The right to be forgotten is described in Article 17 GDPR.
Recitals
"Recitals" is the English term for the German "Erwägungsgründe". They describe the basic considerations behind the GDPR and help to better understand and implement its provisions. You can find the recitals on our website: German version, English version
Risk analysis
The risk analysis is part of the data protection impact assessment and, under certain criteria, a GDPR obligation in its own right. It documents the risks that the processing poses to the data subjects whose personal data is or has been collected, and the measures taken to address them. In Austria this measure replaces the prior notification to the Data Processing Register (DVR).
With easyGDPR you can perform a complete risk analysis. If you are unsure whether a risk analysis is necessary, you can take advantage of our easyGDPR consultation. Our certified data protection expert will be happy to explain the need for a risk analysis.
Safe Harbor Agreement
The Safe Harbor agreement is the predecessor of the EU-US Privacy Shield. It was declared invalid by the Court of Justice of the European Union (CJEU) on 6 October 2015 (case C-362/14, "Schrems I") because it did not guarantee an adequate level of protection for data transferred to the United States.
SSL/TLS
SSL stands for Secure Sockets Layer, an obsolete encryption protocol that has been replaced by TLS (Transport Layer Security). Nowadays, when SSL is mentioned, TLS is usually meant. SSL 2.0 and 3.0 and also TLS 1.0 and 1.1 are formally deprecated (RFC 6176, RFC 7568, RFC 8996); only TLS 1.2 and 1.3 can still be regarded as state of the art.
TLS provides eavesdropping-resistant, authenticated communication between two applications over the Internet. Transmitting personal data without TLS is no longer state of the art. When you visit a website, you can tell that the connection is TLS-encrypted by the lock icon in the browser's address bar (note that the lock only says the transport is encrypted, not that the site itself handles your data lawfully). Programs, websites and webshops that transmit personal data without TLS encryption do not meet the security requirements of Art. 32 GDPR.
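The following is an added example, not code from the original page or from easyGDPR: a hardened TLS client policy in Python's standard library that refuses SSL and the deprecated TLS 1.0/1.1 versions, together with a probe that reports which protocol and cipher a live server actually negotiated. The hostname in the usage line and the list of acceptable versions are assumptions for the example.

```python
"""Added example (not from the original page): a TLS client policy that
refuses SSL and the deprecated TLS 1.0/1.1 versions, plus a probe that
reports what a live server negotiated. Hostname is an assumption."""
import socket
import ssl

# Versions still acceptable as "state of the art": SSLv2/v3 (RFC 6176,
# RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated and excluded.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: TLS 1.2+ only, certificate and hostname verified."""
    ctx = ssl.create_default_context()             # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.check_hostname = True                      # name in cert must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED            # no unverified connections
    return ctx


def version_is_acceptable(version: str) -> bool:
    """True for the protocol versions a state-of-the-art review can accept.
    `version` is the string returned by SSLSocket.version(), e.g. 'TLSv1.3'."""
    return version in ACCEPTABLE_VERSIONS


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port with the hardened context and report the result.
    Needs network access, so it is not exercised by the offline checks."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, key_bits = tls.cipher()
            version = tls.version()
            return {
                "host": host,
                "version": version,
                "cipher": cipher_name,
                "key_bits": key_bits,
                "acceptable": version_is_acceptable(version),
            }


if __name__ == "__main__":
    # Assumed hostname; replace it with your own webshop or API endpoint.
    # A server that only offers TLS 1.0/1.1 fails the handshake here
    # instead of silently downgrading.
    print(probe_tls("example.com"))
```

A server that still accepts TLS 1.0 for old clients does not show up in this probe, because the client only ever offers 1.2 and 1.3; to audit the server side, run the probe with `ctx.maximum_version = ssl.TLSVersion.TLSv1_1` and treat a successful handshake as a finding.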
Processing directory
The processing directory (records of processing activities) is one of the most important requirements of the GDPR. In it you document every process in which personal data is processed. If your company is inspected by the data protection authority, these records must be made available on request; they must be kept in writing, which includes electronic form (Art. 30(3) and (4)). The processing directory is not merely a list of data collection processes: it also records the purposes of the processing, the legal basis, the categories of data subjects and data, the recipients, the envisaged retention periods, and a general description of the security measures, including who has access to the data.
Such a processing directory can be a major effort even in small companies. The exemption for organisations with fewer than 250 employees (Art. 30(5)) applies only if the processing is occasional, is not likely to result in a risk to data subjects, and does not include special categories of data. In practice even small businesses such as craftsmen, nurseries or moving companies regularly process personal data in the course of payroll, customer invoicing, job applications, etc., and therefore need the records.
With easyGDPR, you can create a GDPR processing directory without any prior knowledge. Thanks to templates for various business processes such as payroll, employee time recording, contact forms on websites, e-mail traffic, etc., it is ensured that no data collection procedure is forgotten. Furthermore, easyGDPR has templates for various industries (e.g. driving schools) to create the processing directory even faster.
With easyGDPR, you implement the GDPR without prior knowledge.
More information on the processing directory can be found in Article 30.
Encryption
Encryption ensures that sensitive data cannot be read by unauthorised persons even if they obtain the storage medium. Art. 32(1)(a) GDPR names encryption explicitly as an appropriate security measure. If a data carrier (hard disk, USB stick, laptop, etc.) contains personal data, it should therefore be encrypted; leaving portable media unencrypted is rarely defensible as state of the art, and a lost encrypted device (with the key kept separately) may not even have to be reported to the data subjects under Art. 34(3)(a). Backup media (backups) must also be encrypted, and the keys or passphrases must be stored separately from the backups and from the systems they protect. The easyGDPR team will be happy to assist you in implementing this measure of the General Data Protection Regulation.
Please also note that password protection (access control) is not the same as encryption: a password check only gates a program's access to the data, while the bytes on the carrier remain readable by anyone who bypasses that program. Only encryption with a properly managed key makes the stored data itself unusable to an attacker.
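To make the difference between password protection and encryption concrete, here is an added example, not code from the original page or from easyGDPR. It builds a "password-protected" store the way many home-grown tools do (a password verifier stored next to the plaintext) and contrasts it with an authenticated-encryption backup: AES-256-GCM under a key derived from the passphrase with scrypt. It assumes the third-party `cryptography` package is installed (`pip install cryptography`); the sample payroll record and the passphrases are constructed for the example.

```python
"""Added example (not from the original page): why password protection is
not encryption. Assumes the third-party 'cryptography' package. Sample
data and passphrases are constructed."""
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample record, e.g. one line of an exported payroll file.
SAMPLE_RECORD = b"employee=Maria Muster;iban=AT61 1904 3002 3457 3201;salary=3450"

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # 16 MiB per derivation
GATED_MAGIC = b"GATED\0"
ENC_MAGIC = b"ENC1\0\0"


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    """scrypt turns a passphrase into a 32-byte key; the salt makes it unique."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def gated_store(data: bytes, password: str) -> bytes:
    """Anti-pattern: 'password protection'. Stores a password verifier next to
    the plaintext. Any program that opens the carrier reads the data directly."""
    salt = os.urandom(16)
    verifier = _derive_key(password, salt)
    return GATED_MAGIC + salt + verifier + data


def gated_open(blob: bytes, password: str) -> bytes:
    """The 'protection' lives only in this check; the data after it is in the clear."""
    assert blob.startswith(GATED_MAGIC), "not a gated blob"
    salt, verifier, data = blob[6:22], blob[22:54], blob[54:]
    if not hmac.compare_digest(_derive_key(password, salt), verifier):
        raise PermissionError("wrong password")
    return data


def encrypt_backup(data: bytes, passphrase: str) -> bytes:
    """Real encryption: AES-256-GCM under a passphrase-derived key.
    Layout: magic | 16-byte salt | 12-byte nonce | ciphertext+16-byte tag."""
    salt = os.urandom(16)
    nonce = os.urandom(12)                      # must never repeat for one key
    key = _derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, data, ENC_MAGIC)  # header is authenticated too
    return ENC_MAGIC + salt + nonce + ciphertext


def decrypt_backup(blob: bytes, passphrase: str) -> bytes:
    """Decrypts and verifies; a wrong passphrase or a tampered blob raises ValueError."""
    if not blob.startswith(ENC_MAGIC):
        raise ValueError("not an encrypted backup")
    salt, nonce, ciphertext = blob[6:22], blob[22:34], blob[34:]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, ENC_MAGIC)
    except InvalidTag:
        raise ValueError("wrong passphrase or corrupted backup") from None


def plaintext_is_exposed(blob: bytes, needle: bytes) -> bool:
    """What a thief with the raw carrier sees: does the plaintext appear in the bytes?"""
    return needle in blob


if __name__ == "__main__":
    gated = gated_store(SAMPLE_RECORD, "hunter2")
    enc = encrypt_backup(SAMPLE_RECORD, "correct horse battery staple")
    print("gated store leaks IBAN:", plaintext_is_exposed(gated, b"iban="))   # True
    print("encrypted backup leaks IBAN:", plaintext_is_exposed(enc, b"iban="))  # False
    print("restore:", decrypt_backup(enc, "correct horse battery staple") == SAMPLE_RECORD)
```

The gated store is what a password-protected ZIP without encryption, a locked spreadsheet, or a database with a login screen on an unencrypted disk amounts to: pull the medium out and the records are there. For whole-disk protection in practice you would not write this yourself but turn on BitLocker, FileVault or LUKS; the example shows what those tools provide that a password prompt alone does not.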