The GDPR and start-ups

February 13, 2019 | Data protection

Not only did the record-breaking summer last year make us sweat, but many companies are still not ready to meet the requirements of the GDPR several months after the deadline of May 25, 2018. 

However, failure to implement these requirements can result in hefty fines, which can seriously undermine the start of entrepreneurship, especially for startups. Although the GDPR is already hailed as a success story in expert circles, the mood among companies remains cautious. They are only slowly gaining control of the situation. Or rather, "control of the data"?

1. Background

99 articles and 173 recitals serve to protect data subjects. The GDPR is thus more comprehensive than Directive 95/46/EC, on which it is based. In addition, there are recommendations for action from the data protection authorities and the Article 29 Data Protection Working Party. Overall, this represents a not inconsiderable organizational and financial effort.

The GDPR serves to protect the fundamental rights of data subjects, namely the "right to informational self-determination."

The right to informational self-determination is considered the "fundamental right to data protection." It is not explicitly mentioned in the constitution, but it has a broad scope of protection and includes, among other things, data protection. This "new fundamental right" was developed from the general right of personality and dates back to the so-called census ruling of the Federal Constitutional Court (Federal Constitutional Court, judgment of the First Senate of December 15, 1983, 1 BvR 209/83 et al. - Census -, BVerfGE 65, 1).

2. Warnings yes, wave of warnings no

Although many companies were still in the midst of implementing the new regulations on May 25, 2018, uploading documents and updating privacy statements, many were already furtively checking their fax and email inboxes. They feared a new general wave of warnings.

Unfounded, as it turns out. While there have been warnings due to missing or inadequate privacy policies, warnings coupled with (!) claims for damages, and various requests for information and deletion, the big wave, such as in 2014, has yet to materialize.

Unfortunately, this doesn't mean that data protection can be taken lightly. This is demonstrated not least by the case of a company that had achieved absolutely nothing after May 25, 2018. The first letter from the supervisory authority in the form of a "request for information pursuant to Art. 58 (1) (a) GDPR" was not long in coming. It's a shame that, as a business owner, you now have to react, adapt, and improve within a short period of time. This not only ties up resources, but is also entirely avoidable.

3. Strengthening enforcement options

The central element of the GDPR is certainly the strengthening of enforcement measures by data protection authorities and courts. Data protection violations that are Fines of up to 41% of worldwide turnover of the previous fiscal year have achieved their intended purpose for many companies. Ignorance of the relevant legal provisions and the associated risks are unaffordable. The reputational damage that may accompany lengthy investigations and lawsuits is offset by data protection compliance, which certainly builds trust and credibility among customers.
 
Here too, it has been shown that prevention is definitely preferable to later repair of damage!
 
One practical approach is to raise awareness and implement legal frameworks specifically tailored to your company.

4. What should be considered?

Start-ups must also comply with the documentation requirements under Article 30 (5) GDPR. One might initially think that start-ups are exempt from the documentation requirement because they rarely have more than 250 employees. Far from it, because if data is processed regularly, documentation is required. Ultimately, data protection compliance will also convince investors.
This also applies, in a modified form, to start-ups in the contract processing sector.
 
Ultimately, startups are well advised to develop an emergency plan. This should include the procedure in the event of a data breach and an assessment of the consequences.

I offer you

  • Check of the website including recommendations for action
  • Optimized privacy policy
  • Contract for order processing
  • Processing register for controllers
  • Check of technical and organizational measures
  • Data protection concept
  • Data protection training

Please contact me for an individual offer.

About the author

Anne-Kathrin Renz

Anne-Kathrin Renz is a lawyer, data protection officer, and lecturer. She completed the theoretical part of her specialist lawyer training in intellectual property law and IT law. In her blog, she reports on current topics from the digital world of law.
