The new General Data Protection Regulation enters into force in 2018. It will play a role in the online print industry – in fact an important one. Is it going to make life arduous for some online print providers? Probably.
Several aspects of the upcoming General Data Protection Regulation need to be borne in mind – companies’ duty of compliance, the requirement to be proactive – and there will also be changes to contract terms. Some online print providers will have to overhaul the way they handle customer data. I have requested Dr. Martin Schirmbacher, the legal advisor to the Initiative Online Print and an attorney specializing in IT law at HÄRTING Rechtsanwälte, to provide an overview of what action the General Data Protection Regulation requires online print providers to take. This much I can reveal in advance – the outcome is a very (!) informative document, even for those with no legal training. And if you read the document, you will be extensively clued up on what the General Data Protection Regulation will require online print providers to do from 2018 onwards and how they need to take the appropriate action to gear up for it.
General Data Protection Regulation – a new law from Brussels
The General Data Protection Regulation (GDPR) is the talk of the online town and it is putting all eCommerce businesses under pressure to take action. The GDPR is an EU regulation that will apply in all member states of the European Union from May 25, 2018 onwards. In contrast to an EU directive, the Regulation does not require separate implementation – it is already in force, does not require an additional transition period and will affect all companies that process personal data within the European Union.
The Regulation also affects all online print providers. There are no sales or headcount thresholds beneath which the new rules do not apply. The GDPR basically applies equally to start-ups as well as to market leaders with branches in 20 countries.
Most companies that have already come into contact with the GDPR have heard of the horrendous fines that the Regulation envisages. While previously the maximum penalty for breaches of data protection rules was a fine of 300,000 Euros, fines of up to 20 million Euros can now be imposed. As far as large corporations are concerned, fines can amount to as much as 4 % of annual global sales. Even if the probability of smaller companies being hit by such fines is not necessarily increasing, the overall risk potential is nevertheless incomparably higher. The regulatory authorities seize virtually every opportunity to point out that the fines framework is meant to be used to the full. Even smaller companies that have so far regarded data protection as a marginal issue will now have to deal with this matter in detail.
Personal data – processing prohibited
As previously, data protection law applies exclusively to personal data. Such data must always relate to an individual person. Corporate entities are not protected. But this should not lead anybody to mistakenly conclude that B2B companies are not affected. Even those companies that only have business customers collect personal data, for instance from contact persons. Furthermore, many company names include the name of the owner(s), so there is a reference to private individuals.
One of the fundamental tenets of the (old and new) data protection law is the principle of prohibition – every instance of processing personal data is prohibited unless there is a justification for such action. There can be many justifiable reasons; the most important are: (1) a contractual basis, (2) the legitimate interests of the company and (3) the consent of the person involved.
(1) One justification for processing personal data is a contract with the customer. An online print provider may, for example, forward a customer’s address details to a logistics service provider to enable the latter to deliver the goods that the customer has ordered. This justification only ever extends as far as what is necessary for the purposes of contractual performance. A credit rating check, for example, is not covered by this.
(2) Data processing can comply with the terms of the GDPR if it serves the legitimate interests of the company storing the data. However, that alone does not make processing permissible, as some legitimate interest can almost always be found. In fact, the processing of personal data must serve a specific purpose, and the interests of the person affected must not outweigh those of the company. What is required is a trade-off between the company’s interest in processing the data and the affected individual’s interest in having as little data collected and processed as possible. What’s important here are the reasonable expectations of the person affected. If they typically anticipate having their data processed, then in case of doubt their data can be utilized. If what the company plans to do with the data tends not to be common practice, then it must refrain from processing the data. Ultimately this is a case-by-case issue, with uncertain outcomes.
(3) If permission cannot be derived from the law itself, consent from the individual affected may help where appropriate. Almost any data processing procedure can be justified by voluntary consent. But this only applies if the consent was given in a valid form, and the GDPR specifies more stringent requirements for the provision of consent compared to currently valid law. The voluntary nature of consent can, for example, be questioned if that consent is linked to concluding a contract. Under certain circumstances the new law prohibits linking consent with concluding a contract – details are as yet unclear. Furthermore, separate consent must be obtained for different processing steps – but the law doesn’t state how different processing steps must be before companies need to obtain separate consent. Consent that has already been provided remains valid if it basically complies with the requirements of the GDPR.
Compliance – must-haves
The essential change in the GDPR lies in the reversal of the burden of proof. While it was previously acceptable for mid-sized companies simply to do nothing wrong as far as data protection is concerned, the General Data Protection Regulation now imposes extensive obligations on companies, which they must proactively fulfil if they are to avoid fines. The most important points in a whole series of compliance specifications are detailed below:
(1) Directory of procedures – a long list of all data processing procedures
Basically every company must maintain a directory of all its data processing activities. Although the GDPR envisages an exemption from this obligation for companies with fewer than 250 employees, the same Regulation includes several counter-exceptions that mean smaller companies have to maintain directories of procedures too. That threshold is irrelevant, for instance, if the processing of personal data is not just an occasional occurrence. That is likely to be the case with the vast majority of online businesses, so maintaining such a directory is urgently recommended. The directory can also be maintained in electronic format, for instance as an Excel spreadsheet.
The directory must list all data processing procedures and in particular the purpose of such processing; deletion deadlines must also be stated. Not every individual data processing step needs to be recorded; this is meant to be a general overview of data processing activities. The object of the regulation is, on the one hand, to generate an awareness of the processing of personal data within companies and, on the other hand, to provide regulatory authorities with a simple overview of data processing procedures within companies. Accordingly, the directory must be capable of being submitted at any time on request by the relevant authorities. However, private individuals, for instance customers, do not have a right to inspect these directories.
(2) Rights of persons affected – objection, information, deletion and much more besides
The GDPR contains no fewer than twelve sections that deal with the rights of persons affected. What is not really new is the right of the customer to request information about how their personal data is stored. The right to have data deleted also exists. What is new, however, is a general right to object to having data processed. Of course the company cannot be prevented from storing data that is required for the performance of a contract or the pursuance of claims. Data that is processed solely for marketing purposes must, however, be deleted on request.
As is so often the case, the devil is in the detail. If a customer submits a request for information, this must be fulfilled without delay. In other words, a response must normally be provided within a few working days. The statutory maximum period, which only applies in exceptional cases, is one month. That means that every company must establish a process to handle requests for information. Companies need to address how to respond to such requests well before they are actually made.
(3) Data protection statement – comprehensive, transparent user information
Every company that has a website is already familiar with this – a data protection statement must provide information on how personal data is processed. The new law goes beyond that in two respects. On the one hand, there is a duty of information relating to all data processing procedures: anybody who also collects data offline, for instance in the course of a customer meeting, must provide information about how that data is processed. On the other hand, the scope of mandatory information has once again been widened. In accordance with the new law, information must be provided about a company’s data protection officer, for example. Furthermore, the legal basis for processing data must be stated in each case. If data is to be passed on to third parties (for instance to service providers), at least the categories of recipients of that data must be stated.
(4) Technical and organizational measures – risk-appropriate data security
The action that companies have to take to ensure the security of data processing also takes on a new character. The Regulation specifies that suitable technical and organizational measures must be adopted to guarantee a risk-appropriate level of security. Both the risk and the sensitivity of the data must be factored into determining the necessary level of security: the more serious the consequences of a loss of data would be for those affected, the more secure the IT systems must be. A risk assessment is therefore required.
The GDPR also provides for the quality of technical and organizational measures to be reviewed at regular intervals. A regular process that tests IT systems must be put in place.
(5) Obligation to report data breaches – rapid notification will become mandatory
The obligations to report data breaches have been extended significantly. While notification was previously only required in exceptional cases, the new law states that basically every breach of data privacy must now be reported to the authorities within 72 hours. The objective is to provide information quickly in order to be able to react in good time and keep any damage or loss to a minimum. The consequence of this obligation is ultimately that companies need to set up internal processes that take effect in the event of data leaks.
If there is a high risk of data loss, the persons affected must also be informed. Here too there are no long compliance periods – companies have an obligation to notify without delay.
(6) Appointment of a data protection officer – appointment obligation as of 10 employees
The GDPR provides for an obligation to appoint a data protection officer. However this should only apply if the company’s core activity is the performance of data processing procedures that necessitate an extensive, regular and systematic monitoring of persons affected or if health data is being processed.
But German law goes even further and provides – ultimately as hitherto – for the mandatory appointment of a data protection officer if more than 10 employees in the company are permanently occupied with the automated processing of personal data. Because that applies to nearly all companies employing more than 10 people, many German companies will also be required by the GDPR to appoint a data protection officer.
The GDPR as it affects online print providers – four practical examples
The following four examples briefly explain what actual impact the GDPR will have on the work that eCommerce businesses do.
(1) Customer data – everything has a personal reference
All customer data that is stored is personal data. The fact that a customer created a photobook but didn’t order it is just as personal as their payment deadline, the payment method they use or the question of whether the customer has subscribed to a newsletter.
Every single item of data must be checked to see whether there is a justification for storing it and for how long that justification applies. Thus, for example, there is no reason to store an intention to buy a particular product for a period of years. Depending on the investment involved, this information must be deleted just a few weeks later. On the other hand, purchase histories may be stored for longer periods, in case of doubt until the relevant statute of limitations expires. A deletion deadline must therefore be ascertained for each item of data. As a general rule, credit card data may only be stored if the customer provides additional consent.
(2) Personal data in print products – use for printing purposes only
Many print products, especially B2C ones, are customized. Be it posters, photobooks or invitation cards, these products feature photos of people and sometimes even their names. In such cases personal data is also processed, because the customer at any rate knows who the people in the photos are. The online print provider may only process this data for the purpose provided for in the contract – namely producing a print product on behalf of the customer. Any other processing or use for other purposes (for instance facial recognition across several orders) is not permitted.
(3) Newsletter promotion – consent to personalization?
Nearly every eCommerce business sends e-mail newsletters to customers and other subscribers more or less regularly. The German Unfair Competition Act states that this requires the explicit consent of the recipient. The GDPR does not change that requirement. However data protection law specifications must be complied with.
If the newsletter is to be personalized or designed based on knowledge about the recipient (e.g. ordering behavior or open rates), this constitutes data processing that in turn needs to be justified. Depending on which data is actually used to personalize the newsletter, this can possibly be justified by the legitimate interests of the online print provider. The GDPR explicitly states that direct marketing is a legitimate interest, and that must then also apply to targeted direct marketing. What matters are the reasonable expectations of the recipient. The more data that is used and the more unexpected its usage, the less that utilization of the data can be justified on the basis of legitimate interests. In case of doubt, consent is required. In any case the recipient must be given the opportunity to terminate this personalization, and the recipient must be advised in advance of their right of objection.
(4) Payroll accounting – the GDPR affects all sections of a company
As a rule, payroll accounting in Germany is outsourced to a tax accountancy firm or other specialist or performed using appropriate software. In both cases the company remains responsible for data processing. In particular, this means that a contract data processing agreement that complies with the specifications of the Regulation needs to be concluded with the service provider. A service or software provider should be requested to verify GDPR compliance.
The new data protection law is not only relevant in relation to customers but also affects every section of a company in which the data of private individuals is processed.
The GDPR is on its way, so you had better start implementing it soon
The General Data Protection Regulation is set to bring changes and will also substantially increase online print providers’ workloads and costs. That may well be regarded as irritating. Dealing with data protection should in future be just as much of a matter of course as occupational health & safety or taxation law. This applies both in terms of customers’ corresponding expectations and of course in terms of the potentially horrendous fines that companies might be threatened with.
The GDPR applies to all eCommerce businesses. Those companies that have not previously concerned themselves with data protection should get started now. The rules are to some extent complicated, but a little preparation will nevertheless enable you to get a handle on the GDPR. Burying your head in the sand is at any rate not an option.