Data Protection Law

• DSGVO (GDPR)

• Bundesdatenschutzgesetz

• TTDSG (cookies)

• UWG (email marketing)

• Data protection supervisory authorities under GDPR

• Alle persönlichen Daten und Informationen, die zu einem Identifier gelinkt sind

• Bsp für Identifier: ID Number, location, IP address, Cookie ID

• Spezieller Schutz sensitver Daten (zB Gesundheitsdaten)

• muss gesetzeskonform verarbeitet werden

• dafür muss eine Legal Basis bestehen

• man darf personal data nicht ohne legal basis benutzen

1. A contract

2. Legimate interest

3. Law

4. Constent

1 von 4 muss applyen

if there is a contract & theres a good reason -> you dont need consent

• data processing is required to initiate or manage a contract

• A contract has relevant data related to the respective customer

Bsp: online merchant must process personal data in order to distribute goods, inclucing email address, bank account details, account details and enquiries

• Data processing is necessary to protext the legitimate interests of the controller

• A legitimate interest of the controller could be overwritten by the interest of the data subject

Bsp: video surveillance (their interest: we don´t want customers to steal stuff, other interest: normal customer doesnt want to be filmed -> abwägen, was schwerer wiegt inkl. wie lange wird der Film gespeichert, wer hat Zugang)

there could be law that tells you “you must collect that data” e.g. Covid als man im Restaurant seine Daten lassen musste

ansonten wurde das in der VL geskippt weil es so viele verschiedene gibt

• the data subject has opted-in for the processing of the data (not opted out)

• Consent is only necessary if no other legal basis can be determined of if its required by law

bsp für required by law: email-advertising, sensitive data, website cookies

only if 1-3 is missing this comes up

• voluntary

• informed

• explicit consent

• for the specific case

• Traceability

• Revocability

muss freiwillig sein

darf nicht erzwungen sein wie “du kannst es nicht usen ohne consent”

es kann kein vorausgefülltes Kästchen sein oder so, sondern man muss explizit irgendwo draufklicken

ist der biggest disadvantage von Constent

(können ihren Consent schon zurückgezogen haben)

• The processir is bound by Data Processing Agreement (DPA)

• Processor is under strict instruction from the controller

• The controller mainstains responsibility of the data

• Data transfer outside EU require appropriate safe guards

• Newsletters

• Invitations to events Satisfaction survery

• Birthday cards

• Any other “indirect sales promotion”

• Voluntary: no preselected ticking box

• informed: reference to privacy policy

• traceability: Store-IP-adress in double opt in

• explicit consent: Send button or ticking box

• for the specific case: Description of marketing purposes

• Revocability: Opt-out-link

• is considered best practice but not required by law

• proof of ownership of an email address

• When a customer adds their details. they should receive a conformation email with verification link

• the confirmation email must not contain promotional material

1. The entrepreneur has obtained a customers email address in relation to a sale of goods and services

2. The entrepreneur uses the address for direct advertising of his or her own similar goods or services

3. The customer has not objected to this use, and

4. The customer is clearly and unequivocally advised when the address is collected and every time it is used, that he or she can object to such use at any time, without costs arising by virtue thereof, other than transmission costs in accordance with the basic rates

• Newsletters should only be sent with explicit consent of the recipients

• Double-opt-in is best practice and the only way of proving email ownership

• These rules also apply to other communication channels such as SMS, WhatsApp, social media messengers, push notifications, etc

• one exception

• TTDSG

• Notice required for websites and apps if non-functional cookies are used

• “Tracking-cookies” requires explicit consent (opt-in) before activation

  
  

Storing information in the end user's terminal device or accessing information already stored in the terminal equipment, shall be permitted only if the end user has consented on the basis of clear and comprehensive information

• Cookies

• Browserfingerprint

• Tracking Pixel

• Wenn es absolut notwendig ist für den Telemedien-Provider, um seine Telemedien zu providen

• Technisch notwendig

• Notwendig um Sicherheit zu gewährleisten

• Notwendig für die Webseiten performance

ökonimisch notwendig

• Cookies for registration

• shopping cart

• Language settings

• Voluntary: Website use without consent

• Informed: Privacy policy and imprint

• Traceability: Consent is captured via CMT

• Explicit consent: Opt-in and not Opt-out

• For the specific case: Individual services must be selectable

• Revocability: Opt-out function in privacy policy or website footer

Reject button on first layer

• Tracking Cookies require explicit consent from website users

• Exeption: Cookies are “Absolutely necessary” (eg Shopping cart, language settings, …)

• Consent and rejection of cookies must be on the first layer of a website

-> doesnt matter if B2B or B2C

->distinguish between customers who opted in for newsletter and the ones who haven´t

-> opted-in: send invatation in Newsletter-form

-> not opted in: you can´t send the newsletter