The Saxon Data Protection Commissioner has published his activity report for the years 2017 and 2018. Among other things, it states the following:
- Property managers are not processors acting on behalf of the homeowners, but independent controllers.
- Using a dashcam is in any case not covered by a legitimate interest if the traffic situation is recorded permanently and without a specific reason.
- Taking photos at public events can be in the legitimate interest of the organizer, insofar as the photos have a connection to the event, especially since participants in a public event will expect that photographs are taken.
“However, this can no longer be assumed if the persons to be photographed obviously refuse to be photographed, photos are taken covertly or secretly, photos may discredit the persons photographed, or the privacy of the persons photographed is affected.”
When children are present, the balancing of interests must be carried out with particular care.
- If photos are published on the Internet, then under Section 23 of the German Art Copyright Act (KUG), publication without consent
“in particular, [is] permissible when the persons in the images appear only as incidental features next to a landscape or other locality.”
Here, too, the controller may be able to invoke a legitimate interest, but the event participants must be made aware of the planned publication on the Internet.
- Photos of people wearing glasses, for example, are not in principle special categories of personal data:
“Using a photograph that shows a large number of people, including, for example, people wearing glasses, at a public event does not convey health information about those people but rather documents the event. If, on the other hand, a photo is published with an accompanying text that refers to a specific handicap of the persons photographed, and if the photo serves, for example, to indicate possible therapies, there may be a processing of health data.”
- The report also addresses data protection in sports competitions.
- For providing the information required under Art. 13 GDPR (privacy notice), the following applies:
“The “communication” of the information does not require an active approach to the data subject, but is to be understood, in line with the English version “provide”, as a “making available”. This can be done “by appropriate measures” of the controller (Article 12(1) GDPR), which can complement each other (notice, info sheet, statement on website, text part in the contract, oral notice, …). What is crucial is that the information can be reasonably obtained by the data subject.”
In the pre-contractual relationship, it can be particularly difficult to provide all of the relevant information at first contact.
“To the extent that information is missing from this first collection step (e.g., the contact details of the data protection officer, Article 13(1)(b) GDPR, or the designation of the legal basis, Article 13(1)(c) GDPR), the supervisory authority considers that this may take place at a later collection or processing step (e.g. as a link in the signature of an e‑mail response). The decisive factor here is whether the circumstances of the first collection are ‘suitable’ (or not ‘suitable’) to make this information properly possible.”
- In the case of a comprehensive access request, the controller may ask the data subject whether the initial information is sufficient or, otherwise, to specify which information or processing operations the request relates to. A reasonable period of time should be allowed for the reply.
- If online providers offer the possibility to stay logged in (via a cookie) but pre-tick the corresponding “stay logged in” checkbox, they violate the obligation to implement data-protection-friendly default settings (Article 25(1) GDPR).
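As an added illustration of the default-settings point (this code is not from the report or from the original post), the following JavaScript shows a login handler that only issues a persistent "stay logged in" cookie when the user has actively ticked the box; an absent or unticked field yields a plain session cookie. The form field name `stayLoggedIn`, the cookie name `session`, the 30-day lifetime and the function names are assumptions made for the example.

```javascript
// Added example: privacy-by-default handling of a "stay logged in" option.
// Assumptions: form field "stayLoggedIn", cookie name "session", 30-day lifetime.
// A ticked HTML checkbox submits the value "on"; only that explicit value opts
// the user into a persistent cookie. Anything else, including a missing field,
// yields a session cookie that expires when the browser session ends.

const PERSISTENT_MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // 30 days (assumed policy)

// Builds the Set-Cookie header value for a freshly authenticated session.
// Returns both the header string and whether the cookie is persistent, so the
// decision can be logged or audited separately from the header itself.
function buildSessionCookie(formFields, sessionId) {
  const optedIn = formFields.stayLoggedIn === "on";
  const attributes = [
    `session=${encodeURIComponent(sessionId)}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ];
  if (optedIn) {
    // Only an explicit opt-in makes the cookie outlive the browser session.
    attributes.push(`Max-Age=${PERSISTENT_MAX_AGE_SECONDS}`);
  }
  return { persistent: optedIn, header: attributes.join("; ") };
}

// Server-side rendering of the checkbox: the box is never pre-ticked, so the
// data-protection-friendly setting applies unless the user acts.
function renderStayLoggedInCheckbox() {
  return '<label><input type="checkbox" name="stayLoggedIn"> Stay logged in</label>';
}

// Simple template check that flags the non-compliant variant (a pre-ticked
// "stay logged in" box), usable as a lint step in a review pipeline.
function checkboxIsPrechecked(html) {
  const inputTags = html.match(/<input\b[^>]*>/gi) || [];
  return inputTags.some(
    (tag) => /name="stayLoggedIn"/i.test(tag) && /\schecked(\s|>|=)/i.test(tag)
  );
}

// Usage: a login POST without the box ticked gets a session cookie.
console.log(buildSessionCookie({ username: "alice" }, "s3ss10n").header);
// Usage: the same POST with the box ticked gets a 30-day cookie.
console.log(buildSessionCookie({ username: "alice", stayLoggedIn: "on" }, "s3ss10n").header);
```

The design choice worth noting is that the persistent behaviour is gated on one exact submitted value rather than on "field present", so a malformed or tampered request cannot accidentally produce the less protective setting.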
- The report also addresses the balancing of interests when using online tools.
- Using WhatsApp in a business environment is “problematic”. Because WhatsApp accesses contact data by default, the principle of “privacy by design” is violated. However, the use of WhatsApp is permissible if WhatsApp cannot access customers’ contact data, if customers are informed in advance of the “data protection issues”, if they are provided with an alternative secure communication channel, and if WhatsApp cannot access data of customers who do not communicate via WhatsApp (e.g. because their contact data is not stored on the device).
- The authority received only a few inquiries about joint controllers.
- Maintenance and remote maintenance services remain, as a matter of principle, commissioned processing even after the entry into force of the GDPR, unless they are “purely a technical maintenance of the infrastructure of an IT by service providers”, e.g. “work on power supply, cooling, heating”, and personal data can only be taken note of “incidentally” in a purely support and repair activity.
- For translation services, a distinction must be made: the classification as commissioned processing “depends, on the one hand, on the content of the texts to be translated, i.e., the question of whether they (also or primarily) involve personal data. On the other hand, it must be taken into account what freedom the translator has in his activity, i.e. whether he must adhere strictly and word-for-word to the original – as in the case of the translation of official documents – or whether it is ultimately only a matter of a transfer in accordance with the meaning, in which the translator is granted corresponding leeway. Even if a private person exclusively submits documents or texts concerning him/herself for translation, one will not be able to assume a commissioned processing”.
- Payroll accounting by a tax consultant is not commissioned processing.
- For penetration testing (pentests) and for maintenance contracts, “the processing of personal data is not actually the core of the contract. Nevertheless, the client knows about the possibility of disclosure and orders quasi ‘with conditional intent’.” “Thus, I consider it in the interest and necessary to bind the client in the event of knowledge of personal data from the area of the client, as in the case of commissioned processing.”
- Among reported data security breaches, the misplacement of documents predominates.
- For the designation of a data protection officer, the Saxon Data Protection Commissioner accepts the designation of legal entities. Moreover, the data protection officer's name does not have to be stated in the privacy notice; a telephone number or a generic e‑mail address is sufficient. Stating a name is, however, permissible.