Katharina Mitterer talks about the EU-DSGVO and secure WhatsApp alternatives for companies
With this interview we want to inform enterprises and public authorities about the challenges of the GDPR, what has to be taken into account when implementing the GDPR, and what requirements exist for GDPR-compliant IT tools and messaging apps.
Teamwire: Hello Mrs. Mitterer! Thank you for taking the time today to talk with us about the GDPR. Maybe you would like to introduce yourself to the readers at the beginning?
Katharina Mitterer: Sure. I am a partner at the law firm ZIRNGIBL and responsible for IT and data protection law. We offer our clients practice-oriented and individual solutions in all areas of business law. We see ourselves primarily as a consultant to medium-sized businesses – but DAX enterprises as well as startups are also among our clients.
Teamwire: The GDPR is a very important topic that affects all enterprises operating in Europe. What should everyone know about the GDPR?
Katharina Mitterer: In fact, the GDPR is currently one of the most important topics in our daily counseling practice, and we find that many of our clients are unsure about the measures they need to implement. The GDPR is a Regulation of the European Union aimed at achieving a uniform level of data protection in all member states of the EU with regard to the processing of personal data. The GDPR contains comprehensive rules on the processing of personal data for private companies and public authorities.
In the case of violations of the GDPR, the supervisory authorities can impose substantial fines of up to 4% of the worldwide annual turnover or € 20 million. The associated business risks are enormous. In addition, some fear that the GDPR could lead to a new wave of warnings. In this respect, all organizations are under high pressure to be in compliance with data protection. The GDPR came into force 2 years ago and will apply from 25 May 2018.
Teamwire: What are the essential rules of the GDPR?
Katharina Mitterer: The GDPR regulates the principles of the processing and exchange of personal data in the EU. The central element of data protection law is the prohibition with permission reservation. This means that the processing of personal data always requires an express legal permission or consent.
In addition, the GDPR contains a number of fundamental principles that the processing must follow. Particular mention should be made of the purpose limitation principle (personal data may be processed only for the purpose for which it was collected), as well as of data minimization and storage limitation (only personal data that is necessary for the achievement of the purpose may be processed).
In addition, companies where at least 10 employees are concerned with the processing of personal data are obliged to appoint a data protection officer.
Data subjects (in particular customers, employees and business partners) can also request information from enterprises at any time whether the respective company has stored personal data about the person and if so, information on the processing purposes, the recipients of the data, the duration of storage and the origin of the data. Customers may also request the correction, erasure or restriction of processing.
These regulations are not completely new and could already be found in the old German Federal Data Protection Act (BDSG). However, the obligation to maintain a list of procedures and to inform those concerned about the processing of their personal data has been significantly expanded. New, for example, is the obligation to carry out a data protection impact assessment.
The most significant change is likely to be that enterprises will need to be able to demonstrate compliance with data protection requirements to authorities and regulators. This requires comprehensive documentation of the entire data protection architecture and the data protection management concept. These are important requirements by the GDPR that must be implemented by companies. This does not only apply to your own organization and processes, but also to all products and services that an enterprise obtains or uses from third parties. As a result, the expense of implementing the GDPR is generally considerable.
Teamwire: Where can our readers find useful information about the GDPR?
Katharina Mitterer: The authorities and regulators regularly publish handouts, help and short papers on the GDPR on their websites. However, these often only partially help, as some of the announced statements of the authorities are still pending and often contain only general information.
Teamwire: What should enterprises pay attention to when implementing the GDPR?
Katharina Mitterer: First of all, enterprises should identify the main processing activities and personal data flows and create a directory of processing activities. Most businesses are surprised at how many places in an organization personal data is processed.
Following this ‘inventory’, companies should undertake an assessment of the required actions to comply with the GDPR. The concrete requirements of the implementation measures depend on the respective company. In general, the measures include in particular the following points:
– Preparation of directories of data processing activities,
– Clarification of responsibilities for data protection issues,
– Possibly the appointment of a data protection officer,
– Adaptation of consent forms,
– Creation of concepts for the deletion and archiving of personal data,
– Checking and, if necessary, adapting of existing IT security concepts,
– Introduction of new processes, for example to handle data protection requests and to detect and handle data leaks,
– Reviewing and adjusting contracts with service providers (in particular IT service providers, file destruction, etc.),
– Documentation of the implementation measures.
Teamwire: Many enterprises are late with the implementation of the GDPR. What would you recommend to such organizations?
Katharina Mitterer: Of course there is very little time left and companies have to quickly identify the topics that are particularly critical for them. Professional advice can help to quickly identify company-specific privacy issues and prioritize them.
As a rule, lawyers can actively support companies through experience, methodologies and templates, and showcase pragmatic solutions, which save time.
Teamwire: What are the GDPR requirements for IT tools that are used in the enterprise?
Katharina Mitterer: Most providers of IT tools used by enterprises act as processors. The GDPR requires companies to provide reasonable guarantees that processing will be carried out in accordance with their data protection requirements. Enterprises should therefore carefully choose which providers they entrust with the personal data of their customers.
Such order processing also requires the conclusion of a corresponding contract like a data processing agreement. Reputable providers already have model contracts that meet the legal minimum requirements. However, especially for companies that are not based in the EU, we realize that there is no awareness of the requirements of the GDPR, and therefore necessary contracts are not available from them.
It is also important that the data received by each provider is processed only for the purposes set out above. Using the data, for example to analyze the metadata in order to create user profiles, is absolutely taboo.
Teamwire: What must businesses pay attention to with respect to the GDPR if they outsource IT services?
Katharina Mitterer: The outsourcing of IT services is regularly a case of order data processing, so that a corresponding contract with the respective provider must be concluded. In addition, care should be taken to ensure that the respective provider complies with sufficient measures to protect personal data. In particular, suitable certifications such as ISO 27001 can help.
It also plays a big role where the respective provider maintains its data centers. If there is a choice here, a data center in the EU should ideally be chosen, ideally in the country of the enterprise’s headquarters. If such a choice does not exist and the data center is located outside the EU, further measures must be taken on a regular basis, such as an agreement with EU standard clauses for international data transfer.
Teamwire: As part of the shadow IT, businesses often use consumer products such as WhatsApp and Dropbox. To what extent can the GDPR cause problems for companies here?
Katharina Mitterer: Many software products and services that are used as part of the shadow IT in the company do not meet the requirements of the GDPR. Especially popular services such as WhatsApp and Dropbox do the data processing outside the EU in countries with a lower level of data protection. Another shortcoming is the transparency. There is little information as to how such services deal with personal data (e.g. the contact’s address book). In addition, such services often also do not provide an order data processing agreement. By using such services, enterprises are at risk of failing to comply with GDPR requirements.
Teamwire: The access of messaging apps like WhatsApp to the address book is a frequently discussed topic. Why is that so critical?
Katharina Mitterer: When using WhatsApp, the whole phone book is loaded onto WhatsApp servers. There the phone numbers are compared to show available contacts. This comparison of the stored information represents a processing in the sense of data protection law and therefore requires the consent of each contact, which, however, enterprises normally do not have. This approach has been frequently challenged by authorities and regulators in Europe and could even lead to a warning for the enterprise if it uses WhatsApp for communication. Furthermore, the use of WhatsApp for corporate communications would be a violation of the terms of WhatsApp, as they only allow private use.
Teamwire: For these reasons, many enterprises are currently looking for a secure alternative to WhatsApp to communicate in accordance with the GDPR. What distinguishes a GDPR-compliant messaging app from your point of view?
Katharina Mitterer: A GDPR-compliant messaging app is distinguished especially by the fact that it takes appropriate measures to protect the transmitted data. The minimum is an effective end-to-end encryption. As a consequence, an unnoticed outflow of trade and business secrets can also be prevented.
In addition, the messaging app should offer the enterprise the ability to remove individual users and chats without leaving a trace on mobile devices. This may be particularly important when losing a device or dismissing an employee.
For the reasons already mentioned, the messaging app should not be granted access to the address book of the respective device, on which the chat app is installed.
In order to be able to use the messaging app in accordance with the GDPR, it is also necessary to conclude a data processing agreement with the provider of the chat app. It might even be necessary to obtain the consent of the employees who use the messaging app.
Teamwire: What will happen after the implementation of the GDPR?
Katharina Mitterer: After the implementation is before the implementation! Meaning, even after the requirements of the GDPR have been integrated into the corporate organization for the first time, there will still be room for improvement in many places. The GDPR and the realized measures have yet to pass the practical test and it will be shown how courts and supervisory authorities deal with the new legal framework. We therefore always recommend our clients to keep an eye on the further development of data protection law in order to react in a timely manner.
With the ePrivacy Regulation, the next data protection law is already around the corner. Originally, it was supposed to come into effect with the expiry of the transitional period of the GDPR on 25.05.2018. However, since the legislative process has been delayed, this is not expected to happen before 2019. This regulation will – as far as we can already foresee it – bring numerous changes to online offers and make further adjustments necessary.
Teamwire: In conclusion, is there anything else you want to pass on to the readers?
Katharina Mitterer: If you have not completed the implementation of the GDPR, there is not necessarily cause for panic. If one believes the recent studies, a majority of the German enterprises will not be able to implement the requirements of the GDPR on 25.05.2018. However, in view of the significant risks, we strongly advise addressing the GDPR challenges as soon as possible. So stay tuned!
Teamwire: Thank you for the interview.
About Katharina Mitterer and the law firm ZIRNGIBL:
Lawyer Katharina Mitterer has been active in the legal fields of intellectual property, competition law and IT law since 2010. Katharina Mitterer’s expertise in particular comprises the support of IT projects – from the drafting of the contract to the rescission of the contract in case of faulty software. In this regard, Katharina Mitterer advises the public sector on the procurement of IT. As a member of the working group on digitalization and Industry 4.0, Katharina Mitterer has a consulting focus on issues relating to data protection and data security, cloud computing and big data. A further focus of Katharina Mitterer is the protection of IP rights and know-how as well as their defence.
ZIRNGIBL is a value-oriented business law firm and partnership – more than the sum of its legal entities, united by a common idea. As a law firm that has always grown out of its own resources, ZIRNGIBL aims to be permanently committed to its clients at the highest professional level, both nationally and internationally – loyally, committedly and independently, because ZIRNGIBL believes that this is how it can best support its clients. Its clients include well-known medium-sized companies, corporations and individuals. ZIRNGIBL is one of the 75 largest and most successful commercial law firms in Germany.