Privacy Policy:
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46 / EC from 1995 (hereinafter: Data Protection Directive). In contrast to the data protection directive, the GDPR applies directly throughout the European Union (Art. 288 (2) TFEU).

The principles of “prohibition with reservation of permission”, “data avoidance and data economy”, “purpose limitation” and “transparency” also characterize the General Data Protection Regulation. There are also detailed regulations for the transfer of data abroad due to its particular importance for the rights of individuals to their personal data. For the processing of personal data, Art. 6 GDPR standardizes a so-called prohibition with reservation of permission as a general principle.

The processing of data is therefore only permitted if consent has been given or if another exception standardized in this provision applies.

This is the case if
■■ the processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject;
■■ the processing is necessary to fulfill a legal obligation to which the controller is subject;
■■ the processing is necessary to protect the vital interests of the data subject or of another natural person;
■■ the processing is necessary in the public interest or for the performance of sovereign tasks; or
■■ the processing is necessary to safeguard the legitimate interests of the controller or a third party, and the interests or fundamental rights and freedoms of the data subject do not outweigh them. This justification does not apply to authorities.

The principle of data economy, already anchored in the Federal Data Protection Act (BDSG), can now be found again as one of the central principles of data protection in the General Data Protection Regulation. According to Art. 5 Para. 1 lit. c GDPR, the processing of personal data must be appropriate to the purpose and factually relevant, and limited to the extent necessary for the purpose of the data processing.

The General Data Protection Regulation provides for a narrow purpose limitation in Art. 5 (1) (b) GDPR.

Personal data may only be collected for specified, clear and legitimate purposes.

In addition, only those changes to the processing purpose that are compatible with the original purpose of the collection are permitted (Art. 5 Para. 1 lit. b and Art. 6 Para. 4 GDPR). The General Data Protection Regulation sets out criteria in Article 6 (4) that must be taken into account when assessing the compatibility of a change in purpose. This includes the connection between the purposes, the overall context in which the data was collected, the type of personal data, possible consequences of the purpose-changing processing for the person concerned or the existence of appropriate security measures such as pseudonymisation or encryption. The latter leads to careful privileging of the further processing of pseudonymized or encrypted data, which is important for data protection-compliant big data applications.

Data security:

The guarantee of data security has also been enshrined in law as a central principle of data protection (Art. 5 Para. 1 lit. f and Art. 32 GDPR).
Taking into account the state of the art, the implementation costs as well as the type, circumstances and purpose of the data processing, but also the different probability of occurrence and severity of the risk for personal rights and freedoms, the person responsible and the processor must implement suitable technical and organizational measures. The security level must be appropriate in relation to the risk.
According to this, pseudonymisation or encryption, as well as the ability to guarantee the confidentiality, integrity and availability and resilience of the systems, may be required (see No. 4).

Data subject right:

Art. 12 GDPR initially standardizes requirements for the transparency of information, communication and the modalities for exercising the rights of the data subject.
Art. 13 f. GDPR provide for an extensive catalog of proactive notifications, with a differentiation according to whether the data is collected from the data subject (Art. 13 GDPR) or not (Art. 14 GDPR). This concerns, among other things, the contact details of the controller, the processing purposes and the legal basis, if applicable the recipients or categories of recipients and the intention to transfer the data to a third country, but also the duration of storage or the criteria for determining this duration. The data subject must also be informed of his or her rights.

Art. 15 GDPR regulates the data subject's right of access. The data subject has the right to request confirmation as to whether personal data concerning them are being processed. If this is the case, they have a right to access this data as well as to information about, among other things, the processing purposes, the origin of the data, the recipients, the duration of storage and their rights.
The person concerned also has the right to request the correction and, with regard to the purpose, the completion of inaccurate personal data concerning them (Art. 16 GDPR).
In addition, according to Art. 17 GDPR (with certain exceptions), data subjects have the right to request the deletion of their data, for example if the data are no longer required for the purpose for which they were originally collected or processed, or the consent given has been revoked. There is an exception, for example, if the processing is necessary to exercise freedom of expression.

As a special form of the right to erasure, there is now also a "right to be forgotten" (Art. 17 Para. 2 GDPR) if the controller has made the data to be deleted public. In that case it must take reasonable steps to inform the bodies that process this data that the data subject has requested the deletion of all links to this data or of copies or replications of it. This regulation is of particular importance for the operation of Internet search engines.
In certain cases, the data subject can also request the restriction of processing (Art. 18 GDPR), for example if the controller no longer needs the data but the data subject needs them to assert, exercise or defend legal claims, or if the data subject has objected to the processing and it has not yet been determined whether the legitimate reasons of the controller outweigh those of the data subject.

The concept of the restriction of processing essentially corresponds to blocking in the sense of §§ 20 Abs. 3, 35 Abs. 3 BDSG.

In principle, the controller must communicate any correction, deletion or restriction of processing to all recipients of the data (Art. 19 GDPR). Unlike the right to be forgotten, this obligation is linked to previous transmissions to specific recipients.
The right to data portability is also new (Art. 20 GDPR). Its introduction strengthens the data sovereignty of the data subject. The right to data portability gives data subjects the right, under certain conditions, to receive a copy of their personal data in a customary and machine-readable file format. The user thus has the right to "take" data from one provider to another.
The regulation can therefore facilitate a change to a different provider, especially in the case of social networks. Ultimately, however, it applies to any automated processing of personal data based on consent or a contractual relationship with the data subject, i.e. also to contracts with energy suppliers, banks or insurance companies. The data subject can choose whether to receive the data themselves (and pass it on to a new processor) or whether the previous processor has to pass the data on to the new processor directly. The right to data portability is limited to the data that the data subject has made available to the processor. It does not apply to the public sector.
According to Art. 21 Para. 1 GDPR, the person concerned has a general right of objection to the processing of personal data that is in itself lawful, which is in the public interest, in the exercise of official authority or based on the legitimate interest of the person responsible or a third party (Art. 6 Paragraph 1 lit. e or f GDPR). The person responsible may then only process the data if he can prove compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the person concerned. There is an unconditional and unrestricted right of objection to data processing for the purpose of direct marketing. This also applies to profiling insofar as it is related to direct advertising (Art. 21 Paragraphs 2 and 3 GDPR). The person concerned is to be explicitly informed of the right of objection in an understandable form and separately from any other information (Art. 21 Para. 4 GDPR).

All rights of data subjects can be restricted by national laws in accordance with Art. 23 GDPR, provided this is necessary to safeguard certain public interests. The principle of proportionality and the essence of the fundamental rights must be observed. Restrictions are possible, for example, for reasons of the protection of national and public security, national defense, but also the interests of the tax administration or to protect the independence of the courts. The federal legislature has made use of this and provided for restrictions on the rights of data subjects in Sections 32 to 37 of the new Federal Data Protection Act (BDSG-new). In the light of the GDPR, these are to be interpreted strictly and measured against the standards of Art. 23 GDPR. Whether and to what extent these regulations can be applied due to the priority of application of the GDPR is left to a decision in the respective specific individual case.

The General Data Protection Regulation aims for the most uniform possible application of the law in the European Union. In the case of cross-border data processing in the non-public area, this is to be implemented through a complex cooperation and coherence mechanism, at the end of which there is a uniform decision by the supervisory authorities of the EU member states on the application of the law. It can be brought about either by way of agreement or forcibly by a European Data Protection Board (see "Consistency procedure"). The German supervisory authorities, like those of the other EU member states, will only have one vote in these mechanisms. The federal legislature has re-regulated the coordination of the German supervisory authorities, which is necessary in European matters, in Section 18 of the Federal Data Protection Act (BDSG).

Due to the so-called "one-stop-shop mechanism" introduced by the General Data Protection Regulation, it is easier than before for companies that have branches in several EU member states and process data there to clarify their data protection issues: for these companies, in the case of cross-border data processing only the supervisory authority at their head office is responsible, so that they have a single central contact. This relieves companies considerably compared to the previous regulations.
At the same time, however, it is also ensured that those affected by the data processing can always contact the data protection supervisory authority at their place of residence with complaints. The basic architecture of the one-stop-shop mechanism is characterized by the designation of a lead data protection authority at the location of the controller's main establishment, which acts as the main contact for the controller and enforces data protection law against it. As soon as several Member States are affected, their data protection supervisory authorities are involved in the coordination mechanism (authorities concerned).
The lead and the concerned supervisory authorities agree on a uniform procedure, and a corresponding decision is sent to the main establishment of the controller. The controller has to take the necessary measures to bring the processing activities of all branches within the Union in line with the decision. It must inform the lead supervisory authority of the measures, which in turn informs the supervisory authorities concerned. The supervisory authority to which a complaint has been lodged informs the complainant of the decision. If a complaint by a data subject is rejected or dismissed, the decision is issued to the complainant by the supervisory authority to which the complaint was lodged; the company is only informed about it. If a complaint is only partially granted, two decisions are made: one by the lead supervisory authority vis-à-vis the company and one by the supervisory authority to which the complaint was lodged vis-à-vis the data subject.

Where, in one-stop-shop cases, no consensus between the lead and the concerned supervisory authorities can be reached in the cooperation procedure, Art. 63 and 65 GDPR standardize the so-called consistency procedure, under which the European Data Protection Board is empowered to make binding decisions (Art. 65 Para. 1 GDPR) in order to ensure the correct and uniform application of the regulation in individual cases. The procedure for this is regulated in Art. 65 (6) and Art. 60 (7) to (9) GDPR: the lead supervisory authority makes the final decision on the basis of the decision of the European Data Protection Board vis-à-vis the main establishment of the controller, which has to apply it across the EU. In the event of an unsuccessful complaint, the supervisory authority to which the complaint was lodged issues the decision to the complainant. Simultaneously with the adoption of the final decision vis-à-vis the controller or the complainant, any decision by the European Data Protection Board is published on its website.
In order to contribute to the uniform application of the General Data Protection Regulation, joint positions, statements and guidelines are also adopted in the so-called consistency procedure, beyond the clarification of individual questions (one-stop shop).

Further information is available in the BfDI's basic information brochure on data protection.

The Federal Commissioner for Data Protection and Freedom of Information
P.O. Box 14 68, 53004 Bonn
House address: Husarenstrasse 30, 53117 Bonn
Tel. +49 (0) 228 997799-0
Fax +49 (0) 228 997799-550
E-Mail: referat11@bfdi.bund.de
Internet: http://www.datenschutz.bund.de
Edition: 5th edition, September 2017
This brochure is part of the public relations work of the BfDI.