General Data Protection Regulation (EU) 2016/679
The General Data Protection Regulation (EU) 2016/679 or GDPR regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents with severe penalties of up to 4% of worldwide turnover.
It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.
The GDPR is known as Datenschutz-Grundverordnung (DSGVO) in German, as règlement général sur la protection des données (RGPD) in French, as regolamento generale sulla protezione dei dati (RGPD) in Italian, as algemene verordening gegevensbescherming (AVG) in Dutch, as Ogólne rozporządzenie o ochronie danych (RODO) in Polish, as Reglament General de Protecció de Dades in Catalan, as Obecné nařízení o ochraně osobních údajů in Czech, as Allmänna dataskyddsförordningen in Swedish, as Databeskyttelsesforordningen (popularly called Persondataforordningen) in Danish, as Splošna uredba o varstvu podatkov in Slovenian, as Isikuandmete kaitse üldmäärus in Estonian, as EU:n yleinen tietosuoja-asetus in Finnish and as Personvernforordningen in Norwegian.
Recommended Procedures
- Clarify who in your company is/shall be responsible for data protection. The data protection officer may not be a member of the Committee.
- Name a data protection officer.
- Check which data of persons (guests, employees, suppliers, web visitors etc.) you process exactly, especially data of citizens resident in the EU.
- Is it sensitive data (e.g. data on health, religion)?
  - Health: no
  - Religion: no
  - Other sensitive data: no
- Check the legal basis for the processing of the data (e.g. legal obligation, contract, legitimate interests, consent)
- Check if you need the data at all. If not, delete them.
- Check your contracts, terms and conditions, data protection declarations for compatibility with the DSGVO.
- Check or create the processes and documents needed to meet your obligations regarding information, documentation, data portability etc.
- Check the status of technical data security.
(source: Swiss Hotel Association)
- Preparation of a processing list in accordance with Art. 30 GDPR
  - Subscription to the community. Involved: subscriber. (name, e-mail, date of birth; Web DB?)
  - Subscription to the association. Involved: subscriber, secretary, treasurer, committee or AGM. (name, address, e-mail; ERP)
- Conclusion of agreements for order data processing with external third parties in accordance with Art. 28 GDPR
  - Do we have data processing with external third parties? I do not think so.
- Revision of declarations of consent in accordance with the requirements of the GDPR
- Checking and ensuring TOMs (= technical and organisational measures)
- Development of a security concept
- Securing the rights of those concerned
  - If someone wants to leave and have all data deleted immediately: following the policies, this takes some time, as assurance dependencies have to be checked and possibly anonymised.
  - Assurance forms are kept for seven years, not by CAcert but by the assurers.
  - If a wiki user deletes his page, the content can still be found by comparing different old versions in the info section.
(source: Ist Ihr Verein für die neue Datenschutz-Grundverordnung (DSGVO) bereit?)
Further reading