From 25 May 2018, the EU’s new General Data Protection Regulation (GDPR) will be fully applicable. The new regulation is intended to harmonize the handling of personal data throughout Europe and to protect the fundamental rights and freedoms of natural persons, i.e. real, existing persons. What will the new regulations change for us and our customers?
At the heart of the new regulation are so-called personal data and how they are handled. Concretely, this concerns, for example, the contact data (e-mail addresses or addresses) of customers, suppliers or employees. In addition, a personnel number, a license plate or location data can be assigned to individuals and thus make them “identifiable”.
Personal information may continue to be collected if there is an “authorization fact”, i.e. either the data subject has given his/her consent, or processing is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures. Furthermore, personal data may be collected and processed in the event of a legal obligation, to protect vital interests, for the performance of a task of public interest, or if this is necessary to safeguard a legitimate interest of the controller or a third party. It should be added that even before the GDPR came into force, only data required for business transactions could be collected.
How is Hellmann reacting to the new regulations?
Hellmann has long had a functioning data protection organization, with appointed data protection officers and close cooperation between the IT, Legal and Human Resources departments. For the GDPR, we have additionally formed a project group that identifies and communicates the effects and adaptation requirements within the Hellmann Group and implements the necessary changes. In this way, it was possible to complete the legally necessary adjustment steps with regard to data protection well before the GDPR came into force. The Hellmann internal competence team is supported by external consultants, including Dr. Volker Wodianka from SCHLUTIUS Data Privacy & Compliance GmbH. Dr. Wodianka will in future act as external data protection officer. Finally, all of Hellmann’s European subsidiaries are involved in the work of the central GDPR project group and are supported in all aspects of the evaluation and implementation of the requirements. This applies regardless of which product division a subsidiary belongs to.
What remains challenging in the Europe-wide context is that some local deviations from the GDPR are permitted: so-called opening clauses allow Member States to adopt data protection rules that differ from the GDPR in certain areas. The German legislator has already passed a new Federal Data Protection Act, which applies alongside and supplements the GDPR. Companies based outside the EU will be surprised to learn that, under the so-called market place principle, they are subject to the rules of the GDPR if they offer products or services specifically in the EU and no special exceptions apply. For example, the legislator wants to regulate the handling of user data by online giants such as Facebook, Amazon or Google.
The entry into force of the GDPR also entails a comprehensive information obligation for us as a company. It is important to inform customers and suppliers, and of course all employees as well, in advance and in detail about the forthcoming changes and about the manner and purpose of the collection of their personal data. For more details on the handling of your personal data and data protection in general, please visit: www.hellmann.com/privacy.