Do you need advice on processing personal data? Are you implementing new technologies and want to comply with the AVG? Or are you looking for legal help with a privacy dispute?
Privacy law is essential for any organisation working with personal data. The use of this data is bound by the strict rules of the General Data Protection Regulation (AVG). Companies, institutions and public authorities must align their processing of personal data with the provisions of the AVG.
Our privacy law lawyers support you in all aspects of privacy legislation. We offer advice, conduct proceedings on privacy issues and can act as Data Protection Officer (FG). A special focus within our services is the processing of personal data when using new technologies, where our expertise in IT law offers significant added value.
The General Data Protection Regulation (AVG) is a European law that came into force in 2018, setting out the rules for processing personal data. The aim of the AVG is to better protect citizens' privacy by imposing stricter rules on companies and organisations. This includes the right of access, rectification, erasure and the right to be forgotten. The AVG imposes obligations on organisations, such as appointing a Data Protection Officer (DPO) and keeping a processing register. Companies must also ensure appropriate security measures and may only process personal data if there is a legal basis for doing so, such as the consent of the data subject or a contractual obligation.
Making an organisation AVG compliant requires several steps. First, an inventory of all personal data processed must be made. The next step is to identify the basis for the processing, such as consent or a legal obligation. It is important that companies are transparent about the processing of personal data, for example through a privacy statement. In addition, appropriate security measures should be put in place to protect data against data breaches. Companies must also keep a processing register, which records what data is processed, for what purpose and who has access to it. Where appropriate, a Data Protection Officer (DPO) should be appointed to oversee compliance with the AVG. Procedures should also be in place for reporting data breaches and handling requests from data subjects, such as the right to access or delete data. Delissen martens' AVG toolbox can help you with this.
There are specific obligations under the AVG in the event of a data breach where personal data is unknowingly disclosed or lost. First, the breach must be reported to the DPA within 72 hours, unless the breach is unlikely to pose a risk to the rights and freedoms of data subjects. If there is a high risk to data subjects, they must also be notified immediately. It is important to properly document the data breach, including the cause, consequences and measures taken to prevent a recurrence. Companies should also take appropriate technical and organisational measures to minimise the risk of data breaches, such as encrypting data or restricting access to sensitive information.
Personal data may only be processed if there is a legal basis for it, such as the data subject's consent, the performance of a contract, a legal obligation or a legitimate interest. There are also special categories of personal data, such as data on health, race, political opinions or religion, which are subject to stricter rules. These may only be processed under strict conditions, for example if the data subject has given explicit consent or if the processing is necessary for the exercise of specific employment, social security and social protection rights. Companies should always ensure transparency and security when processing personal data and ensure that data is not kept longer than necessary.
Family names are frequently used as trade names for a business. A family name gives a piece of authenticity to a business, but its use can also be risky. Melvin van Tiel discusses some points of interest in his blog.
