Like its predecessors, the GDPR lays down the principle of data minimisation. Companies need a deletion concept for the data they no longer need, which is a good reason to think about a paper shredder. There is also a right to erasure: you can ask the controller to delete your personal data without delay, for example if you have withdrawn your consent. However, data that was collected on a statutory legal basis is not affected by the right to erasure.
Statutory retention requirements also conflict with the right to erasure. For example, invoices must be kept for ten years. But a customer could in theory ask the same of you - so you need to ensure you have a protocol in place for handling such requests.
Do I need a data protection officer?
As a rule, one-person businesses do not need a data protection officer. According to the law, a data protection officer must be appointed if, as a rule, at least 20 people are constantly involved in the automated processing of personal data. But: if a data protection impact assessment is required in accordance with Article 35 GDPR, a data protection officer is required even for a one-person business. This data protection impact assessment is required whenever special categories of data are processed.
However, although Art. 37 Para. 1 c GDPR indicates that a data protection officer must be appointed if the "core activity of the controller or the processor is the extensive processing of special categories of data", most one-person healthcare businesses (single doctors' practices or pharmacies) are excluded. Art. 91 GDPR says in sentence 4:
"The processing of personal data should not be considered extensive if the processing concerns personal data of patients or clients and is carried out by a single doctor, another health professional or a lawyer."
The fact that sole proprietorships and freelancers are not forced to appoint a data protection officer does not mean that advice is not useful. You can solve many things yourself - but this is no substitute for talking to an expert. If you think the type of business or trade class your business operates under could fall into this category, please talk to a professional adviser.
Apart from sole proprietorships, members of the liberal professions and freelancers in particular have to adhere to the provisions of the GDPR. A liberal profession is understood as an independently performed scientific, artistic, teaching, writing or educational activity, as well as the professional activities of other groups, such as lawyers, tax consultants, architects or doctors.
In contrast, freelancers, also called self-employed contractors, perform assignments and projects for companies under service contracts or contracts for work. For all of the above-mentioned professional groups, both the General Data Protection Regulation and the Federal Data Protection Act contain extensive requirements that must be observed when processing personal data. The law does not provide for any exceptions or relief for sole proprietorships. EU bodies and institutions, as well as the member states and their supervisory authorities, are merely required to take into account the special needs of micro-enterprises and small and medium-sized enterprises when applying the GDPR regulations.
Business owners must always be able to prove that they take technical and organisational measures to ensure compliance with data protection regulations. This obligation arises from Art. 5 Para. 2 GDPR: the company processing the data is responsible for complying with the principles for the processing of personal data in Art. 5 Para. 1 GDPR and must be able to demonstrate that compliance. To this end, every process that allows conclusions to be drawn about your own GDPR compliance should be documented.
If the data subject or the supervisory authority makes a request, the company must be able to fully demonstrate compliance with data protection regulations. In this respect, it is advisable to document all measures taken in your own company or freelance business with regard to data protection. All training measures, seminars, further education or instructions for action should be recorded. It is advisable to keep a record of processing activities (processing directory) for this purpose.
Most freelancers and self-employed people have websites, which means you need cookie notices
Above all, most freelancers and self-employed people have a website - this means you'll need to ensure you have a compliant cookie notice. The so-called "Cookie Directive" regulates the legal handling of cookies in the EU. To explain: EU directives are not automatically "law", but must be transposed into national law by the EU member states.
The EU Commission had declared that the Cookie Directive does not actually have to be implemented in Germany, as the current German regulations already meet the requirements of the directive. That sounds strange, because the German rules do not provide for consent (i.e. clicking on "Yes, I agree"), but only for a reference to the right to object. But you need a consent notice anyway if you want to be compliant at the EU level. Yep, I understand - it makes no sense, but it is also exactly how one could expect it to be!