Data protection checklist for freelancers and the self-employed
1. Do I process personal data (e.g. names, addresses, telephone numbers, IP addresses, email addresses, etc.)?
2. How do I process this data (online via the cloud, on my own computer in Excel, Word, a card index, etc.)?
3. Do I have a procedure directory?
Here you have to list which personal data you process, which groups of people are affected, and what you do to protect the data technically and organizationally. Something similar existed before under the name "directory of procedures", but it only applied to automated processing.
4. What is the legal basis for using the personal data?
- Fulfillment of a contract (e.g. invoicing)
- Legal obligation
- Protection of vital interests
- Overriding public interest
- Legitimate interests of the person responsible, provided that the interests of the data subject do not outweigh them
5. Is there a legal basis for collecting and processing all data?
- Consent should preferably be obtained in writing (because of the obligation to provide evidence), but it can also be given electronically or orally
- Information about the possibility of revoking consent at any time
- For data from under 16-year-olds: approval of the legal representative
6. Have I fulfilled my information obligations by means of a data protection declaration (print or online)?
7. Do I observe the requirements of a data protection declaration?
- Understandable language
- Information about the type of data and how it is processed
- Name of the person responsible
- Reference to the rights of the person concerned (especially: revocation, information, deletion, correction)
8. Have I made a risk analysis?
- Type of data
- Sources of risk
- Appropriate technical and organizational measures
According to Art. 32 Para. 1 GDPR, companies must take suitable technical and organizational measures to protect data and prevent risks for those affected. To do this, you first have to be clear about which risks you are dealing with, and it is best to document these considerations (the documentation obligations follow from Art. 5 Para. 2 GDPR).
9. Do I need a data protection officer?
- If I employ at least 10 people who are constantly involved in the automated processing of data
- Possibly even for a single person: when I deal with special categories of data (e.g. health data); this is currently disputed
Let’s expand on this a bit. As a rule, sole traders do not need a data protection officer. According to Section 38 of the new Federal Data Protection Act in Germany, a data protection officer must be appointed if, as a rule, at least 20 people are constantly involved in the automated processing of personal data. But: if a data protection impact assessment is required in accordance with Article 35 GDPR, a data protection officer is required even for a single person. This data protection impact assessment is always mandatory when special categories of data are processed, such as health data (see above). This would then apply, for example, to small medical practices or pharmacies.
However, since Art. 37 Para. 1 c GDPR states that a data protection officer must be appointed if the "core activity of the person responsible or the processor is the extensive processing of special categories of data", most small healthcare businesses (one-person doctors' offices or pharmacies) are excluded. This is why the special categories are noted above.