sportFACHHANDEL 08_2018 (reading sample)
36 | SERVICE | GDPR 8.2018

MISSED THE GDPR?

No cause for panic ...

... but it's high time to do something! Everyone who uses personal data for their business has to act. But with a concept, sensible tools and a reasonable expenditure of time, a large part of the new obligations is fairly easy to implement, even now.

Text: Christian Bonk
1. Do you process personal data, e.g. in a customer file?

The principle of purpose limitation applies: you are only permitted to process data when its specific use has been determined and documented before processing begins.
BEWARE OF TRAPS

Many want to earn something through the GDPR and want to be paid fantastic fees for their partly questionable services, citing their full order books and the effects the GDPR has already had. Here caution should be exercised, just as with questionable Internet tools that promise GDPR compliance at the touch of a button for high fees. You are better advised to begin the implementation soberly and initially to carry out sub-projects under your own direction. But one very important note cannot be omitted: these notes do not give you any entitlement to legal certainty. And in any case it is advisable to obtain information from a professional on individual, uncertain aspects. Such a professional can be a solicitor specialising in IT law, a data protection officer, or an expert from a trade association. Nevertheless: when you begin meeting the first requirements under your own direction, you are definitely on the right path.
2. To do: Make a list of the operations and processes during which personal data is processed.

Example: Customer file containing shoe sizes. Purpose: better and more professional advice during a customer's shoe purchase, because you know which shoe size fits them best.
3. To do: Create a register of processing activities: everything that has to do with personal data is recorded here. You are obliged to keep this register. You can read up on the minimum requirements for such a register in Art. 30 GDPR.

Example: Customer file for discount campaigns. Register entry: 372 customers hold one of our customer cards, for which we needed name, address and age.
4. To do: Ensure that computers or servers are in a lockable room, and, of course, that it is actually locked. You are obliged to establish a level of protection sufficient for the data you have gathered, and these measures must also be documented. Keep a register of the persons who need access to this room for their work. Additionally, record whether the data is stored in a cloud, and ensure sufficient protection there through passwords and certificates.
5. Do you use customer cards?

You are also obliged to document their purpose, the type of use, and the extent of the customer data stored. How, and to what extent, this is to be done can be found in the information requirements under Art. 13/14 GDPR.

To do: Explicitly document how, for what purpose, and with what personal data you equip your customer cards.

6. Do you work with service providers?

To do: Check who uses your customer data in order to fulfil customer orders, and create instructions on how these providers are to handle the data. Always conclude a data processing agreement (AVV) with such providers.

Example: Delivery of prepared skis via a local courier service. Make the provider aware that it may only use the addresses for the delivery you have ordered.

7. Do you expect requests from customers?

Many customers will be more attentive after the introduction of the GDPR because of their extensive rights: the right of access to their data, the right to restriction of processing, the right to rectification, and the right to be forgotten. You should be able to provide this data at any time.

To do: Prepare for requests and establish processes so that you can answer customers quickly and reliably, and delete data if necessary.

Example: Customer file: on request, show customers the "data set" you hold on them on your computer.

DO YOU HAVE A WEBSITE?

1. Do you have a website?

2. To do: The first measure to be taken on your website is to update the privacy statement. To create it, it is best to get informed on the Internet. There are countless options, ranging from free generators for small businesses to paid services that individually adapt your privacy statement to the new law.

3. To do: Another important step is the so-called AVV contract (data processing agreement); you should update it to the current state with your provider right away. Normally the provider will approach you, but in case of doubt make an enquiry yourself, because they are obliged to update the "data processing relationship" between you and themselves.