By carefully analysis the GDPR and the Federal Data Protection Act (BDSG), our lawyers ensure that our clients are fully aware of what is expected of them under German data protection law.
Art. 4 GDPR contains the relevant definitions in data protection law according to the regulation. This section must be viewed as the starting point for the application of data protection regulations and consequences. Under this section, the definitions for “data controller”, “data processor”, and “data recipient” are outlined.
Art. 4 GDPR also defines “personal data”. “Personal Data” under the regulation means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’).
An “identifiable person” can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data include (a person’s):
- Name, age, address
- Date of birth
- Contact details (telephone number, e-mail address)
- Identity card number
- Health data
- Marital status
- School Education
- Work experience
“Processing” under Art. 4 GDPR means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
Note: GDPR is based on the principle of prohibiting data processing subject to permission. This means that data processing is generally prohibited but is permitted under certain circumstances. Therefore, another person cannot use your data in the above-mentioned manners without getting your permission first to do so. Permission can be granted:
Tip: The former is on a shakier legal foundation due to its revocability. Therefore, an attempt should be made to base the lawfulness of data processing – at least additionally – on the general elements of authorisation under Art. 6 lit. b-f GDPR. These are:
- fulfilment of (pre-)contractual obligations,
- protection of legitimate interests
- fulfilment of legal obligations,
- protection of vital interests,
- protection of public interests and exercise of official authority.
If you have any further questions on this matter relating to your situation, please make sure to contact our employment lawyers directly.