The spook scares many organizations – also so love DSGVO "ubersetzen". This is the impression we get when associations and companies talk about the spectre of the new data protection regulation. Even lawyer sabine gross from kronach speaks of an "ungetum".
She understands that the GDPR instills fear in club officials and small store operators. But it was not possible to get out of her way.
This is also evident in the domestic club world. The SPD local association schneckenlohe, for example, shut down its homepage. Chairman joachim sunkel gave the new data protection guidelines as the reason for this.
The largest association in the district does not go that far. Jorg schnappauf, chairman of the kronach gymnastics club, notes that he and his colleagues on the board have become more aware of the issue. The association laid the foundations for adapting data protection two years ago, and has been making adjustments since then. Declarations of consent on image rights, no release of data, declaration in the association, review of data processing, stipulations in the articles of association – there are many starting points.
But even though the gymnastics club feels it is in good shape and its members are relaxed about the change, schnappauf has doubts about the new, unwieldy legal construct. "We were still running an honorary office", he emphasizes "we don't have an office. We have to take the whole thing seriously, of course, but the specifications should also be implementable in practice."
Sabine gross can understand that the associations are currently scrutinizing their working methods. She herself is active on the board of the kronach tenants' association and, from both a professional and a functional point of view, feels that the law is "insanely woolly and bureaucratic" the new law is. "It all gets out of hand. It's a really sprodes law that you don't want to go near."
But no one can avoid dealing with it as soon as data is collected. "And there is no distinction between the aquarium friends and the DFB – the same requirements apply to all of them."
Everything that is needed to exercise membership or to communicate does not require the consent of the person concerned, says gross about the processing of personal data. Even on this fundamental question, a lot of incorrect information was circulating among the clubs. More problematic are the documentation requirements and the instruction of each new member. What newcomers need to know "no one reads that"!
Nevertheless, gross encourages the associations to get to grips with the issue. Sitting out the case will not be enough in this case. It is not to be expected that the GDPR will be overturned again. And at the end of the day, "you can do anything, you just have to start doing it!"
There are more serious problems
Despite the bureaucracy, the lawyer considers the new law at least a step forward in data security? Only to a certain extent. "Our real problem is that we have to pay for facebook, amazon& co. Giving away our data voluntarily. These guys know everything about us. This is a much bigger problem than what small associations or businesses do."
New regulation means one thing for associations: a lot of extra work
Sabine gross has already helped associations on their way through the DSGVO jungle several times. In presentations, she showed them what is in store for them. The lawyer also mentions important points for us.
The GDPR applies: as soon as an association processes personal data, the regulation applies to it. "It doesn't matter if you have a rough database, it only matters that you collect data", states gross. Such typical information is: name, address, date of birth, telephone number, e-mail address, bank details, membership number or functions in the association.
Data protection officer: since there are usually fewer than ten people in a small association who are constantly involved in data processing, there is usually no need for an officer. The situation is more difficult for groups that constantly collect sensitive data. "The ten-person requirement does not apply, as I currently read the law", says the lawyer. This could become a problem for self-help groups in some circumstances.
Data protection regulations: associations are obliged to lay down in writing the basic principles of their work with data. This can be done, for example, through the articles of association or a set of rules and regulations.
Information obligations: when accepting new members, everyone must be informed about data protection. And the association should be able to prove that it has fulfilled this obligation.
The information is quite extensive: contact of the controller and its representative, purposes of the processing, legal basis, recipient of the data (for example, umbrella organization, internet), third country transfer (for example, member management in a cloud) and (the lack of) data security guarantees, storage period, data subjects' rights, right to revoke consent, right to complain to a supervisory authority.
Data processing: an association does not always need consent for data processing. It is not necessary when it comes to the pursuit of the association's goal, member administration or support.
Directory: does an association need a directory of processing activities? Yes, because personal data are regularly processed. Similar extensive specifications are expected as in the case of the information requirements. "That's really bad", sabine gross shows understanding for the trouble in the associations. "But they can not get around it."
Data protection obligation: without such an obligation, it is not possible for the management board to prove that the data subjects comply with the GDPR principles. Behind this, however, there are requirements that do not make the work any easier for those concerned. "When processing data at home on the computer, spouses and children were not allowed to look at the monitor, and the user needed a separate hard disk – who would do anything then??", gross wonders whether the standards are not currently set a little too high. However, the lack of case law on the new ordinance is still a problem in assessing some points.
Information: if a member wants information about the use of his data, the association must provide it to him within one month at the latest. Again, the specifications are very detailed. This means that there is a risk of a high workload in the event of inquiries.
Kronach: two dog siblings looking for a home
The shelter dogs gracia and zacatin come – as the unusual names suggest – from spain, more precisely from the local partner shelter sierra nevada near…
Failure of the renovation of the hikers’ hostel because of the access road?
The hikers’ hostel in ludwigsstadt is to become a modern, appealing and unique accommodation for hikers and clubs. It is to become a showcase project for…
Expansion of the bridge in buchau not in sight
Lively debates took place at the castle meeting in the zum paul guesthouse given in buchau. There was lively discussion, especially on the subject of the…
U.s. Government admits spying on internet companies
U.S. Intelligence coordinator james clapper acknowledged that data is being collected without naming the ausmab. President barack obama defended the…