leitzcloud: The GDPR-compliant cloud for your company!
Reading time: 5 min | Amelie Gärtner
June 17th, 2021
“Is leitzcloud GDPR compliant?”
This question has become more and more prominent in recent years and not without reason: Since May 25th, 2018, the General Data Protection Regulation (GDPR) has been in effect throughout the EU. Therefore, leitzcloud must also comply with this regulation.
Who does the GDPR apply to?
The GDPR is the General Data Protection Regulation that has been in effect throughout the EU since May 25th, 2018. The regulations apply to companies that are based in the EU, but also to non-European companies that have a branch in the EU or process personal data of EU citizens.
What are the objectives of the GDPR?
The objective is to create a uniform regulation throughout the EU to avoid the different standards of the individual member states. In addition, the fundamental rights and freedoms of natural persons and their personal data and the free movement of such data shall be protected.
What are personal data?
Personal data is information that allows conclusions to be drawn about the identity of a natural person. These can be identified directly or indirectly by means of identifiers, such as names, identification numbers, or several characteristics.
Visit us on Linkedin!
Read more about GDPR and other exciting topics on our Linkedin page.
We look forward to seeing you there!
Summary of the EU General Data Protection Regulation
The following table provides an overview of the individual chapters and summarizes the main contents of the articles.
| Chapter Number | Explanation |
|---|---|
| I. General Provisions | The first chapter specifies general provisions and objectives of the regulation and applies to the protection of natural persons with regard to the processing of personal data and the free movement of such data. The material and territorial scope is also discussed, as well as further definitions. |
| II. Principles |
The 7 articles describe the principles for data processing. This includes, for example, handling personal data as well as the lawfulness of data processing. Example: Article 6 of the EU GDPR: Processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract [...] to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |
| III. Rights of the Data Subject | The third chapter of the GDPR deals with the rights of a data subject whose data is being processed. This includes, among others, transparency, information obligations and rights of access, the right to rectification and erasure of data (“right to be forgotten”), etc. |
| IV. Controller and Processor | These articles explain the responsibilities of the controllers, as well as the appointment of a Data Protection Officer. The Data Processing Agreement (DPA) according to Article 28 of the GDPR defines the requirements for the contractual relationship. |
| V. Transfer of personal data to third countries or international organizations | The regulation regulates the processing of data in third countries that are not part of the EU and ensures that the level of protection for natural persons is not undermined when transferring data. |
| VI. Independent supervisory authorities | Supervisory authorities review and monitor the implementation and compliance with the regulation. Authorities must be independent and not be directly or indirectly influenced. |
| VII. Cooperation and consistency | Chapter 7 regulates the general cooperation between the individual supervisory authorities. In the event of disagreements, the coherence procedure is initiated and regulated by a binding decision of the European Data Protection Board. |
| VIII. Remedies, liability and sanctions | As the chapter suggests, the articles deal with liability and sanctions. In addition, the general conditions for imposing fines are mentioned. These are decided based on the circumstances of each individual case. |
| IX. Specific data processing situations | The GDPR deals with regulations for specific data processing situations, such as freedom of expression and information or the processing and access to official documents. |
| X. Delegated and implementing acts | The European Commission is authorized to adopt delegated acts, to delegate and to set certain conditions for the delegation. In addition, a committee is established to support the Commission in its tasks. Delegated acts = acts without legislative character to supplement or amend legislative acts. |
| XI. Final provisions | The final provisions mainly include the relationship to other directives and existing agreements. The European Commission is obliged to prepare a report on the assessment and review of the regulation every 4 years and to submit it to the European Parliament and Council. |
Did you know?
The contract for processing orders mentioned in Chapter 4 can be found in your customer portal at Leitzcloud, where you can sign the document directly.
What has changed for companies?
With the GDPR, the entire EU has been brought to a uniform level of data protection.
Scope: The regulation now also applies to non-European companies that are active in the European market or work with personal data of EU citizens.
Fines: Above all, fines have increased significantly, so depending on the violation, penalties of up to 4% of annual turnover or 20 million euros can be imposed.
Privacy by Design: "Data protection by design" means that data processing procedures have already been integrated into the system and are part of the standard.
Privacy by Default: "Data protection by privacy-friendly default settings" means that default settings should be privacy-friendly, so that primarily less technically savvy people are protected.
Reporting Obligation: Companies are subject to the reporting obligation if there are data breaches, which must be reported within 72 hours.
What has changed for consumers?
What additional rights have been granted to consumers?
Data portability: Consumers have the right to data portability, meaning they have the right to take their personal data to another provider - and this in a secure and commonly used format.
Consent for data processing: Such consents must always be given voluntarily and can be revoked at any time.
Right to rectification: Consumers have the opportunity to have incorrect data corrected immediately.
Right to erasure: Data must be deleted as soon as the purpose ceases to exist or the consent is revoked.
Right to information: Consumer rights have been extended, for example, they receive not only information about the purpose of data processing, but also about the duration.
Sources:
Intersoft Consulting (accessed 14.06.2021)
Datenschutzexperte.de (accessed 14.06.2021)
Datenschutz.org (accessed 15.04.2021)