The 5 most important data protection rules for start-ups
1. No data processing without a legal basis: The General Data Protection Regulation (DSGVO) contains a fundamental prohibition subject to permission: personal data may only be processed if there is a permission for it, the so-called legal basis.
2. Consent is often not the best solution: The requirements for legally effective consent were deliberately set high in the DSGVO. This creates many pitfalls that must be taken into account if consent is to be used as the legal basis.
3. All data processing needs one or more purposes: Personal data may only be processed for legitimate, clear and defined purposes. Any purpose that is not prohibited is legitimate. But the requirement that the purpose must be clearly identifiable and predetermined often leads to problems in the start-up context. It is often not clear at the beginning what the data will be processed for later. It is typically in the nature of a start-up that the concrete business model and, in some cases, the services to be provided are not yet clear.
4. Data subjects must be informed about the processing of their data: Transparency is one of the basic principles of data protection: data subjects should know how their data is processed and by whom. Only in this way can they be enabled to exercise their rights. One of the obligations derived from this principle is to provide information on data protection on the website (the “privacy statement”).
5. In addition to customers, employees, suppliers and shareholders must also be protected: Data protection should protect all people, regardless of their role. Therefore, when it comes to data protection, companies must not only consider (potential, actual and former) customers, but also other stakeholders whose data the company processes.