Entrepreneurs think they can feel safe due to the low capacities of the supervisory bodies. A question that one gets asked again and again as a data protection officer is: “What should happen? Nobody notices that anyway! ”
A look at the figures in the 2019 activity reports published by the supervisory authorities shows that the number of complaints and control suggestions has increased enormously since the introduction of the GDPR. Citizens were made aware of data protection both through media reporting and, for example, through their own training courses as employees. Data protection violations are therefore detected more quickly and easily. Employees and customers in particular can play a key role in uncovering fines for the risk factors.
In the course of their work, employees learn a lot about the processes and structures in their company. Due to the higher level of awareness, most of them understand when processes in the company are not regulated in accordance with the GDPR and know which managers in the company do not attach great importance to data protection. It can have a correspondingly negative effect if employees become dissatisfied. The inhibition threshold to “get back at the company” when employees are laid off is particularly low. And what would be easier than to give the supervisory authority a tip that customer data has been piling up in the open filing cabinet in the staff kitchen for 30 years, or in the case of certificates of incapacity for work or that employees send sick notes by email to all colleagues “for information purposes”.
The headlines were also made by the judgment of the Düsseldorf Labor Court of March 5, 2020 – 9 Ca 6557/18, according to which an employee was awarded damages of € 5,000 because his right to information according to the GDPR had not been fulfilled sufficiently and on time. If more courts follow this approach in the future, the prospect of receiving compensation for pain and suffering should also represent an increased incentive for employees and customers to report violations to the supervisory authority.
Another of many risk factors are customers. Customers also notice when processes are regulated in a way that is contrary to the GDPR. If, for example, the files of other customers are openly visible in the reception area, if video surveillance takes place without signage or if they receive e-mails that were intended for another recipient, the customer can quickly get the impression that the company is data protection, and thus also the Risk factors is not that important.
Customers can react particularly irritably if their inquiries regarding services can never be answered. For this, however, advertising flutters into the mailbox every 4 weeks, although this has already been contradicted (several times). The inclined consumer can quickly find out about the admissibility of such behavior on the Internet and easily make a corresponding entry using the online form of the supervisory authorities.
If that’s not enough as an entrepreneur: Just one look at the company website, where the data protection declaration is extremely brief and the cookie banner is out of date, is enough for angry employees and dissatisfied customers to be able to immediately determine: Supervisory authority can be punished with a fine.
Entrepreneurs underestimate open flanks when it comes to data protection. Customers and employees in particular receive insights into the company that reveal gaps in data protection. Companies should not feel encouraged when it is reported in the press that the staffing of the supervisory authorities leaves something to be desired and that unreasonable inspections need to be expected in very few cases.
Because even if unprompted checks still take place far too seldom: Many consumers and employees now know very well about their rights and obligations under the GDPR and make use of the practical option of using the online form for complaints. If entrepreneurs do not make efforts to adapt in order to achieve GDPR compliance, a review by the supervisory authorities will have a difficult position. The argument “Nobody knows!” Can therefore be easily refuted. But it would be even better if the data protection officer couldn’t be confronted with it in the first place.
As the data protection officer, it is our job to identify gaps in data protection at an early stage and to support you with tailor-made solutions in establishing GDPR compliance. So you can concentrate on your core tasks while we take care of your data protection. If you are unsure what is important for your company – we will be happy to advise you. Here you come to our contact form.