Payment service provider as a processor? – What must be observed in terms of data protection law for payment service providers

Payment processing via service providers is convenient, fast and easy for customers and for the companies responsible. In the following we explain what responsible companies (controllers) must observe under data protection law if they want to use payment service providers to process payments with their customers.

Data protection in the car dealership

Data protection cannot be transferred one-to-one from one company to another. Implementing the GDPR in car dealerships poses particular challenges for those responsible. In the following, we would like to discuss some of the special features of data protection in car dealerships.

Data protection in the car dealership is end customer business

In the end customer business, it is particularly important for companies to protect the rights of data subjects. Customers may react angrily if they are dissatisfied. As a result, they often ask for their data to be deleted and no longer want to receive advertising from the dealership. Special attention must then be paid to ensuring that a request under the right to erasure (Art. 17 GDPR) is recognised as such and forwarded to the responsible persons at the dealership. These must carefully examine whether the right can be complied with in full or whether, for example, invoices are still subject to retention obligations.

Adhere to deadlines for data subject rights

The effort involved in checking deletion requests should not be underestimated. In doing so, the company should always keep in mind the time limit for responding to deletion requests set out in Art. 12 para. 3 GDPR. A month goes by quickly, especially if employees are not sufficiently trained and do not recognise requests to exercise data subject rights as such, or do not take them seriously at first and simply ignore them.

It is essential to train employees

For companies, it pays to train their employees on data protection. If such training is neglected, employees may ignore the rights of data subjects or even treat customer data carelessly. The employees of car dealerships have a lot to pay attention to in terms of data protection, especially in direct customer contact.

Copies of ID and salary slips

If the responsible company underestimates the role of its employees in data protection compliance, it can be costly. Copies of identity cards, salary statements and similar sensitive documents are sometimes requested from customers in the context of a car purchase or a test drive, copied and then, in the worst case, filed openly in a transparent sleeve on the sales desk in the showroom.

Various customer loyalty programs

The implementation of the GDPR in car dealerships also causes difficulties when various customer loyalty programs are used. It is important to take seriously the data subjects' right to object to direct marketing under Art. 21 para. 2 GDPR. It is disastrous when car dealerships use different systems that do not communicate consistently with each other or are not properly maintained. If the dealership fails to clearly define responsibilities, advertising objections from customers may not be taken into account.


Storage of customer data in the showroom

Storing customer data in the showroom is unfavourable. When implementing the GDPR in the dealership, those responsible should ensure that customer data is not kept there. There is constant customer traffic in the showroom, and unauthorised persons may gain access to personal data such as purchase and lease agreements. If in doubt, sales staff should be provided with lockable cabinets so that documents can be locked away quickly when needed at short notice.


Screen lock in the showroom

The sales staff's workstations in the dealership's showrooms also pose a risk of fines if the workstations are not locked when employees leave them. The staff's argument that they only went away for a short time does not hold up. An employee is quickly distracted from daily work, approached by another customer, or wants to fetch documents from a colleague, and five seconds quickly turn into minutes that an unauthorised person can use to get at data. Those responsible should therefore pay attention to training employees. A written instruction is often not sufficient to adequately sensitise employees to the handling of customer data.

Data protection audit helps with self-assessment

If those responsible are unsure about the implementation of the GDPR in the dealership, data protection audits can work wonders. They help to detect weaknesses. If the audit reveals that the processes that were supposedly implemented have been ignored or “adapted” by employees, there is now a chance to improve. In addition, controllers often get the impression that it is sufficient to have trained their employees and documented everything in terms of data protection. However, especially in the end customer business, many mistakes in the handling of personal data happen in everyday work. If problems only come to light as a result of customer complaints or through the supervisory authority, there is a risk of fines. A data protection audit can therefore help in advance to identify problems, raise the general awareness of all employees and avoid fines.

Data protection in the car dealership as a quality feature

Ultimately, the dealership’s customers will also appreciate the prudent handling of their data. Data protection is increasingly seen as a quality feature. If data protection is treated too laxly, customers quickly get the impression that they are not in the right hands, not only when it comes to data protection, but also when buying a car. However, anyone who handles customer data in a data-protection-compliant and professional manner will have an easy time gaining and maintaining the trust of their customers!

Book your data protection audit now and check how well you are really positioned.


Disclosure of data to partner companies

For many companies, division of labour and cooperation are not only a matter of necessity, efficiency and cost reduction, but also a matter of course. What someone else can do better, they can usually also do faster and cheaper, and if you sell to the same customers, there are synergies in working together. In this respect, many companies think of many things when it comes to partnerships and cooperations with other companies – only data protection is often forgotten when it comes to the disclosure and transfer of data. It is often overlooked that cooperation with other companies requires personal data to be disclosed to third parties. Responsible companies should therefore definitely check such data transfers in terms of data protection law and clearly define and regulate responsibilities in order to avoid fines.

Personalized contact details for employees of business partners – a problem under data protection law?

The more closely data processing operations in corporate practice are examined, the more data protection problems seem to arise. What about, for example, the use of personalised contact details that business partners have sent to my company and that are assigned to the business partner's employees?

Simply explained: the data protection coordinator

In this article we deal with the so-called “data protection coordinator”. Not least because of the increasing requirements of the General Data Protection Regulation, more and more companies are deciding to appoint an external data protection officer. A data protection coordinator within the company should then be assigned to work with them. But what exactly is a data protection coordinator and what is their job? What is the difference between a data protection officer and a data protection coordinator? We clarify these and other questions in this blog post.
Corona has intensified the risk in the area of information security and data protection

The corona pandemic has given SMEs in particular a boost in digitisation. Collaboration tools have reached an unprecedented level of penetration. Working from home is widely accepted by employers. For many companies and employees, everyday working life has improved and become easier. Despite all the euphoria, data protection and information security should not be forgotten. The BSI (the Federal Office for Information Security) also reminds us of this in its “Report on the Situation of IT Security in Germany 2020” of October 20, 2020, in which it states that the attack surface, and with it the cyber threat from criminals, increased during the pandemic.
Data protection in data and paper archives

The digitisation of processes, the outsourcing of data to cloud solutions, email archiving, the implementation of the requirements of the GoBD regarding the documentation of digital business processes with corresponding storage solutions and backups, and the handling of the extensive IT security and data protection requirements that result from all this are at the centre of attention.
Information security and data protection in clouds

Data storage is increasingly moving to the cloud, away from local servers. What many companies are not aware of: although it is convenient to have hardly anything to worry about, they still have to ensure data protection and information security themselves.

GDPR violation: Compensation for incomplete and late information

Violations of the GDPR can cost companies dearly. The first thing that usually comes to mind is the high regulatory fines that are widely reported in the press. But it is not only high fines from the supervisory authorities that threaten companies that provide incorrect information: compensation for pain and suffering can also be due, as the judgment of the Düsseldorf Labour Court of March 5, 2020 showed (Az. 9 Ca 6557/18). The reasoning for the judgment contained some fundamental statements on immaterial damages in connection with violations of the GDPR.
Bitkom study reveals: even 2 years after the introduction of the GDPR, companies still find it difficult to implement the GDPR

The Federal Association for Information Technology, Telecommunications and New Media e. V. (Bitkom) commissioned a study on the implementation of the GDPR in companies, the results of which were presented on September 29, 2020. According to the study, half of the companies surveyed did not launch new projects because of the requirements of the GDPR. Only 20% of the companies stated that they have now fully implemented the GDPR.