The new EU-wide General Data Protection Regulation, or GDPR for short, will come into force on May 25, 2018. It aims to improve data protection for EU citizens. Companies based in the EU, as well as companies located elsewhere that have EU customers or process their data, must adhere to the new rules. Beyond online shops and email marketing companies, this affects not only social networks but also bloggers who, for example, send out newsletters or run competitions. I have put together a few hints, tips and sources on the subject for you here.
Attention: This article is not intended as legal advice, but only reflects my research results to the best of my knowledge and belief!
The new EU data protection regulation applies to all companies that handle personal data. Whether it is a mailing list, customer data, forum users or cloud services, there are many examples. If you, as a blog operator, collect, store and use data from readers, then you should also take a look at the EU GDPR, because personal data starts with a name and an email address. Overall, this includes the following data:
As far as I've read: No. Data already collected, and cookies and the like already set, by the end of May do not need to be treated separately again. So if you already have dozens, hundreds or thousands of newsletter subscribers, not every one of them has to consent again to the use of their data in EU-GDPR-compliant form. But you should make provisions for upcoming subscriptions, future cookies and the like.
Companies that collect and use personal data (on a large scale) must carry out a data protection impact assessment. This means you have to check whether the personal data is secure, whether it can be viewed or used by unauthorized third parties, and whether the data subject could be put at risk. The data protection impact assessment is therefore a classification of data security and its possible consequences. If these turn out to be negative, adjustments may be necessary.
The GDPR also applies to companies that have EU citizens or EU companies as customers or clients. Therefore, US mailing service providers such as MailChimp would also have to comply with it. One indication that things are being done properly is, for example, the "double opt-in", i.e. the two-step consent for a newsletter subscription: once when you register and once via a confirmation link in the corresponding e-mail.
However, the security issues continue afterwards. For example, the data for MailChimp newsletters is stored on US servers, outside the EU and an attractive target for hackers and intelligence services. It is questionable whether this is fully in line with the EU GDPR. For this reason, some people from my circle of friends and customers are currently moving their newsletter lists from MailChimp to Cleverreach, Klick-Tipp or other German newsletter service providers. If you want to check out all providers, then click here:
During further research I came across this post. It describes, among other things, that you would have to enter into a contract with MailChimp in which the commissioned data processing (from May on simply "order processing") is regulated in accordance with the new regulation. External providers such as Google Analytics, as I understand it, do not require a written contract that you have to send back and forth. Here the provider, i.e. Google, can settle the formalities digitally at the push of a button: in the account management of Analytics you can do this under the menu item "Addition for data processing". MailChimp could theoretically retrofit such an automated process.
But what changes in detail now, what do you have to pay attention to in the future, and which existing regulations, ordinances and laws will be expanded? I did a little research and found information on this in this source, among others. So here are a few important points that you, as a data processing entrepreneur, blogger, shop operator or mailing marketing company, should consider:
There are two points in addition to the above list that may require a brief explanation: on the one hand "data portability" and, on the other hand, the "right to be forgotten". I have summarized what each of them is about in a brief explanation:
The new EU General Data Protection Regulation (GDPR) comes into force on May 25, 2018. There will be no further transition period, and no separate national law has to be created from it in Germany: the new set of rules and guidelines applies directly as a regulation. So if you deal with personal data from customers, readers, users, clients, employees and other people, then you should read up on it. If in doubt, it can be helpful to call in an appropriately specialized lawyer to be on the safe side. Because, as already mentioned at the beginning: this blog entry is not legal advice, but just a well-intentioned pointer resulting from my research on the topic ;)
Jens has been running the blog since 2012. He appears as Sir Apfelot for his readers and helps them with problems of a technical nature. In his free time he drives electric unicycles, takes photos (preferably with his iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions for current bugs.