The right know-how as well as extensive experience play a decisive role in data protection consultancy.
ds² benefits from many years of empirical experience, a comprehensive knowledge of theory and practice, and strong working relationships with the relevant industry institutions. In order for customers to receive the best advice possible from ds², we place great value on professionalism, flexibility and being up-to-date in the relevant fields. All ds² consultants have had the best possible training in the field of data protection and are kept abreast of the latest developments and guidelines through regular training courses. Every consultant has taken relevant exams and can fall back on extensive professional experience both within businesses and as a Data Protection Consultant.
However, not only do ds² clients rely upon a comprehensive technical knowledge, but can also expect professional, customer-friendly service. Clients always have access to an on-site contact person, who is familiar with the business. Besides the actual Data Protection Consultant, a deputy is made available, who is always available from the initial audit onwards.
In addition customers benefit from the collective know-how of all consultants, as an ongoing knowledge-exchange takes place between the individual consultants’ areas of expertise. For acute Problems ds² provides the opportunity for online-conferences, in order to effect as quick a solution as possible and to make the whole process more cost effective.
For your peace of mind, all of the ds² consultants’ activities are covered by our consultancy indemnity insurance.
Minimum wage and data protection
Since the beginning of January 2015 the new Minimum Wage Law applies. But why does a consultancy for data protection and security inform about this law?
Is there a connection between the Minimum Wage Law and data protection? The answer: Yes. At the first glance it is unexpected, but when examining the law it is obvious. This review will provide clarification.
Aim of the Minimum Wage Law
The legislator wants the client to ensure the compliance of the legislations on minimum wages. In the past many minimum wages and similar wage agreements were infiltrated, especially by false self-employed workers with service contracts and contracts for work. Thanks to the law these opportunities shall disappear.
An employer who charges another employer with services or work is liable for the subcontractor. He is liable as guarantor who has waived the defence of failure to pursue remedies (§ 13 MiLoG, § 14 AentG). The same applies to the subcontractors of the client.
Important for clients
The client is liable for his entrepreneur and subcontractors and the compliance of the Minimum Wage Law. This liability without fault can’t be eliminated completely by a careful choice and control (Informationstext des Unabhängigen Landeszentrums für Datenschutz (ULD) Schleswig-Holstein, 06.02.15). For this reason the client has to minimize his liability risk and his risk of incurring a fine. He has to take action for this.
The relevance in terms of data protection
From the perspective of the client it might be useful to collect and process data that show that the commissioned companies comply with the Minimum Wage Law. A control of the payroll accounting could be an obvious solution. But in such controls data protection requirements have to be met. This applies both to the clients (collect, process and use data) and the contractor (transfer the data).
The clients have to check (according to § 28 Abs.1 Satz 1 Nr. 2 BDSG) whether collecting and saving employee data is required for the compliance of their own business purposes and their entitled interests. The client has to make sure that the legitimate interest of the person in exclusion of the data processing or use of data doesn’t outweigh.
The contractors have to consider whether the transfer of employee data is necessary for the employment. If it is necessary, then the transfer is permitted(§ 32 Abs.1 Satz 1 BDSG).
From a data protection point of view the case under 1 might be permitted in particular cases, the case under 2 hast to be considered as not permitted by German data protection law.
[„Wenn der Auftraggeber auf Basis einer vertraglichen Abrede mit dem beauftragten Unternehmer bei diesem einen pauschalen Zugriff auf bestimmte arbeitsvertragliche Unterlagen möglicherweise aller Beschäftigten oder gar auf deren Personalakten erhält.“ (ULD Schleswig Holstein, 06.02.15)]
In § 32 BDSG the interests are weighed up in contrast to § 28 BDSG. A balancing of interests can open up new opportunities. The assessment of necessity has to be very strict. The necessity of the payroll accounting control for the purpose of establishing employment is the only thing to check.
According to the ULD the client has to refer to methods that do not require data collection (less severe measure). Controlling payroll accountings of employees of contractors would enable the access for the client to data (religious affiliation, marital status, date of birth, tax class, etc.) that is not necessary for the minimization of the liability risk. Therefore, the transfer of payroll accountings form contractors to clients is not permitted by law.
The client might consider this situation as a dilemma. On the one hand the guarantor is responsible fort he compliance of the Minimum Wage Law by the contractor. On the other hand he isn’t allowed to control the payroll accountings of the contractor to minimize his risk of liability. The legislator did not create a corresponding legal basis according to § 1 Abs. 3 Satz 1 BDSG that could jutify such a control.
Good solution approaches
Certainly it’s useful to make appropriate contractual regulations and choose the service providers carefully. This isn’t a legal obligation but has to be considered as binding to minimize the liability risk for the client.
At this point we only want to name a few solution approaches:
• Checking the offer for signs that the minimum wage is not paid
• contractual term for compliance of the Minimum Wage Law with contractual penalty regulation
• regulations for subcontractors (exemption from demands, banc guarantees)
• auditing regulations (anonymization, trusted third parties)
• right of veto for subcontractual relations
For further information and detailed solution please contact your competent and experienced data protection officer.
Industry 4.0: a future-oriented project– benefit from the opportunity, avoid risks
The future-oriented project Industry 4.0 targets the fortification and sustainability of the German industry. At the same time the data privacy protection needs to be respected.
Chances and ambitions of the future-oriented project Industry 4.0
The future-oriented project Industry 4.0 targets the fortification and sustainability of the German industry.
Foreign companies especially from the Asian region enhance their competitive position by increasing the productivity and by accelerating the process of innovation while the German industry has to deal with raw material scarcity and the increasing average age of the employees. The industry has to meet these challenges.
The German industry needs viable solutions for the future to that.
The technology of cyber-physical systems (CPS) carries the potential for a solution. These systems are small computers with sensors and actors (drive units; converter). They can be integrated in almost all objects and be connected via Internet. When the physic and digital world mix we talk about the Internet of things. The collected data can serve for the appropriate and customizable use of resources. The machines are able to signal when the maintenance needs to be done and spare parts are necessary. Therefore production delays and loss of production are minimised (predictive maintenance).
Germany’s traditionally very export-orientated mechanical engineering can profit massively from this new and intelligent technology. The main benefit of this technology is the connection of machines and services as a service package.
The data privacy protection is not negligible
This practice requires caution as to the data privacy protection: often the collected data have personal references and are therefore subject to the BDSG in Germany.
Employees for example have to log in into their machines before they start working. This procedure allows to collect data that show which person when, how long and by doing what has operated the machine.
This information enables companies to create complete usage profiles of their employees. If these profiles are suitable for performance monitoring and behaviour control, they need to be checked in advance as prescribed by law by the data protection officer.
The legislator enacted protective laws that need to be respected before implementing the new technology as possible in order to avoid the possible degradation of several employees to machines and expose them to continuous control (privacy by design).
Furthermore, the exchange (transmission, general data comparison) of personal data to recipients outside the company is difficult. Especially the data transfer to non-EU states can be complicated because every transfer requires a legal basis that allows it (e.g. §§ 28, 4b BDSG).
Industrial companies should involve their data protection officers on time as he knows the concerns of the industry and is able to bring them in line with the legal situation and the jurisprudence. Our experienced data protection consultants are happy to support you in the process.
Legal basis for data transfers to the USA questioned
Safe harbor self- commitments from US service providers (data recipient in the US) were an option to justify data transfers to a third country with poor data protection security (here the United States) within the scope of exceptions without a permit. The EJC declared the Commission decision from 26.10.2000 (which underlies this exemption clause) with its decision from 06.10.2015 void.
The EJC judgement doesn’t deal with the question if an adequate level of protection exists in principle in the United States. Furthermore, it doesn’t provide concrete and explicit specifications for companies what to do with existing data transfers (certified to safe harbour). Until further notice a lawful warranty of a secure level of data protection on the basis of safe harbor is no longer satisfied. As in the past, it is possible to revert to other options (standard contractual clauses, Binding Corporate Rules or approved individual contracts).
When an affected person complains about the unsecure data transfer of his personal data to a safe harbor certified data recipient, the authority has to check if the requirements in directive 95/46/EC are fulfilled.
In an initial assessment the authorities refer to the central role that will play the national and European data protection authorities in finding a solution. It is necessary to ascertain whether the data transfers to the United States need to be suspended and in which form, even if they are based on standard contractual rules, Binding corporate Rules or approval. The authorities will coordinate quickly their proceeding concerning the clarification of the consequences of the judgement.
We will pursue the development in this sector and inform our clients about the progress.
First of all we advise our clients to create a shortlist of the affected processes to identify the need for action and prioritize them. Your ds² data protection consultant is happy to assist you.
Reports from the German data protection authorities on this subject:
- BfDI - Europäischer Gerichtshof kippt Safe-Harbor (06.10.2015)
- LDI NRW - EuGH erklärt Safe Harbor für ungültig
- HambBfDI - EuGH kippt transatlantisches Safe Harbor-Abkommen (06.10.2015)
- Artikel 29 Gruppe - Article 29 Data Protection Working Party - PRESS RELEASE - Decision of the Court of Justice of the European Union on Safe Harbor (06.10.2015)
- Artikel 29 Gruppe - Statement of the Article 29 Working Party - Press Release (16.10.2015)
- Positionspapier der unabhängigen Datenschutzbehörden des Bundes und der Länder (Datenschutzkonferenz) (26.10.2015)
At this year’s BvD Congress in Berlin the ds² proprietor and BvD chairman Thomas Spaeing together with his team and 200 more data protection colleagues debated on the risks for data protection regarding to the bill for the basic regulation for data protection of the EU.
One thing became clear: many useful and modern concepts were lost within the negotiations. Operational data processing will be controlled by authorities – which entails an amount of bureaucracy. The proven way of self-regulation for the companies by internal Data Protection Officers are no longer relevant in Brussels. In its place, Brussels prefers new authorities and the data protection authorities in the EU member states (which are to this day under-resourced). The consultant’s advisory function that ensures a lawful data processing in many companies is now at risk.
That comes along with a serious intensification of the sanctions for the data processing companies and a vague wording in many regulations that bring a long period of legal uncertainty in data protection for the companies. “This is bad news for companies and citizens” – according to BvD chairman Thomas Spaeing.
For companies it is all the more important to count on the proven support and expertise of their Data Protection Officer.