A new level of data protection
On May 25, the European General Data Protection Regulation (GDPR) will go into force after a two-year transitional period. The regulation places stricter requirements on companies and authorities for ensuring data protection and imposes tough penalties in cases of non-compliance. Below you can read about what the new regulation entails, and what you need to know about handling personal data.
Every person has the basic right to control his or her data: What data about them is stored? How is it used? Is it ever deleted? This is the core message of GDPR. It will take effect on May 25, 2018 and will standardize data protection laws across the EU. As a result, every company around the world that collects or processes personal data on EU citizens will have to contend with new, stricter regulations concerning the processing of that data. These regulations focus particularly on the collection, use, storage, and deletion of personal data, as well as on protection against unauthorized access to it.
Companies in the logistics industry, too, have had to address this topic and take the appropriate precautionary measures. These are of both a technical and a procedural nature: Is there an up-to-date overview of all of a company’s systems that collect or contain personal data? Is collecting it necessary for performing a contract? Has consent for collecting and using the data been given and appropriately documented? In general, GDPR requires that records, information, processes, and receipts be documented in a legally secure and transparent fashion.
Companies in which ten or more employees regularly handle personal data must also appoint a corporate data protection officer. To comply with GDPR from the outset, data protection should in future be technically incorporated when data processing procedures are drawn up. These principles of “privacy by design” and “privacy by default” are enshrined in Article 25 of GDPR.
Who is responsible for compliance with GDPR?
Essentially, every company is responsible for compliance with GDPR. If a third party processes personal data on behalf of a company, this is called order processing, and both the contracting company (controller) and the third party (processor) are responsible for complying with GDPR. In addition, these cases require an agreement on order processing.
DACHSER is responsible for ensuring the protection of personal data needed for rendering freight-forwarding services. This does not require an agreement on order processing.
The Bavarian Data Protection Authority in Ansbach has ruled that freight-forwarding services do not fall under order processing as defined by Article 4 (8) of the EU General Data Protection Regulation (GDPR).
Ensuring data protection has always been an important concern of ours, even before GDPR takes effect.
DACHSER has made intensive preparations to be ready in terms of technology and processes to implement the new additional regulations of GDPR. Personal data has always been used only to process requests, fill orders, and—provided consent has been given—to grant access to special information or offers. We also need this consent in order to send you the DACHSER eLetter in the future. In what’s called the double-opt-in process, all recipients must confirm in a second step that they wish to continue receiving information.