Data Protection Definition: Principles & Impact

Data protection is intended to protect the personal data of individuals from unauthorized and improper use.

This so-called "personal data," i.e., information that makes a person directly or indirectly identifiable, includes, for example, data such as full name, date of birth, address or telephone number. Particularly sensitive personal data (e.g., health, origin, political orientation, religion, etc.) belong to the special categories of personal data and are thus given special protection.

In Germany, the legal basis for data protection is provided by the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), among others.

By the way: The EU General Data Protection Regulation (GDPR) does not apply in the EU, but to everyone who process data of EU citizens. A significant difference!

The principle of data protection is that every individual has the right to informational self-determination. On this basis, everyone should be able to decide for themselves how their data is processed.

In concrete terms, this means that the collection, storage and processing of personal data is basically prohibited by default, unless:

• There is a legal authorisation (e.g. data at the tax office to determine the tax burden),
• The data is needed to fulfil a contract (e.g. a sales contract between two people),
• Or, the person concerned has expressly given consent.

Personal data is processed according to seven principles that are mandatory for every company or organisation:

• Lawfulness and transparency: Data processing needs to be lawful and plausible for the data subject.
• Purpose limitation: Processing may only be carried out for the purpose for which the data subject has consented.
• Data minimisation: Only the data necessary for the purpose may be obtained and used.
• Accuracy: Only correct, necessary and up-to-date data may be used.
• Storage limitation: The respective data may only be used as long as necessary for the respective purpose (afterwards, they must be legitimately deleted).
• Integrity and confidentiality: Adequate protection is the be-all and end-all, because the data must not only be protected from loss, but also from unlawful use.
• Accountability: Compliance with data protection must be verifiable.

Every person whose personal data is collected and processed has the following rights:

• Information/access: Any person may request information from authorities, companies or other bodies about their data stored with them.
• Rectification: If the stored data is not correct, there is a right to have the data rectified.
• Erasure/ to be forgotten: Provided that no law stands in the way, a person may request the erasure  of their data.
• Objection: any person may object to the processing of their data on specific grounds. If the objection is justified, we must comply with it.
• Withdrawal: Every person has the right to withdraw his or her consent to the processing of personal data without giving reasons.
• Restrict processing: If there is a legitimate reason, the person may request the restriction of the processing of his or her data.
• Data portability: Individuals have the right to receive their stored data in an electronic format.
• Complaint: If a person does not agree with the processing of their data, they can lodge a complaint with the data protection supervisory authority.