The most common data protection breaches in companies
What is the definition of a data breach?
If a data protection breach is recorded, the company has violated the applicable data protection law. For companies based in Germany, the German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR) apply.
If a company is obliged to appoint a data protection officer and cannot provide an internal or external data protection officer, this alone already constitutes a first data protection breach. The company is responsible for the legal protection of personal data, which can be jeopardized, for example, by hacker attacks or the accidental disclosure of personal data. At the same time, the processing of personal data must comply with data protection regulations.
A breach of data protection can be recorded if personal data is disclosed, manipulated, or destroyed. In these cases, the media often report on data breaches or data leaks.
Whether a data breach must be reported by a company must always be considered on an individual basis. The data affected must be assessed in terms of the risk it poses to the data subject. A notification must always be made if the data breach has caused material, physical, or immaterial damage.
The company does not have a data protection officer
If a company permanently employs more than 20 people with the automated processing of personal data, the appointment of a data protection officer is mandatory.
Many companies that remain below this number of people rely on this rule, but the number of people is not the only factor that determines whether a data protection officer must be appointed. If particularly sensitive data is collected, such as health data, the appointment of a data protection officer is essential. If companies look solely at the number of employees who constantly work with sensitive data, a data protection breach can easily occur.
Regardless of the appointment of a data protection officer, all companies must ensure that they comply with the GDPR and data protection regulations.
The privacy policy is incorrect or does not exist
If visitors can contact a company via its website, a correct privacy policy is mandatory wherever the site requires the provision of personal data. In some cases, however, the privacy policy is missing even though the visitor's IP address, location, or email contact details are requested. Such deficiencies in content automatically constitute a data protection violation.
A privacy policy must always contain full details of what information is collected and how long the data provided is stored. The intended use of the data must also be clear from the privacy policy. The use of simple and generally understandable language is mandatory in the privacy policy. If the company is obliged to appoint an internal or external data protection officer, this person must be listed in the privacy policy.
Data protection breaches in the storing and processing of personal data
Storage of data or disclosure of personal data
A typical breach of data protection occurs when personal data is recorded without a declaration of consent having been obtained in advance. On the internet, an example of this would be when newsletters are sent without prior consent.
If companies use the personal data they have collected to sell it to other companies or to gain some other advantage from the data, this constitutes an intentional breach of data protection regulations, unless these actions have been authorised in advance under data protection law. In most cases, data protection violations in this area are subject to particularly high fines.
Lack of security concerning personal data
These data breaches are frequently recorded in companies. Personal files are lost and can therefore be viewed by unauthorized persons. Reports of this kind can often be found in the media under the heading "data scandals" - in many cases, data access was gained through a hacker attack that was made possible by inadequate security precautions. For large corporations in particular, such a data leak means a catastrophic loss of image and thus a loss of revenue. However, the loss of a storage medium can also expose personal data to third parties and is likewise considered a data breach.
A classic data protection mishap is the sending of circular emails to various subscribers. If the addresses of all recipients are placed in CC instead of BCC, every recipient can see the addresses of all the others, which discloses their personal data. As this happens frequently in companies, internal training should be provided.
Data breaches resulting from personal contact
If a company has collected personal data, the company is also obliged to disclose this stored data to the data subject on request. If a company ignores such an access request or does not respond within a reasonable period, the company controller is in breach of data protection law. In principle, an incoming request should be processed and the information provided promptly.
In many cases, however, it is not sufficient to simply send the requested personal data. In most cases, information on the use of data is also requested to provide the data subject with a comprehensive overview.
The correct utilization of checkboxes on the company's website
Companies like to use and collect personal data for marketing purposes. Consent must be obtained on a legal basis, particularly for contacts who are not yet active customers. These consents are usually requested on a form.
A company must pay close attention to the legal basis - the purpose of the data collection must be precisely stated by the company. The revocability of the consent given must always be pointed out.
A well-designed checkbox clearly states for the user which measures they are consenting to. A checkbox that is already ticked in advance not only reflects poorly on the company's image, but also rules out the active consent of the person concerned.
The data processing controller
In companies, it is often unclear who is responsible for which duties and who is the controller. Many companies use customer databases, payroll accounting, and a marketing newsletter. In many of these cases, an external data processing company uses the data. There is often a lack of clarity about the rights and obligations of the respective parties. To act in compliance with data protection regulations, companies should draw a clear line between the controller and the processor.
If you do not want to risk any errors in data processing, the processing must be carried out on the instructions of the controller. The controller is responsible for the data protection declaration and must also register the designated processor in a record of processing activities. A data processing agreement (DPA) is then concluded with the processor.
The DPA must contain all points from Art. 28 of the GDPR. In particular, the service description must be clearly defined, including which partial service is to be performed by the designated data processing company. Data categories must be listed and subcontractors must also be named. Data security must always remain verifiable.
The controller often does not fully review the technical and organizational measures (TOM). If these are in place, the controller can find out how data processing is organized at the data processing company and what protective measures are taken. If the TOM are not taken into account, the company is overlooking an essential component of a data processing agreement.
Data protection breaches - a summary
Data protection in companies is a complex issue that controllers and employees have to deal with. To avoid damage to their image and the resulting loss of sales, companies should invest in internal training and give employees a feel for the correct handling of personal data. By implementing a training concept, fines and other consequences can be avoided.
No company can claim that it complies with all data protection rules, but it is important to reduce internal and external misunderstandings and ambiguities and always keep an eye on data protection with all its consequences and implications.