has made their assessment of the effects of the GDPR available to us in a guest contribution

The aim of the European General Data Protection Regulation is to strengthen the rights of data subjects and to raise public and non-public awareness of how personal data is handled. In the first few months of implementation, however, it became apparent in many areas that practicable solutions were often lacking - until today. The result is constant uncertainty.

There are also weaknesses in the practical application of the GDPR in the area of networking. Whether trade fairs, congresses, business meetings: the exchange of business cards is customary here to expand one's own network. But what about the information requirements? Do comprehensive data protection notices have to be given at the time of handover? Strict interpretation of the law: obligation to provide information in the event of automated data collection

According to Article 13 GDPR, public and non-public bodies are subject to a comprehensive information obligation when collecting personal data. The person concerned must receive at least the following information:

  • Contact details of the person responsible, his representative and - if available - the responsible data protection officer
  • Purpose of the collection including legal basis
  • in the case of disclosure to third parties, the respective recipients
  • Information on the duration of storage
  • Rights of data subjects
  • Consequences of non-disclosure of the personal data that may be necessary for the conclusion of the contract

The information requirements are therefore very extensive and hardly fit on a single A4 sheet of paper. So do you now have to provide relevant information to the data subject every time you collect and process the data from a business card that you have received? Basically yes.

The simple receipt of a business card, on the other hand, does not justify the obligation to provide information. Only if you want to include the data in your customer file, for example, does a corresponding declaration need to be made.

Based very closely on the text of the GDPR, this means: If you know when you receive the business card that you want to automatically save and process the personal data contained on it, the person concerned must be presented with a corresponding data processing notice and, if necessary, consent must be obtained. A tacit, presumed consent, which could be expressed in the handing over of the business card, is not sufficient.

Less strictly speaking, however, a corresponding note on data processing can be made during the first contact using the data in the business card (e.g. as an e-mail attachment). If the person concerned has been informed of his rights, he can also object to further contact. Legitimate interest can justify contact without prior consent

Article 6 GDPR lists different requirements on the basis of which the automated collection and processing of personal data is permitted. The confusion following the implementation of the EU General Data Protection Regulation was particularly great here. Suddenly everyone said that the consent of the person concerned was always required. In fact, this is not always necessary, even if the personal data processed comes from business cards. Automated collection and processing is permitted under the following conditions:

  1. The personal data is required to fulfill a contract or a service.
  2. The data processor can demonstrate a legitimate interest. Here, however, it is necessary to carefully weigh up whether the legitimate interest actually outweighs the legitimate interests of the data subject.
  3. The person concerned has consented to this. Consent must be clear, informed and, above all, voluntary. It is precisely at the latter point that it often fails. requires e.g. If, for example, a doctor gives consent to the processing of patient data that is required solely for medical care and would refuse the treatment in the absence of consent, there can no longer be any talk of voluntariness. The effectiveness of the declaration of consent expires (which does not mean that the patient data cannot then still be processed). You can find more information about the GDPR and the new Federal Data Protection Act at