Legal & Compliance
🚨 THIS HAS BEEN TRANSLATED
The binding version is in German and can be found here: DSGVO
At Bilendo, data protection has been an important component from the very beginning, both in the development of the software and in the associated storage and processing of data. In the context of the GDPR, we want to present the new regulation and show how data protection is implemented in the company and in the software.
What is the GDPR?
The General Data Protection Regulation (GDPR; in German DS-GVO or DSGVO) is an EU regulation adopted by the European Parliament and the Council in April 2016. After a two-year transition period it applies directly in all member states, including Germany, from May 25, 2018. It replaces the EU Data Protection Directive of 1995. The aim of the GDPR is to improve the protection of the personal data of everyone in the European Union, which means that companies and public bodies are bound by much stricter rules when they collect and process personal data. Compared with the 1995 Directive, the regulation tightens the requirements for data security and data protection, sharply increases the sanctions available against companies that violate it, and further strengthens the rights of data subjects.
To whom does the GDPR apply?
The GDPR applies in all EU member states from May 25, 2018 and binds every company established in the EU. From that date, the 1995 Directive and the national laws that implemented it are superseded by the regulation, which applies directly without further transposition. Whereas the 1995 Directive governed only processing within the European Union by companies established there, the scope of the GDPR is much broader: under Art. 3(2) GDPR it applies equally to companies based in third countries that process the data of persons in the EU in connection with offering them goods or services or monitoring their behaviour.
In summary, this means that the GDPR as a basic EU regulation on the one hand creates a uniform legal framework for all EU members and on the other hand strengthens the data sovereignty of citizens in the European Union, especially vis-à-vis companies based outside the EU.
The complete legal provisions of the new General Data Protection Regulation can be found at DSGVO.
Legal notice
Our website is neither a standard reference work on the European General Data Protection Regulation nor legal advice for other companies, and it is not intended as a guide to complying with the GDPR. Rather, it collects and summarizes the relevant information so that everyone can understand how Bilendo internally handles the legal changes regarding data security and data protection.
This legal information is in no way to be confused with legal advice from a lawyer! We therefore expressly point out that if you require advice on the information provided here, as well as on its correctness and completeness, you must consult a lawyer.
Accordingly, you may not rely on this document as legal advice or as a recommendation for a particular interpretation of applicable law.
The most important changes due to the GDPR
Rights of persons
One of the most important points in the GDPR is the processing and storage of personal data by companies and public bodies. Personal data is understood in the broadest sense to mean any information relating to an identified or identifiable individual.
According to Art. 4(1) GDPR, an identifiable person is "a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Consent to the processing of personal data
The GDPR further tightens the conditions for effective consent by data subjects. Consent is defined in Art. 4(11) GDPR as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". The conditions for consent are set out in Art. 7 GDPR: the request for consent must be formulated in clear and plain language, must clearly describe the purpose of the processing and storage, and must be presented in a manner clearly distinguishable from other matters (Art. 7(2) GDPR). "Hiding" the consent in the general terms and conditions or in the privacy policy therefore does not comply with the GDPR.
In addition, consent must comply with the following principles:
Freely given
Consent must be given freely for one or more specific purposes. Recital 43 explains when consent is not considered freely given, in particular where there is a clear imbalance between the data subject and the controller, or where separate consent cannot be given to separate processing operations although that would be appropriate.
Informed
Informed means that the data subject is clearly told which data are collected, for what purpose, and by whom these data are stored and processed.
Unambiguous
Consent may no longer rest on a passive opt-out: silence, pre-ticked boxes or inactivity do not constitute consent, and an active, unambiguous opt-in is required (recital 32). Recital 42 adds that the controller must be able to demonstrate that the data subject has actually given consent.
Prohibition of tying
The GDPR introduces an explicit prohibition of tying. Under Art. 7(4) GDPR, when assessing whether consent is freely given, utmost account must be taken of whether the provision of a service is made conditional on consent to the collection, storage and processing of personal data that is not necessary for the performance of that service.
Form
The GDPR prescribes no particular form: consent may be given in writing, electronically or orally (recital 32). It must, however, be unambiguously recognizable as a declaration of intent, that is, as an unambiguous statement or a clear affirmative action. The burden of proving that consent was given lies with the controller (Art. 7(1) GDPR, in line with the accountability principle of Art. 5(2) GDPR).
Reference to right of withdrawal
In addition to being freely given, informed and unambiguous, not tied to the service and given in a recognizable form, every consent must be accompanied by a reference to the right of withdrawal: the data subject must be informed, before giving consent, that it can be withdrawn at any time, and withdrawing consent must be as easy as giving it (Art. 7(3) GDPR).
If all of the above points are clearly and unequivocally satisfied, the controller has valid consent to collect, process and store the personal data. It must not be forgotten that this data remains bound to the purpose for which consent was given (purpose limitation, Art. 5(1)(b) GDPR).
At the moment of the effective declaration of consent for the processing of personal data, the company must fulfill its information obligations towards the data subjects.
Obligation of the companies to provide information
With the GDPR, companies must comply with extensive information obligations towards data subjects pursuant to Art. 13 and 14 GDPR. Among other things, they must disclose the identity and contact details of the controller (and of the data protection officer, where one exists), the purposes and legal basis of the processing, the recipients or categories of recipients, the storage period and the rights of the data subject.
This information must be provided at the time of collection in a concise, transparent, intelligible and easily accessible form, using clear and plain language; according to Art. 12 GDPR it is to be given in writing or by other means, including electronic means.
Bilendo provides a detailed privacy policy in this context and thus complies with the duty to inform. The above points can be read in detail in the privacy policy. If you have any questions, please do not hesitate to contact us at datenschutz@bilendo.de.
Rights of the data subjects
In addition to the stricter requirements for legally compliant consent, the introduction of the GDPR has in particular strengthened the rights of data subjects. These include the right of access, rectification, restriction of processing, erasure, notification, data portability, objection, withdrawal of consent and the right to lodge a complaint with the supervisory authority. The most important points are discussed below.
Right of access of the data subjects
If companies or public bodies process personal data, the data subject has the right under Art. 15 GDPR to obtain confirmation whether data concerning him or her are being processed and, if so, access to that data and to information about, among other things, the purposes of the processing, the categories of data concerned, the recipients, the envisaged storage period, the source of the data and the existence of any automated decision-making.
Right to rectification and erasure
The data subject has the right to demand the rectification of inaccurate or incomplete data without undue delay in accordance with Art. 16 GDPR. In addition, Art. 17 GDPR grants the right to erasure ("right to be forgotten"): the data subject may demand that the controller erase the personal data without undue delay if one of the grounds in Art. 17(1) applies, for example because the data are no longer necessary for the purposes for which they were collected, consent has been withdrawn and there is no other legal basis, the data subject has objected and no overriding legitimate grounds exist, or the data have been processed unlawfully.
Under Art. 19 GDPR, the controller must also communicate any rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort, and must inform the data subject about those recipients if he or she requests it. Further information can be found in our privacy policy.
Internal procedures
In addition to strengthening the rights of data subjects, the GDPR places equal weight on the legal regulation of technical measures. For Bilendo as a FinTech company, data protection through technology therefore plays a special role.
Data protection through technology
Compared with the previous German Federal Data Protection Act (BDSG), IT security has gained considerably in importance under the GDPR. A number of new provisions require personal data to be protected by means of IT security: appropriate technical and organisational measures must be in place both when the processing is planned and while it is carried out.
The basis of the technical and organizational measures is found in Art. 5 (1) (f) of the GDPR and is specified in Art. 32 of the GDPR. In addition, Art. 25 GDPR sets out the principles for data protection through technology design and through data protection-friendly default settings. This means that, on the one hand, data protection by technology ("data protection by design") must be ensured and, on the other hand, all default settings must be preconfigured as a data protection-friendly standard ("data protection by default").
Data Protection by Design
Data protection by design is also described as "data protection through technology design". Art. 25(1) GDPR stipulates that technical measures for data protection and data security must already be built in during the development of IT systems and of the data processing that takes place in them, so that the processing is privacy-friendly from the outset. Examples include the ability to enable and disable individual functions or modules, anonymisation and pseudonymisation of personal data, authentication and authorisation, and comprehensive encryption of all data collected.
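As an added example (not Bilendo's code and not part of the original page), the following Python snippet illustrates the pseudonymisation named above together with the caveat that matters in practice: an unkeyed hash of an identifier such as an e-mail address can be reversed by anyone who can guess candidate values, whereas a keyed HMAC can only be recomputed by whoever holds the key, which then becomes the "additional information" that Art. 4(5) GDPR requires to be kept separately. The e-mail addresses, the attacker's guess list and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not real data): one address appears twice so we
# can check that pseudonymisation stays consistent for the same person.
SAMPLE_EMAILS = [
    "anna.mueller@example.org",
    "b.schmidt@example.com",
    "anna.mueller@example.org",
]

# A small dictionary of addresses an attacker might guess or scrape (constructed).
ATTACKER_GUESSES = SAMPLE_EMAILS + ["c.weber@example.net"]


def normalise(identifier: str) -> bytes:
    """Canonicalise before hashing so 'Anna@X ' and 'anna@x' map to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone can rebuild the mapping by
    hashing guesses, so on its own this is not adequate pseudonymisation."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    (Art. 4(5) GDPR) that must be stored separately from the pseudonymised data."""
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def new_pseudonymisation_key() -> bytes:
    """Fresh 256-bit key; keep it in a secrets manager or HSM, never beside the data."""
    return secrets.token_bytes(32)


def pseudonymise_records(emails: List[str], key: bytes) -> List[str]:
    """Replace every identifier in a dataset by its keyed pseudonym."""
    return [keyed_pseudonym(e, key) for e in emails]


def dictionary_attack(pseudonyms: List[str], guesses: List[str],
                      key: Optional[bytes] = None) -> Dict[str, str]:
    """Re-identification attempt: hash every guess the way the data holder did and
    look for matches. Without the key, only the unkeyed scheme can be attacked."""
    table: Dict[str, str] = {}
    for guess in guesses:
        p = keyed_pseudonym(guess, key) if key is not None else naive_pseudonym(guess)
        table[p] = guess
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    keyed = pseudonymise_records(SAMPLE_EMAILS, key)
    naive = [naive_pseudonym(e) for e in SAMPLE_EMAILS]
    print("unkeyed hashes re-identified:", len(dictionary_attack(naive, ATTACKER_GUESSES)))
    print("keyed pseudonyms re-identified without key:", len(dictionary_attack(keyed, ATTACKER_GUESSES)))
    print("keyed pseudonyms re-identified with key:", len(dictionary_attack(keyed, ATTACKER_GUESSES, key)))
```

Two design points follow from this. First, pseudonymised data are still personal data under the GDPR (recital 26), because the key holder can re-identify them; the snippet reduces the attack surface, it does not remove the data from scope. Second, one key shared across datasets lets records be linked across them; using a separate key per processing purpose limits that linkage to what the purpose actually requires.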
Data Protection by Default
The legal framework for "data protection-friendly default settings" is found in Art. 25(2) GDPR, which requires that, by default, only personal data that are necessary for each specific purpose of the processing are collected, stored and made accessible. Settings must therefore be preconfigured in a privacy-friendly way, and only the data required for the purpose of the service are collected. This is the principle of data minimisation (Art. 5(1)(c) GDPR; "data avoidance and data economy" in the former BDSG). The aim is to protect users from defaults that are not privacy-friendly and that they would otherwise have to change themselves.
Technical and organizational measures
The requirements of integrity and confidentiality in the processing of personal data are found in Art. 5(1)(f) GDPR. Suitable technical and organisational measures are required to safeguard these principles; this requirement is implemented in particular by Art. 24 and 25 GDPR as well as Art. 32 GDPR. Technical measures cover the entire processing operation and comprise the physical and technical safeguards that protect the data, such as access control to premises and systems, encryption, logging and backups. Organisational measures, on the other hand, are the rules and procedures that govern the general conditions of the processing, such as staff instructions, role assignments and a need-to-know principle. In addition, Art. 28(1) GDPR stipulates that a controller may only use a processor, and thus transfer personal data to it, if the processor provides sufficient guarantees, including documented technical and organisational measures, that the data will be protected. Within this framework, Bilendo provides its technical and organisational measures as an annex to the contract for commissioned processing. All necessary documents can be found in your Bilendo account.
Contract for order processing
The GDPR also makes processors responsible for processing, storing and collecting personal data in compliance with data protection requirements. Until the GDPR took effect, the legal obligation lay almost exclusively with the client (the controller). To comply with the new provisions, a contract for commissioned processing must be concluded between the controller and the processor in accordance with Art. 28 GDPR. This contract governs the processing that the processor carries out on behalf of the controller.
Under Art. 28(3) GDPR the contract must set out, among other things, the subject-matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, the obligations and rights of the controller, the processor's duty to process only on documented instructions, the confidentiality obligations of its staff, the security measures required by Art. 32 GDPR, the conditions for engaging sub-processors, assistance with data subject requests and with the controller's own obligations, the deletion or return of the data at the end of the contract, and the controller's audit rights.
Bilendo provides the contract for order processing and all required attachments for download in the user account. If you have any questions, please contact your Bilendo contact person at datenschutz@bilendo.de.
Legal obligations as a processor
As a processor, Bilendo fully complies with all legal obligations.
Directory of processing activities
In addition, Bilendo complies with the documentation and accountability obligations of the GDPR by maintaining the records of processing activities required by Art. 30 GDPR. These records are made available to the supervisory authority on request, as required by Art. 30(4) GDPR.
Supervisory authority
Furthermore, Bilendo assures extensive support and immediate cooperation with the competent supervisory authority in accordance with Art. 31 GDPR.
Appointment of a data protection officer
Bilendo has appointed an internal and external data protection officer as a processor pursuant to Art. 37 (1) DSGVO:
Wolfgang Steger (External Data Protection Officer)
Sapporobogen 6-8
D-80637 Munich
Phone: +49 89 21999 80
Florian Kappert (Internal Data Protection Officer)
Fürstenfelder Str. 9
D-80331 Munich
Phone: +49 89 3441321 00
Security and protection of data at Bilendo
As a processor of personal data, Bilendo is aware of its responsibility for the data of its customers and their customers and of the special protection these data require. All data managed and processed in the course of providing the service are stored exclusively in German data centers and remain subject to the GDPR for all further collection, storage and processing. The data of our customers and their customers are located in Frankfurt am Main in a state-of-the-art data center of Amazon Web Services Germany (AWS). This data center is independently certified; the list of certifications is given in the binding German version of this page.
Furthermore, every connection to and from Bilendo is possible only in encrypted form. TLS (often still referred to as SSL) secures the call of the website, the application itself and the transport of data, and the same protection applies to transfers between Bilendo and its service providers. In addition to transport encryption, the app.bilendo.de domain is placed behind Cloudflare, which helps protect the domain's DNS (Domain Name System) records and web traffic against denial-of-service and related attacks. Transport encryption protects data in transit; the protection of stored data and of access to it is the subject of the technical and organisational measures provided as an annex to the contract for commissioned processing.
IT infrastructure
The Bilendo IT organization chart lists all service providers with whom Bilendo works as well as the underlying IT structure used to provide the service. Service providers are selected only after a strict review of their data security and data protection. Bilendo has concluded a contract for commissioned data processing with all partners and service providers in accordance with Art. 28 GDPR. The overview of all companies approved as sub-processors within the meaning of Art. 28(2) and (4) GDPR can be found as an attachment to the contract for commissioned processing. The contract can be downloaded from the Bilendo account.
You can find more information in our privacy policy. In addition, we offer further data protection notices; the links are available in the binding German version of this page.