You can no longer escape it. As of May 25, 2018, new data and privacy legislation the General Data Protection Regulation (GDPR) will apply throughout the EU. Better known in the Netherlands as Algemene Verordening Gegevensbescherming (AVG) and in Germany as Datenschutz-Grundverordnung (DSGVO). Previously, there were differences between member states in terms of data and privacy laws; the GDPR largely puts an end to this. However, member states can make their own interpretation on various points. As a result of the new legislation, things have become a lot easier legally in the EU, but because of the member states' own interpretations, you still have to pay attention when you operate internationally. Crossborder e-commerce is therefore still not as easy as we would like. Unfortunately, it is impossible to give unequivocal advice because it depends on the type of organization and the industry in which you operate. To avoid the danger of an Abmahnung (fine), we advise you to get the front end of your website (what consumers see) in order immediately.
Netherlands AVG vs. Germany DSGVO
For most organizations selling to German consumers from the Netherlands, the AVG will apply. Unfortunately, there are quite a few exceptions that mean you must also comply with the DSGVO. There is a whole list of differences between the Dutch and German interpretation of the new law. If you haven't already done so, get informed by a legal expert as soon as possible. When you sell to German consumers, you come into direct contact with the points below. These differ from what you have on your Dutch website:
- cookie use,
- permission age,
- Personal Data Authority and FG, and
- Datenschutz & Impressum.
Cookie Usage
Regarding cookie legislation, we have good news! Germany is often just a bit more conservative than the Netherlands, but not when it comes to placing cookies. Very nice for the marketer! In the Netherlands it is mandatory to ask permission before placing a cookie. Germany is a bit more generous in this regard. You may place a cookie as long as you inform the website visitor and refute the use of the cookie in the Datenschutz. So you can actively set a cookie, which makes you much less restricted in measuring Web statistics and retargeting campaigns. Although the use is not directly covered by the AVG, but it is related to the front end of your website and data usage.
Minimum age
Broadly speaking, general legislation regarding a direct offer to a child sets a minimum age of 16. Member states can choose a different age, but not below 13. The Netherlands maintains the minimum age of 16. In Germany it is 2 years higher, namely 18 years, but with the exception of sufficient insight into the meaning and scope of the statement issued. If you as an organization specifically target children, among other things, you must make reasonable efforts, taking into account available technology, to verify that the person meets the age limit or that the child has permission from a parental responsible party.
Personal Data Authority
In some cases, as of May 25, organizations are required to appoint a Data Protection Officer (FG). The FG oversees the application of and compliance with the law within an organization. In the Netherlands, the Data Protection Officer must register with the Personal Data Authority, which is one institution. EU member states may name situations other than the Netherlands in which an FG is mandatory. Germany also has one institution the Bundes-Datenschutzbeauftragter for the Federal Republic, but in addition 16 institutions for the federal states (Landes-Datenschutzbeauftragte). Depending on the type of company, a company must also register its FG in Germany or appoint an FG specifically for Germany.
Datenschutz and Impressum
Your current Datenschutzerklärung (privacy policy) and Impressum (colophon) of your German-language website need an update due to the new legislation. Have this carried out by a German lawyer or jurist to ensure compliance with European and possibly specific German legislation. The content of the Datenschutz [and Impressum] depends on the need according to quantity and nature of the data to be collected and processed and the necessity to protect the persons concerned from unwanted use of their personal data. Issues that determine the content of the Datenschutz [en Impressum] include what data you collect and what you do with it, what payment methods you use and how you use social networks. Suppose you collect e-mail addresses via your website for the newsletter, then the Data Protection Statement must include what you will use the newsletter for and how people can unsubscribe.
Dexport helps you legalize your website
Each company is unique in terms of its organization and operations. Based on the specific handling of personal data, we prepare the necessary documents. This means, that the privacy statement for the German website is made on the basis of the DSGVO. Would you like more information regarding your own Datenschutz and Impressum?
