It is not uncommon for the police to contact companies in order to clarify facts. In doing so, the authorities request video surveillance recordings, IP addresses, the name of the driver of a company car, or similar personal data. But when is disclosing such information compliant with data protection law?
The checklist below sets out the steps you need to work through before you disclose personal data to the police or other authorities.
1. Identification of the requesting authority
Before you even examine the requested data, first identify the requesting authority. This is not an obligation under the GDPR but a self-protection measure: if your company is later accused of an unauthorized transfer (a data protection breach), you must be able to prove under which circumstances the transfer took place and that it was compliant.
Establish a company-wide rule that no information about personal data is given out over the phone. For written requests, employees should verify the sender carefully, ideally by confirming the request through a contact route obtained independently of the request itself (for example the authority's published switchboard number) rather than through the contact details printed in the request. Every communication must be documented.
2. Verification of the request for information
As the controller, you must then check whether the requesting authority is entitled to demand the data at all. A request for information must always rest on a legal basis. This can be a court order, a request from the public prosecutor's office, or a provision of the Code of Criminal Procedure (StPO), together with a brief justification or description of the facts.
At this point, be sure to involve your data protection officer alongside the legal department or a comparable function. He or she can quickly identify the risks involved and advise you accordingly.
3. Review of the legal basis
Under Art. 5 GDPR (the lawfulness principle), processing may only take place if a legal basis permits it. The transfer must therefore be justified under Art. 6 GDPR or, for special categories of data, Art. 9 GDPR.
a. Art. 6(1)(c) GDPR: legal obligation
The controller may transfer data where a legal obligation requires it to do so. If, for example, the police request information on the basis of the Code of Criminal Procedure, the company is generally obliged to provide it within the limits set by the StPO. However, some requests are voluntary rather than binding, and rights to refuse to testify may apply; in such cases there is no obligation on which lit. c could be based, and the transfer needs a different justification.
b. Art. 6(1)(f) GDPR: overriding legitimate interests
Otherwise, the disclosure may be justified by overriding legitimate interests. Recital 50 GDPR states that indicating possible criminal acts or threats to public security to a competent authority, and transmitting the relevant personal data to it, is a legitimate interest of the controller. The balancing of interests that lit. f requires must still be carried out and documented for the individual case.
c. Art. 9 GDPR: special categories of personal data
If the requested data falls into a special category under Art. 9 GDPR, the higher level of protection must be observed. The German legislator has, however, made use of the opening clause in Art. 9(2)(g) in conjunction with Art. 9(4) GDPR and created Section 4(3) BDSG. Among other things, this provision regulates the disclosure of recordings from video surveillance of publicly accessible spaces for the purpose of law enforcement. Other video surveillance, such as of internal company areas to which only employees have access, is not covered by it.
Here, too, the data protection officer should always be consulted in the individual case.
4. Disclosure and documentation
If data is ultimately released, this too must be documented.
When disclosing, pay particular attention to the principle of data minimization: limit the material to what the request actually covers and redact the rest (for example, cut a recording down to the relevant time window and black out persons who are not involved). Technical and organizational measures must also protect the data during the transfer itself. Document every step of the checklist and the company's procedure in detail.
In the area of data protection in the company, it is important to create uniform guidelines that are followed every time personal data is handled. These guidelines, like the checklist explained here for dealing with requests from authorities such as the police, must be known to all employees. Regular training of all employees is essential.
Involving the data protection officer also simplifies the procedure and prevents many a data protection violation. The data protection officer should be carefully selected and regularly trained. It often makes sense to appoint a professional external data protection officer.
Are you looking for an external data protection officer, or do you otherwise need help in the area of data protection (e.g. online employee awareness training or live training courses tailored to your company)? Contact us! Our team of experts looks forward to hearing from you.