In February of this year the following little story happened: We received an official letter from a representative of the LDI NRW (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia). A Mr. Pascal G. had contacted the authority and complained that he had received an unsolicited newsletter from us on November 07.11, 2019.
Newsletter using the double opt-in procedure - a safe bet
Regarding the procedure: a person can register on our homepage to receive the latest newsletters. On our registration page you only need to enter your surname, first name and an email address, whereby the name can also be an alias or a nickname. Only the email address has to be up to date. In order to avoid misuse, we use the so-called double opt-in procedure. This is done by clicking on the link in the confirmation email that you will receive after entering the email address in the online form. Only then is the respective address actively included in the recipient list. This ensures that it was actually the owner of the email address who consciously registered for the newsletter. If the link in the double opt-in confirmation email is not clicked within a certain period of time, no newsletter will be sent to this address. So safe, so good, we thought.
In the letter from the data protection officer, it was alleged that Mr. G. had asked us three times by fax via his lawyer Piotr Z. to provide information about the storage of Mr. G.'s data. Since we did not react to this, Mr Z. would have switched on the data protection officer. Unfortunately, none of these faxes have been received by us, which has been proven, since we are subject to a retention requirement for every email and every fax.
A poker player and an unlicensed attorney
Sometimes the internet is a great thing. A little googling and you can find numerous blog entries about the machinations of Messrs. G. and Z. Mr G. is a full-time poker player and likes to stay on the German-Austrian border. Mr. Z. has lost his lawyer license and is represented by an even more dubious assessor. It is their trick to warn clubs, small companies and other institutions for alleged data protection violations and to collect fees. So, as we in the Rhineland know how to put it so charmingly: real bastards!
So we had a lot of material to get the data protection officer to smile with an email. Double opt-in, proof of not having received any faxes, some information on the business conduct of Messrs. G. and Z. But - data protection officers don't smile!
So after half a year we received another one and a half page letter with the request to finally make a statement to Mr G., with a copy to the LDI, that we have not saved his data. Failure to do so could result in hefty penalties, which is why we dutifully declared that we had deleted the data that he had entered himself.
The LDI clerk has probably acted correctly, strictly according to the regulations. But how crazy is this new General Data Protection Regulation? Nobody understands it in its entirety, the economy has been burdened with billions and consumers are annoyed. To date, there is no electronic patient file in Germany, a vaccination register like the one that exists in Israel would also fail in our country due to the GDPR. Instead, we are grappling with the permanent cookie craze that makes it difficult to visit websites. The portal "data protection notes" lists using the example of the Märkische Oderzeitung:
“No less than 21“ necessary ”cookies as well as a stunned 216 (!) In the Marketing category make the inclined website visitor doubt the quality and handling of their visual aid”.
Data protection is undoubtedly important, but the current version of the GDPR is a bureaucratic monster that needs to be reformed extensively. Frau von der Leyen should act! Please forgive the joke at the end!
Bernd Viebach