Data protection is a crucial topic that companies must not take lightly. Especially in the digital age, where cybercrime and data breaches are on the rise, protecting sensitive data is essential. There are various aspects to consider for digital business cards to comply with data protection regulations and ensure user security.
What should you consider regarding data protection and digital business cards?
1. Hosting and Cloud Solutions
Digital business cards are often operated via cloud services. It is important to carefully check where the data is stored. The location of the servers is crucial, as data protection laws such as the GDPR may apply depending on the country where the data is processed. Make sure that the cloud services used have relevant certifications such as ISO 27001 and implement secure technical and organizational measures (TOMs) to ensure data security.
2. Data Encryption
Security measures such as data encryption are essential, especially to protect the data against access by the cloud provider itself. End-to-end encryption ensures that only authorized persons have access to the data. Encryption that is enabled out of the box, without extra configuration, is ideal: it minimizes the likelihood of data leaks and ensures that no unauthorized access is possible.
3. Cookies and Tracking
Digital business cards should not use marketing or tracking cookies that send data to third parties or the provider. These cookies can collect personal data and put the business card owner in a legally precarious position. Opt for a solution that does not require consent via cookie banners by using only technically necessary cookies. This eliminates annoying pop-ups, allowing the user to focus on the main goal, exchanging contact information.
4. Consent to Data Use
If personal data is collected through the use of the digital business card (e.g., through contact generation forms), a transparent and easy-to-understand privacy policy must be available. Consent to data use should be obtained through an opt-in solution (e.g., checkbox) that allows users to actively agree to or decline data processing. Ideally, you have the option to embed your own privacy policy.
5. Data Processing Agreement (DPA)
A DPA is essential when an external service provider is involved in the processing of personal data. The agreement regulates which data is processed, how security is ensured, and the rights and obligations of both parties. It should be ensured that the DPA meets the requirements of the GDPR and is regularly updated.
6. Technical and Organizational Measures (TOMs)
To ensure data security, technical and organizational measures must be implemented. This includes the use of firewalls, regular security updates, access controls, and training employees on handling sensitive data. Protecting against unauthorized access, such as through multi-factor authentication, is also important.
7. Legally Required Content
Any publicly accessible digital business card must contain legally required information such as an imprint and a privacy policy. These contents should be individually adapted to the company's guidelines and regularly reviewed to ensure ongoing legal compliance.
8. Privacy by Design
"Privacy by Design" means that data protection is integrated into the design of the digital business card from the beginning. This includes the use of minimal data requirements and strict access control. "Privacy by Default" ensures that the default settings of the business card are privacy-friendly and that the user must actively agree before additional data is collected.
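The following is an added example, not code from the original article or from any business card provider, showing how points 4 and 8 fit together in a contact-form handler: consent is only accepted as an explicit opt-in, the record keeps just the allowlisted fields (privacy by design), and any additional purpose such as a newsletter is off unless the user switched it on (privacy by default). All field names, the policy version and the sample submissions are constructed assumptions.

```python
"""Added example (not from the original article): a consent-gated, data-minimizing
contact-form handler for a digital business card. Field names, policy version and
sample submissions are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Privacy by design: only the fields strictly needed to return a contact are kept.
# Anything else the browser sends is dropped rather than stored.
ALLOWED_FIELDS = frozenset({"name", "email", "company"})

# Version of the privacy policy the user agreed to. It is stored with every consent
# record so that a later policy change does not silently cover earlier submissions.
PRIVACY_POLICY_VERSION = "2024-01"  # constructed placeholder


@dataclass
class ConsentRecord:
    policy_version: str
    granted_at: datetime


@dataclass
class ContactLead:
    data: dict
    consent: ConsentRecord
    # Privacy by default: the optional newsletter purpose is off unless the user
    # actively enabled it in the form.
    newsletter: bool = False


class ConsentMissing(ValueError):
    """Raised when the submission carries no explicit opt-in."""


def process_contact_form(form: dict, now: Optional[datetime] = None) -> ContactLead:
    """Validate a submitted form and return the minimized, consent-backed record.

    `form` is the raw field mapping from the HTTP request (constructed here).
    The consent checkbox must be actively ticked (opt-in); a missing value is
    treated as refusal, never as tacit agreement.
    """
    if form.get("privacy_consent") != "on":
        raise ConsentMissing("explicit opt-in to the privacy policy is required")

    # Data minimization: keep only allowlisted, non-empty string fields.
    minimized = {k: v.strip() for k, v in form.items()
                 if k in ALLOWED_FIELDS and isinstance(v, str) and v.strip()}
    if "email" not in minimized:
        raise ValueError("an email address is needed to return the contact")

    consent = ConsentRecord(
        policy_version=PRIVACY_POLICY_VERSION,
        granted_at=now or datetime.now(timezone.utc),
    )
    # Separate opt-in for the additional purpose; defaults to False.
    newsletter = form.get("newsletter_opt_in") == "on"
    return ContactLead(data=minimized, consent=consent, newsletter=newsletter)


if __name__ == "__main__":
    # Constructed sample submissions
    good = {"name": "Ada", "email": "ada@example.com", "company": "ACME",
            "phone_private": "+00 000", "privacy_consent": "on"}
    print(process_contact_form(good))  # phone_private dropped, newsletter False
    try:
        process_contact_form({"email": "bob@example.com"})
    except ConsentMissing as err:
        print("rejected:", err)
```

The important design choice is that the consent check runs before anything is stored, and the stored record carries the policy version and timestamp, which is what lets you later demonstrate which policy text a given contact actually agreed to.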
9. Email Sending via Digital Business Cards
If the digital business card sends emails on behalf of your company, it is crucial to integrate your own email service (e.g., via SMTP) securely and over an encrypted connection. This ensures that emails are actually sent from the official company address and not via the business card provider's server, reducing risks to data protection and authenticity.
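As an added example (not code from the original article or from any provider), this is how a card service can hand mail to the company's own SMTP server over an encrypted, certificate-verified connection so that the message leaves from the official company address. Host, port, user and sender address are constructed placeholders; in practice they would come from configuration.

```python
"""Added example (not from the original article): sending a business-card email
through the company's own SMTP service with STARTTLS and certificate verification.
SMTP host, port, user and sender below are constructed placeholders."""
import smtplib
import ssl
from email.message import EmailMessage

# Constructed placeholders for the company's own mail service
SMTP_HOST = "smtp.example.com"
SMTP_PORT = 587                # submission port, upgraded to TLS via STARTTLS
SMTP_USER = "cards@example.com"
SENDER = "cards@example.com"   # the official company address the mail must come from


def make_tls_context() -> ssl.SSLContext:
    """Return a TLS context that verifies the server certificate and hostname.

    Using the default (verifying) context is what prevents a mis-routed or
    intercepted connection from reading the credentials and the mail body.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Check the safe defaults explicitly rather than assuming them.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context must verify certificates and hostnames")
    return ctx


def build_card_message(to_addr: str, card_url: str) -> EmailMessage:
    """Compose the notification with the company address as sender."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = "Your digital business card"
    msg.set_content(f"Here is the card you requested: {card_url}\n")
    return msg


def send_card(to_addr: str, card_url: str, password: str) -> None:
    """Connect, upgrade to TLS, authenticate and send.

    If the server offers no TLS or its certificate fails verification,
    starttls() raises and nothing (including the password) is transmitted.
    """
    msg = build_card_message(to_addr, card_url)
    ctx = make_tls_context()
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        smtp.login(SMTP_USER, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Only the offline parts are exercised here; send_card() needs a real server.
    print(build_card_message("recipient@example.org", "https://example.com/card/1"))
    print(make_tls_context().verify_mode)
```

Keeping the password out of the code and in the environment or a secrets store is assumed; the point of the block is that login and sending only ever happen after the TLS upgrade has succeeded.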