In Germany, the Internet of Things faces several data protection keystones in the shape of TTDSG and GDPR. While TTDSG only applies on a national level, GDPR is mandatory to implement across the EU. Extensive media focus in connection with heavy fines and irritating cookie banners on websites often make us forget that products and applications in smart homes must also be designed in compliance with GDPR. In this blog post, you will learn why this is the case and how good consent management can help prevent penalties.
The following paragraph briefly summarizes the most relevant information, with a detailed explanation below:
GDPR is an EU-wide regulation that makes the protection of individuals with regard to the processing of personal data a fundamental right.
Personal data are, among others, the name, date of birth, e-mail or IP address.
If the processing of data takes place within the framework of controllers or processors established in the European Union, GDPR applies.
Lawful processing of personal data is given, among other things, by the consent of the users.
Non-compliance can result in fines of up to 20 million euros or 4% of the total annual global turnover.
The smart home as part of the Internet of Things collects and processes a large amount of personal data - GDPR therefore also applies here.
Good consent management eliminates the risk of penalties and builds trust.
The General Data Protection Regulation (GDPR) was published on May 4, 2016 and has been in effect since May 25, 2018. It recognizes the protection of individuals with regard to the processing of personal data as a fundamental right. Processing means the collection, recording, storage, adaptation or use of information. Personal data is any information relating to identified or identifiable natural persons. Examples include, but are not limited to, name, date of birth, email or IP address.
GDPR applies if the non-automated, partially automated or fully automated processing of data takes place within the framework of controllers or processors established in the European Union. The actual processing of the data does not have to be carried out in the EU. An exception is made, among other things, if the data is necessary for the prosecution and detection of criminal offenders. Controllers are companies that decide on the purposes and means of processing personal data. Processors are companies that process data on behalf of controllers.
The processing of personal data is only lawful if at least one of the following conditions is met:
The consent of the users is available
Processing is necessary for the performance of a contract or legal obligation
Processing is necessary for the protection of vital interests
Processing is necessary for the performance of a task carried out in the public interest
Processing is necessary for the purposes of the legitimate interests of the controller or a third party
If the processing of personal data takes place unlawfully, any data subject has the right to lodge a complaint with a supervisory authority. On April 28, 2022, the European Court of Justice (ECJ) made the ruling that additionally consumer protection associations are allowed to file a complaint in case of a breach of GDPR. This requires neither a mandate from a consumer nor proof of a concrete violation of the law. If the lawsuit is successful, fines of up to 20 million euros or 4% of the total worldwide annual turnover of the previous fiscal year, whichever is higher, are threatened.
Consent management: The problem turns into an opportunity
In addition to Industrial IoT and autonomous vehicles, the Internet of Things includes the smart home sector. Smart home devices such as networked light bulbs, smart vacuum cleaners or intelligent climate control collect large capacities of data. Some, such as a person's movement profile or location, IP address or heart rate measured on smart watches, fall under the category of personal data. This means that a DSGVO-compliant basis for processing this data must also be created in the connected home.
A much-used option for this is to obtain users' consent by means of consent management. There are some regulations associated with this. Data controllers must be able to prove that the data subject has voluntarily consented to the processing of his or her personal data. If consent is given by means of a written declaration, the request for consent must be executed in an understandable and easily accessible form in clear and simple language and must be clearly distinguishable from other factual circumstances. Finally, the data subject must be able to withdraw consent at any time.
If the regulations are complied with, consent is obtained in a legally compliant, transparent, informed and explicit manner. This eliminates the risk of penalties and builds trust among users. This requires a consent management platform that enables smart home companies to obtain consent from users, enforce it on their devices, and document it for data protection authorities. APOCRAT has developed a Consent Management Platform that meets these needs and enables smart home companies to exploit the full potential of their data. We would be happy to provide you with a consultation in this regard. Learn more about APOCRAT and our solution here.
Sales & Partner Manager: Paul Jelenik
Mobile: +43 676 4636255