AM | 05/18/2018 | Reading Time: 4 Min.
You have probably heard about it already. The GDPR refers to the EU's General Data Protection Regulation, which comes into force on May 25.
From our perspective, data protection should have been regulated at the European level long ago, and more data protection is ultimately always desirable (though resisted by the business sector). For animeMANGA, this does not pose any major issues, as data protection and IT security have always been top priorities.
In accordance with the regulation, however, a few things will be changed.
1.)
This primarily concerns Con, Cosplay, and photos of individuals.
According to Art. 2(1), the GDPR applies to all personal data in a filing system. A filing system, as defined in Art. 4(6), is any structured collection of personal data accessible according to specific criteria, regardless of whether this collection is maintained centrally, decentrally, or organized by functional or geographical aspects.
In our assessment, the display of these photos on the website qualifies as a filing system. Under Art. 6 of the GDPR, consent is required to process this data (which practically covers everything).
The issue with photos lies in the details. A person in a photo falls under personal data (as defined). If a third party uploads a photo of a person, the consent of the photographed individual is still required. If multiple people are in the photo, then consent is needed from each person. It is emphasized that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, take precedence—especially if the data subject is a child. In the current version, this includes all individuals under 16 years of age. Consequently, in such cases, even parental permission is required.
It is currently often argued that the German Art Copyright Law (KUG), under § 22 or § 23, applies. These are exception rules, such as for artistic freedom. However, this interpretation is likely no longer valid under the GDPR or, if at all (under Art. 6 GDPR), must be interpreted "very differently," as the protection of personal data takes precedence (relatively unambiguous). The GDPR is not an "unrestricted right," but it is undeniably very limiting.
For this reason, we will remove the aforementioned photos in their current form.
2.)
Generally, we will explore whether further minimization of personal data is possible.
Update from May 16:
We have decided to no longer process first and last names, as they are inevitably personal data, and even if permission is given, it cannot be ruled out that a person under 16 might register.
Under Art. 6 of the GDPR, this processing is neither necessary for the performance of a contract nor a legal obligation.
Update from May 18:
Upon further consideration, all personal data enabling identification has been removed. We now only optionally display gender. Additionally, email and date of birth are stored for legally justified reasons and regulations. The email serves as opt-in proof, which must be verifiable regardless of age. We consider this a minimal prerequisite for a valid data protection consent declaration. However, we are considering adjusting this storage to align with the statute of limitations under the German Unfair Competition Act (UWG). The date of birth serves for age verification and is necessary under youth protection considerations.
These changes ensure that no direct or indirect identification of a person is possible anymore.
This article was originally published in German. It was translated with technical support and editorially reviewed before publication.