FOM software must be DSGVO-compliant, otherwise organizers run legal risks. What is important in detail?

A guest article by Stephan Schmidt, specialist lawyer for IT law, TCI Rechtsanwälte Mainz

Data protection! In most organizations, this is probably one of the least loved topics. And yet it must be dealt with, if only for reasons of legal security. Data protection is also a key issue in relation to FOM software, because failure to do so can lead not only to consequences under data protection law, but also to the contestability of assembly resolutions.

Legal basis

Organizations need at least two legal bases to conduct an FOM:

First, the legal basis for the implementation of an FOM per se. This has been created by the so-called Corona Act(Section 32 (1) sentence 1 of the German Civil Code). This makes FOMs legally permissible, even without a corresponding provision in the Articles of Association. Since the Corona Act is limited in time until August 31, 2022 and the legal situation has not yet been clearly clarified thereafter, the Articles of Association should nevertheless be adapted for future FOMs.

In addition, organizations still require a basis under data protection law, which usually results from Art. 6 DSGVO. Various legal bases can be found here, such as the legitimate interest of an organization or the fulfillment of a contract. For example, an association can argue that the members of the association have certain participation rights from their membership, and that the FOM therefore serves the fulfillment of the contract.

Shopping or do it yourself?

That's the first question FOM organizers have to ask themselves when it comes to software. For data protection reasons, it would perhaps be best if we all set up our own IT solutions tailored to our needs. In practice, however, most companies, clubs and associations do not have the personnel, technical or financial capacity to do this. So this question has already been answered for the majority of FOM Magazine readers.

Selection of a software provider

For the implementation of the FOM, the organizer usually has to transmit participant data to the software provider, unless it is a solution that the organizer also operates and hosts itself. When transferring and processing participant data, compliance with the GDPR must always be ensured. There is therefore a whole range of data protection considerations when selecting a provider.

Company headquarters of the provider

A central question is the corporate domicile of the provider. Depending on how the contract for the use of a service is structured, it is difficult to see what happens to the data and where the data may be forwarded.

Providers from the European Economic Area (EEA) are basically unproblematic with regard to the registered office. They are subject to the GDPR and are considered "safe" in terms of data protection law.

Safe third countries are also unproblematic, and currently include Great Britain, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Providers from all other third countries are problematic, including the USA.

Long story short: Most organizations should choose a provider from an EEA state or a safe third country. Otherwise, you get yourself into too many problems.

If you are interested in the details, you can read on here. Otherwise, you can jump directly to the next item "Data center".

Problems with unsecure third countries

The transfer of personal data to third countries is only permitted if it can be guaranteed that an adequate level of data protection exists in the destination country.

Such additional guarantees are, for example, technical solutions such as encryption and/or contractual guarantees. Various providers have included provisions in their data privacy agreements that regulate matters such as data requests or claims for damages. Whether these additional guarantees are sufficient has not yet been decided by the courts.

One potential way out is to use EU standard data protection clauses published by the EU Commission in July 2021. But here, too, there is still uncertainty, as there is little experience to date of how courts deal with lawsuits against these standard clauses.

In addition, for suppliers from third countries, an assessment of the legal system of that third country may be required (Transfer Impact Assessment, TIA). This is not practical for small companies or associations, as they do not have the capacity or budget to assess the legal system of a third country.

In addition, there are further difficulties: For example, one must be able to justify why one uses a provider from a third country, although there are alternatives in the EEA or in safe third countries. The lower price alone is not sufficient as a criterion.

You may also need to obtain consent from participants for data to be transferred to third countries. However, this consent can be revoked at any time. Particularly in the case of FOMs, you would then be faced with the problem of not being able to hold the meeting if participants with participation or voting rights do not give their consent or revoke it.

Another option would be to choose a platform provider in the EEA area and then rely on individual services from third countries, such as encrypted video functions.

Data center

In addition to the company headquarters, the location of the data center used is also crucial. You should also ask about the data centers of the subcontractors (for example, AWS or Google Cloud) and the content delivery networks, because this is where third-country transfers are sometimes hidden.

Technical features

From a data privacy perspective, software should allow certain settings:

Rights and roles: Of course, not every participant should have the same rights, such as the organizer.

Privacy-saving settings: These are, for example, the encrypted transmission of data or the use of passwords for meeting rooms.

Sound and images of participants: Should be turned off by default upon entry

Technical/organizational measures: Ideally, the provider can demonstrate ISO certification, e.g. based on ISO 27001, ISO 27018, or Common Criteria in accordance with ISO 15408. This saves the organizer audit effort.

Third-party providers: Which third-party providers (tools) are used or can be used?

Telemetry data: Where are telemetry and usage data transmitted to? What are they used for?

Background: Are insights into the private environment possible or can the background be hidden without problems?

Further processing: Is it ensured that no information of a contract partner protected by confidentiality agreements is processed in the web-based service?

Votes & Elections: How is voting done? Are secret ballots possible? How is the vote documented?

Deletion of the data: What happens to the data after the virtual event? When is data deleted and how is deletion confirmed?

Paperwork

Another topic that you certainly like to deal with: Bureaucracy!

Consent

Once a provider has been found, the data protection officers must give their consent. If employees participate in the meeting, the works council or personnel council must also be involved(Section 87 (1) no. 6 BetrVG).

Order processing contract

Part of the contract with the respective software provider must be an order processing contract. This regulates how the data is handled: How will they be recorded and stored, when will they be deleted, how will data queries be handled?

The contract is concluded only with the main contractor, who must then in turn take care of the compliance of its subcontractors.

Data protection impact assessment

If sensitive data is obtained for FOM (for example, financial data), a data protection impact assessment may have to be carried out. This is to describe, assess and mitigate risks to the rights and freedoms of participants.

Data protection notice according to Art. 13 DSGVO

If applicable, you may need to send out privacy notices that educate participants about how data is processed, for example, which provider they use, where it is located, and when data is deleted.

You should only inform in these data protection notices, but not obtain consent "in the data protection notices", because such consent can be revoked at any time and you also do not legally need consent in data protection notices, which after all are only intended to inform about the circumstances under data protection law.

Directory of processing activities

The selected tool must be included in the register of processing activities.

Advertising consent

You can request further data based on consent, e.g. an advertising consent for sending a newsletter. However, the consent must not be linked to the permission to participate in FOM. For such consents, you usually need a double opt-in.

Preparation and implementation

Data economy

During the preparation of the FOM, you should only ask for the data that you really need for the implementation. For example, you should not ask for the date of birth if there is no age restriction for the FOM. Keep the data query as streamlined as possible.

Lists of participants

Participant lists may only be viewed and managed by authorized persons. Again, the assignment of roles and rights in the tool and in a separate participant registration is important for this.

You should also ensure that only authorized persons receive invitations and that lists of participants are not publicly viewable. In addition, the list of participants may only be published if the participants have expressly consented.

Requests to speak

During the meeting, other participants may have a legitimate interest in knowing the identity of the respective questioner, but there is no legal obligation to disclose it.

A possible solution is that you explain the handling of questions in the invitation and the data protection notices and also refer to the right to object to being named in individual cases in accordance with Art. 21 (1) DSGVO.

Image and sound recordings

Image and sound recordings are only permitted after the consent of those being recorded. Participants must be clearly informed about recordings in which they may be visible and before this recording begins (even if this is only the case for questions).

Consent must not be mandatory for FOMs, i.e. participation must also be possible without admission.

A possible shortcut

Do you feel overwhelmed by all these requirements? Don't worry, it's not just you.

Finally, though, the good news is that you can solve most challenges simply by choosing the right provider to deliver them an all-in-one DSGVO-compliant package. Even in this case, however, you should still check the details, because ultimately, as an event organizer, you are responsible for the data protection of your FOM.