atriga News

Kristin Pagnia, data protection officer at atriga GmbH, in conversation: "Data protection must be actively lived in the company". (1/2)

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) imposed a fine of 35.3 million euros on the Swedish fashion company H&M last autumn. According to the authority, since 2014 H&M had been collecting data on the private circumstances of employees at a service centre with several hundred employees. The data was stored on a network drive to which up to 50 managers had access. Due to a configuration error, the data became visible company-wide in 2019. The supervisory authority then ordered a ‘freeze’ and the handover of the data carrier. The Hamburg State Data Protection Commissioner, Prof. Dr. Johannes Caspar, classified the violation as follows: “This case documents a serious disregard for employee data protection (…). The fine imposed is accordingly appropriate in its amount and suitable to deter companies from violating the privacy of their employees.”


This example clearly shows that the federal and state authorities are getting serious and that the grace period for violations of the GDPR is over. Companies should not take this risk lightly. For atriga, this is a matter of principle. The Langen-based company took on the challenge of the GDPR at a very early stage and made data protection a top priority: in January last year, the management appointed Kristin Pagnia, atriga’s in-house lawyer for many years, as the new data protection officer (DPO). She replaces an external service provider previously entrusted with this task. We spoke with Kristin Pagnia about the background and opportunities of this decision and took initial stock.

“Switching from an external to an internal data protection officer provides the opportunity to be closer to the company, the employees and the issues.”



Kristin Pagnia, in-house lawyer and internal data protection officer at atriga

What are the advantages of an internal data protection officer?

Kristin Pagnia: The change from an external to an internal data protection officer offers the opportunity to be closer to the company, the employees and the issues. For example, I can organise data protection training courses in a completely different way if they are designed precisely to meet the requirements of the individual departments and if I combine collection expertise with the requirements of European data protection. As an internal data protection officer, you also have the task of advising and training. It is a great challenge to anchor data protection in the company in such a way that it is recognised as a matter of course by every superior and employee and is seen as an opportunity.


What is the reason for choosing an internal DPO?

Every company is free to choose whether to have an internal or external DPO. We decided to switch to an internal solution because atriga continues to grow strongly. The tasks that arise in the area of data protection are too extensive to outsource them. An internal DPO is on site and can be integrated into the processes in a completely different way than an external DPO who also works for other companies.


What are the particular data protection challenges of the debt collection industry?

The debt collection industry receives thousands of data records every day. It is responsible for the personal data of debtors and clients. This is data that must be handled very sensitively and where there must be no data mishaps. In addition, the debt collection industry often works together with credit agencies, for example to credit debtors. Compliance with the GDPR is essential in this area as well. And the principle of data economy always applies everywhere: extract the maximum amount of information from a minimum amount of data, while complying with the extensive information obligations towards all persons involved.


In the next atriga newsletter on 30 August 2021, you can read, among other things, how clients can tell how their debt collection partner is positioned in terms of data protection.
