„Innovations optimize your receivables management. Subscribe to the atriga newsletter and be the first to know!“
atriga News
Kristin Pagnia, data protection officer at atriga GmbH, in conversation: "Data protection must be actively lived in the company". (2/2)
The example of H&M described in the last newsletter shows quite clearly: the federal and state authorities are getting serious, the grace period for violations of the GDPR is over. Companies should not take the risk lightly. For atriga, this is a matter of course: the Langen-based company took on the challenge of the GDPR at a very early stage and made data protection a top priority: in January last year, the management appointed Kristin Pagnia, atriga’s in-house lawyer for many years, as the new data protection officer (DPO). She replaces an external service provider previously entrusted with this task. We spoke with Kristin Pagnia about the background and opportunities of this decision and got an initial summary.
What were your first steps as atriga’s internal data protection officer?
In the first few months, we examined all data protection processes again and looked to see in which areas we could improve even more. After all, data protection is not only about protecting privacy, it must be actively lived by all players. Our clients and their customers, i.e. the debtors in the collection process, must be sure that they can rely on us when it comes to data protection. This applies equally to our employees, applicants and other stakeholders. Unfortunately, the planned workflow for my first steps as internal data protection officer was thrown into turmoil by the Corona pandemic.
From one moment to the next, atriga sent most of its staff to the home office in March last year. Suddenly, communication was only possible via video conferences. As a result, the focus of my work was initially on issues such as the creation of home office guidelines and the examination of video conferencing providers in terms of data protection. In addition, there were questions of employee data protection in connection with the classic Corona questions of the employer on holiday stays of the employee, stays in risk areas and the use of Corona-related health data.
“Our IT development department works according to the concept of ‘privacy by design’: Data protection requirements are automatically integrated into our solutions and products.”
Kristin Pagnia, in-house lawyer and internal data protection officer at atriga
You are now a ‘Data Protection Officer IHK’, what new things did you learn during the extensive course?
For me as a lawyer, the legal topics were largely repetition. I found it interesting to gain insights into IT topics. So far, I had only dealt with this area in the context of day-to-day business, i.e., in the implementation of projects of the IT department that touched on data protection or legal issues. atriga’s own IT development department works according to the concept of ‘privacy by design’ anyway: Data protection requirements are automatically integrated into our solutions and products. Through the course, I have now worked through many terms or defined them more deeply, which I otherwise did not question in detail or where I only had half-knowledge. With the various lecturers at the Chamber of Industry and Commerce, it was interesting to experience how differently practitioners from different areas approach data protection topics.
How do potential clients recognise how their debt collection partner is positioned in terms of data protection?
As a rule, this can be seen by taking a detailed look at the website. For example, the data protection officer should be named there and a data protection statement should be provided that complies with the requirements of the GDPR. On our website, you can also see that we are constantly training and engaging in the area of data protection. For example, we are a member of the Gesellschaft für Datenschutz und Datensicherheit e.V. (GDD). (GDD) and are also represented there in working groups. We are also members of the data protection working group of the BDIU (Bundesverband Deutscher Inkasso-Unternehmen e.V. – Federal Association of German Debt Collectors) and I am the deputy chairperson of the data protection working group of the Bundesverband Credit Management e.V. (BvCM). (BvCM). In addition, we have repeatedly been certified by large groups as having ‘exemplary data protection’ within the scope of comprehensive DSGVO audits here in the company.
What can happen if you don’t work 100 per cent in accordance with the law in the area of data protection and how drastic the penalties can be can be seen in the case of H&M, among others. Ultimately, it is not only about avoiding fines, but also about protecting the personal data entrusted to you by customers, debtors, employees, applicants and others as best as possible and being a partner you can trust.
Do you have a final tip for clients?
With much pleasure! Clients should take a particularly critical look at the data protection-compliant data collection of their potential service provider in digital communication and dunning processes. Especially when using machine learning or AI-supported processes, there are a number of lurking risks that can have a negative impact on the reputation of your own company.
A look at the website of a debt collection company reveals this:
- Are the name and address of the person responsible mentioned and does the company have a data protection officer?
- Is there a data protection declaration?
- Does the data protection declaration or other information explain what happens to the data when contact is made with the debt collection company?
- Is information provided on the rights and obligations of the parties involved?
