of the next talk at R2R. This is B and Ethereum translating for you. So data, data protection, data trust is important, privacy is important, but how can we do this the right way? And what is wrong about that? So we have two presenters here telling us about this. And this next talk is about the very creative ways of implementing data protection and what we can say about them. So enjoy.

Hey, thank you very much. Welcome everyone to this talk. Hello and good morning. Today we're talking about the data protection wildlife, or, subtitle: now it's getting wild. And we don't want to do this alone, but together with you. My name is Christina. I'm doing things with IT security and data protection, and you can find me on Twitter at css underscore made. We want to have this talk in an interactive way, so you see the link to our pad where you can participate in some voting and some surveys: Is this data protection? Is this art, or can it be thrown out?

Okay, so let's begin with a brief introduction. What's the problem here that we want to have a look at? What you've seen very often, and what usually appears as the first sentence, is "the security of your data is very important to our company." Why is this so cute? Well, for me as a consumer, I don't really care whether it's important to the company or not, because there are laws, there are regulations, and every company, everyone, has to stick to them. So this sentence, "the security of your data is important to us," is a bit of a tell. We usually see it at companies that really do not take care of that. It's just another block of compliance text coming from some text generator, a kind of text template for data protection.

So, on to the wildlife. We brought a few examples for you and we'll go through them, together with Katrin, as long as time permits. These examples were chosen in a mixed way.
Some interesting stuff we found, and together with you we're going to go through them and see whether it is actual data protection, whether it's a kind of art, or whether it is just junk that we can clean up. Okay, so let's dive in. So what do we have here? We have Edeka. We have a data protection consent form. It was so long that they couldn't even fit it onto one page, so there's a second page here. Here you sign your consent, and the next one is an actual approval. So is it consent, is it approval? Is it the same thing? Is it something different? Is it even relevant here? If you look at this, you can see that this is about someone ordering beer. But Christina, do I even need to give consent here? Do I need to actually approve here? So for me, this is art. Do we need this here? No, we don't need this. This is not even necessary. So this is wrong in both ways: I don't need consent here, and I don't need approval here. What we have here is an actual contract. Any personal data we handle here is handled implicitly under the contract. So this kind of form is not even necessary here. So let's have a look at the pad later on together with the herald. Everyone, please have a look at the pad and vote on whether these examples are the one, the other, or the third.

Do you want to continue? Okay. So we have another approval here. And we see these approvals very often in data protection forms and data protection declarations. It's a very nice case here. If you want to look this up on Twitter again, there's a long story behind it. So this is about the approval by the tenant. The tenant approves that data may be passed to contractors. So why are we talking about data protection here? We have a rental agreement.
And part of that is that if something is broken there, I want the owner to actually repair it. And they don't do this by themselves; they usually contract someone for that, and that someone needs to work with personal data. Yeah. So I would say that the contract with the landlord should suffice, because it's obvious that the contractor will need some information to fulfil the contract. I would say they do need to know where they have to go to fulfil the contract, but one way of contacting you would be enough. And yeah, it'd be nice for them to have the phone number. So maybe you need a phone number, maybe you need email. And of course your landlord can also make an appointment for you. Or maybe a postcard. I mean, back then, when there was no email, I know, back in my day... But still, not everyone had a phone number, not everyone had a landline, and still it worked with just a piece of paper in your postbox. So yeah, when someone should come, they will need an address and maybe contact info. And yes, we will assume that the contractors will handle this professionally.

Okay, fax. Let's continue with the funny stuff. For those who maybe can't read it properly: "We want to send you a fax with personal information. To comply with the law, we ask you to confirm to us by fax that only the proper personnel can access the information." But that's not how it works. If you send something to a big company, and there's only one fax number, and I, as a doctor, maybe, send sensitive information about a colleague of mine to this central fax number, I don't know, that's probably not a good idea. On the other hand, who uses fax nowadays? If I have something really important and I have to send it, especially health data or information, I should just use something that's sealed. Or a letter, not a postcard, a letter. And I put it in there.
I glue it closed, and nowadays the post is not using horses and riders anymore. Normally, if you send something away, it's usually there the following day. But this fax, I would say it's art. I don't know. It's definitely culture, and it should probably be kept as a memento at least, as an anecdote that you can talk about. In the meantime, people are voting, and we will continue with a hairdresser.

So the pandemic had some interesting flowers blossoming, especially in terms of creativity in data protection as well. We know that from doctors, but now from the hairdresser as well, because of contact tracing and so on. Now there's a form at the hairdresser. Yeah, so I really like this form, because this is something that each person gets on their own. I think we know it from back then, when restaurants were still allowed to open and they had a signature list, and you could see the last 30 people who signed it, and you knew the next 20 people would also see everything. That was not protecting data, not at all. And then the associations and other official places gave out lists and said those lists are internal lists. So you can have it all in one place, but for the public you should have one piece of paper per person. And here you can see that this is for one person, and what they were signing was not an agreement or something like that; they were just confirming that they are healthy, or mostly healthy. Let's see how reasonable this is, but yeah, one paper per person, one form per person. And there are just a few hints and explanations. And even though the hairdresser has to collect this data, each of the 16 German states still made it clear that as a customer you have to be informed about what will happen with this data. That's part of the GDPR, that you are informed about what happens to the data. And they did it quite well here. They explained why, what the reason for the data collection is, and what rights the consumer has.
But yeah, the nicest thing here is: how long is it being collected and kept? And this hairdresser really said, these rules are changing all the time, and it'll probably be around three weeks. So the people on Twitter said it's probably the most honest information they ever received. And yeah, probably it's about three weeks. Maybe it'll be six, I don't know. But it's mentioned. It's pretty good. It's pretty well done. And in these days, this is honest.

Then we have an example from a school. At first glance, it's funny. At second glance, you really have to consider a few things. So this is an announcement that the replacement plan of a school cannot be published on the Internet anymore; it must not be published anymore. Such replacement plans are important for students; they have to know where they should be at certain times, what they should bring, and maybe already who will be teaching them. So this is a replacement plan for whenever a teacher is sick: who will be replacing them? And some people were certainly thinking about it here, but they only saw the problem, not the solution. So they did not keep thinking. I think we see that very often, that people only see the problem, why something does not work, but they don't really look for solutions that will still keep private data private, for how to still do something, because that's the important point. Just because one version of something is not allowed does not mean that you can't do it anymore, or that data protection will make your life harder. So data protection does not mean you cannot do anything. It just means that a certain version might not work, but maybe you have another solution. So these replacement plans, every one of us knows them; at least people in Germany will know them, parents will know them, or people who still remember their school time.
It's of course very helpful if there's not just one printout somewhere in the school, but if you can actually see it digitally or online, because it's really annoying if you are at school at eight in the morning, or maybe earlier, and then you realize, well, the first lessons will just not happen, I could have slept longer. So it would be nice if you could just go to the website and check what will happen, and then you can do that from home. You do not have to be there, and you're up to date immediately. The problem, of course, is that the names of the teachers are often written in there. With our example, if you just go back for a moment... ah, yeah, we did not put in the proper picture. If it says Hamayah will do class 9a, and this other teacher has some other class, well, it's hard for me to tell, but you could build a profile of when certain teachers are there. Whether that's a problem, I don't know, but do I really need the name in a replacement plan? No, I don't. The basic information I need is: do I have art classes or sports classes today, or does it not happen? Who the teacher is? Nice to know, but is it really necessary? So maybe I can't prepare. Maybe this art teacher is terrible, so I want to know beforehand. Or I'm happy because this sports teacher is great. Or the teacher says, well, today you can just choose what you're doing. But in general, I don't need that information. I just need to know what classes I have, so I can prepare, so I can bring the materials that I need. And yeah, maybe I just shorten the names, or I just leave them out. And what would be great is if I'm not putting it online publicly, but have it in an area that's password protected on the school homepage. That would also be a solution. How we do it doesn't really matter. Of course, I could also put it online in the public space.
If there's only the class and the kind of lesson that's happening or being dropped, if I do not have all the names of the students and the teachers in there, then it doesn't really matter. So of course, I should keep all the names offline. There shouldn't be a replacement list with the names. But if there's just a shorthand for the teachers that the teachers will know, you can add that, of course. But of course, these nicknames for the teachers should never be explained anywhere else publicly. Otherwise, it's just useless. These nicknames are a very classic case of pseudonymization. I'm not using the real name, the full name, but the nickname. So this is something we will talk about some more.

So can we say a few words about pseudonymization, pseudonyms? And don't mix it up with anonymization, which happens quite often. So the trick with pseudonyms is that in a certain context, you know who this is about. You have this mapping here, within that context, and there you have access to the full information. But without this context, for people not in this context, in our example the abbreviation of the teacher's name, the information is not available. It's not possible to get access to this information if you are outside this context. And for me, this is a very nice example. And it also tells me that junk solutions are always junk, independent of data protection itself. So, for example, at our school, there's an overview of the email addresses of our teachers. And if you assume that this list also had all the abbreviations that we then referred to in this replacement plan, then we would have this problem again, because then, outside the context, this information would be accessible. But anyway, everything is better than just taking the paper that was originally printed for the bulletin board and putting it on the Internet. But there are even schools out there who have found a solution with an external app.
And then there is a solution where people have a very large screen at a specific location in the school, and people can see it there. But if there are any very last-minute changes and people don't have the app installed, they have a problem. So, as an advocate for data protection, and as a mother, if the school were telling my kids that they either have to be there physically or have to install one specific app... but then, on the other hand, I have had a look at the app and the app's permissions, and everything looked okay for that one. But as you said, junk solutions are junk. So, as a school, you can't just demand that people install a certain piece of software if this software has some data protection problems. For example, in my class we had a class chat on WhatsApp, but that's what all the pupils, all the kids, set up by themselves. So this is just a private matter; the school has nothing to do with that. But on the other hand, if a teacher or the school itself were to set up a WhatsApp chat, then all hell would break loose, because WhatsApp is considered evil there. So, if the school demands that everybody uses WhatsApp and creates an official channel there, then the data protection officer would have to look into that. In the best case, it's maybe just another junk solution. But let's step away from the specific guidelines for devices and apps.

So, we are almost at the end of our talk here. Let's have a look at a very, very recent case: addresses from parcel services. Maybe a couple of people saw this in Lower Saxony. People above 80 were supposed to be invited for vaccinations. And the local ministry didn't want to do this all by themselves, so they asked an external contractor for that. They asked Deutsche Post. But they said that because of data protection laws, they were not allowed to pass an address list to Deutsche Post.
And so, they asked Deutsche Post to use their own databases. But Deutsche Post doesn't have any information about people's actual age. So, what do you do? They thought that they could derive the approximate age of people from their first names, because certain first names are very common for old people, others for young people. So they just invited people with very old-sounding names. So actually, here the problem was not data protection, but the actual execution. And that people did not think about creating a reasonable solution, or didn't get any advice from someone who could have told them that there are ways to do this the right way. So, I mean, with all this corona stuff, people are always claiming that data protection is preventing this, data protection is stopping that. And in 95% of cases, this is actually not true. This is not about data protection here. There is a law about these registers, and there are actually regulations which literally say that the state is not allowed to pass this data to private companies. But if you look at the execution, it wouldn't have been necessary to give this data to anyone. Because in such a large state as Lower Saxony, there's not just this one ministry; there are several other public offices that would have been able to do that. Because it's quite a difference whether you have to send 2 million letters or just 500 letters. And the counties in Lower Saxony would have been allowed to use this data to invite people for vaccination. So if they had given this some thought, and if the data protection officer of Lower Saxony had been involved, then she would have told people that the counties would have been allowed to do that. Then there wouldn't be any private companies involved. And nobody would have to guess whether Edeltraut is 80 or five.
So again, another case of people just taking the very first solution they could think of, without thinking about whether there are any better solutions. And when things went haywire, then again they told everyone data protection was the cause, which was not the case.

So, we are at the end of our talk here. We have one more example, a very nice thing, and we don't really have to comment on this one. Cookies. Cookies. So, something's happening here. Christina and I looked at that and we thought, well, this can't be true. I mean, it's clear: people need to consent to data being used for tracking. There are a couple of other legal bases that allow you to handle personal data. There's something which is called "berechtigtes Interesse", which is legitimate interest. As a consumer, I can opt out of that. So it's exactly the opposite of consent. A colleague of mine put it this way: with consent, it's ask first, then do; with legitimate interest, it's do first and then ask. It's opt-out. So the problem with that is about marketing, about tracking. We see this here: the switches here, the checkmarks, are always on. And it turns out that in this cookie consent tool, you have to switch off hundreds and hundreds of these checkmarks. This is the website of Welt, which belongs to Springer, and Christina had a look at all the third parties in that list. And it turns out that even the first list, with everything we started with, was not the full list. So I looked at the full list here, and I just thought, WTF.

So, okay, questions. We have a few minutes here, so let's look at the Q&A. Of course, the questionnaire. So, first of all, thank you for the great talk. It was very entertaining. So, let's see.
Number one, consent or agreement or approval: should be disposed of. That was the Edeka example. That was wrong in two ways. Then example two: currently, that's actually data protection. That was the repair services. Well, I think that's interesting, because there's also a story with agencies that were also discussing this. And also, we were talking about this on Twitter with two colleagues of mine, right after the GDPR started. So there was a hashtag the two of them used: X-Files GDPR. And some of our examples are from this collection. And just recently, we thought, well, this is an X-File, because this is insane. But then a colleague from Southern Germany told me, well, I was told that I am not allowed to use this data. So not everyone is of the same opinion here. And that's one of the problems in Germany: a federal system is, in theory, a great idea, but in some areas, especially when it's about a pandemic that affects the whole country, or the whole of the EU, or the whole of the world, it doesn't work if everyone does their own thing. And yeah, of course, there is a data protection minister, but he is not the head of everything. He just handles a few areas, I think health insurance and such things. But each state has their own people who can make their own decisions. And what do you think, how often has it happened to me in my law office that I had to ask people, well, where are you? And I had to think, ah, that's data protection officer such-and-such, who usually sees things in that way. And then I had to adjust my answers. Theoretically, we are one country and everything should be the same everywhere. But that's just theory.

So what about the other examples? The fax. What was that about? It was the agreement to send a fax via fax. First, most people were saying it's art, but then probably it can be discarded. And one person even said fax can be discarded entirely.
For the hairdresser, I think the best answer was: can be disposed of after three weeks. Yeah, it's data protection. So it's data protection that can be disposed of after three weeks. Yeah, that's nice. So this is not an agreement. That's important. People are told they should agree to their personal data being collected and worked with. But if there is a law that insists that people have to collect the data and then dispose of it after four weeks, you do not need an additional agreement. I don't know where this myth came from. I'm sick of people telling me, yeah, I need an agreement, otherwise it's not working. But yeah, it's not like that. Sometimes it's necessary, of course. If you join a newsletter, then of course you have to agree to it. There's no other option. But if you work for someone, you do not have to sign an agreement for your employer to pay your money. She's allowed to do that. She's allowed to use your payment information, your banking information, because there is a contract. Whether you had a free choice, that's another question, because there's a power difference. So if you apply for a job and they tell you, well, you'll get the answer next week, but you certainly agree to join our talent pool, right? So all kinds of data have to be given voluntarily, and where there's a power difference, that can be questionable. And of course, you have to be properly informed.

So example five, that looks very much like art. The school example, well, it is data protection in a way. But the reasoning, "we cannot put this online"... everyone who knows about online thought, well, this is basically art. So art meets data protection. Question: why not a login? Why not a password-protected area? And yeah, that was exactly our question. Well, you could give out a password to the students, and there is software that only lists those changes that are applicable to the person, to the student.
So you don't even need to read everything that's happening in the school; you will only see what's applicable to you. So there are a lot of solutions, and a lot of solutions that are GDPR-compliant. Schools just have to want to do it properly. So the other examples. Example five, something with state-collected data: we could not give the data, the address information, to the mail service. The audience says this is art. I would agree. It's like improv comedy or improv theatre. Definitely. I would watch the movie. But I think we have an art-loving audience here. So the next example; everything is example five now. Tasty cookies. And pretty much everyone agrees that it should be discarded. It's just absurd in many cases, and the sheer amount is insane: the number of parties who have a legitimate interest in the data, which is advertisement in many cases. And we did not even look for the longest one. There are even more than we found or than we showed. It doesn't even work if I reject the cookies. So if I click on reject, does it really keep them from collecting the data? Or is it not like that? Does it even work? Yeah. So sometimes they first collect the data and then they say, well, we have a legitimate interest. And of course you have to understand how ad networks work. They don't work by just turning things off. They are interconnected, and the data will still be collected, yeah. So this whole system is very irrational and just marketing. And of course, cookies in themselves are not evil. Some are even necessary for having the website work properly, and for those you don't have to agree, you don't have to approve. But is advertisement really a legitimate interest? Well, from a legal standpoint, I would really doubt it. And I would assume that if I visit a website and they have a tool for cookies like this, then until I click yes or no, nothing will be recorded.
So nothing, no tracking, should be running until I really click agree or disagree. So whenever we were talking to companies, we told them nothing can happen until that is clicked. And they'd look at me as if that's not possible. And of course it's possible; I've seen people do it. Especially rejecting, that's interesting. Look at it when you visit your next website: there's a green and very nice and big "Yes, agree" button, and yeah, everything. But whenever you want to change something, most of the time you have to click on "further information" or "preferences" or "individual settings". I rarely see "No, I don't want that, reject everything." And when I see that, I'm happy. I'm happy as a data protection officer, and I'm happy as a private person who does not want unnecessary clicks. And yes, you feel respected when you see that. And especially in our context, here at the debug, a small reminder to programmers: this stuff does not magically appear. Somebody programs that. That's the way it is.

Yeah, so we are mostly through. If you want to talk, we are definitely around. And here it will continue at 12:30 with "Solving Problems of the Anthropocene".