The most important facts at a glance
- Data protection is a top priority: The responsibility for complying with the GDPR lies with management and cannot be delegated.
- Preventive measures save costs: Systematic data protection measures prevent expensive fines and reputational damage.
- Continuous adaptation required: Data protection is not a one-time project, but requires regular review and updating.
Why data protection is indispensable for companies
In today's digital business world, data protection measures within a company are no longer just a legal obligation, but a crucial competitive factor. Since the General Data Protection Regulation (GDPR) came into force, companies have faced the challenge of rethinking their data processing activities and ensuring legal compliance.
Understanding and applying legal principles
The GDPR as a foundation
The General Data Protection Regulation forms the foundation for all data protection measures in European companies. It is supplemented by the Federal Data Protection Act, which contains specific national regulations. Article 5 GDPR defines the principles for the processing of personal data:
Lawfulness, fairness and transparency: All data processing must be based on one of the legal grounds listed in Article 6 GDPR. The most common are consent, performance of a contract, legal obligation, and legitimate interests.
Purpose limitation: Data may only be collected for specified, explicit, and legitimate purposes. Subsequent use for other purposes is generally not permitted.
Data minimization: Only data that is necessary for the respective purpose may be processed. This principle compels companies to critically review their data collection practices.
Principle of Accountability: Demonstration of Compliance
The principle of accountability enshrined in Article 5(2) of the GDPR is particularly significant. Companies must not only act in compliance with data protection regulations but also be able to demonstrate that they have taken all necessary measures. This principle makes comprehensive documentation of all data protection activities essential.
Technical and organizational measures
Fundamentals of Technical Security
Article 32 GDPR requires controllers and processors to implement appropriate technical and organizational measures. These must ensure a level of security appropriate to the risk.
Encryption and pseudonymization are the primary focus here. Modern encryption methods such as AES-256 should be implemented for both data transmission and data storage. Pseudonymization reduces risk by separating identifiers from the actual data records.
Access controls must ensure that only authorized persons have access to personal data. This includes both physical access to servers and workstations and logical access to IT systems.
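Pseudonymization as described above, as an added example that is not part of the original article: direct identifiers are replaced by a keyed HMAC token, and the mapping back to the identifiers is stored separately from the working data set, so the records alone no longer identify anyone and re-identification needs both the key and the separately protected lookup store. The sample records and the `Pseudonymizer` class are constructed for this illustration.

```python
import hmac
import hashlib

# Constructed sample records; the people and values are invented.
RAW_RECORDS = [
    {"customer_id": "C-1001", "email": "a.mueller@example.org", "purchase": 149.90},
    {"customer_id": "C-1002", "email": "b.schmidt@example.org", "purchase": 29.00},
    {"customer_id": "C-1001", "email": "a.mueller@example.org", "purchase": 12.50},
]

# Fields that directly identify a data subject and must leave the working data set.
IDENTIFIER_FIELDS = ("customer_id", "email")


class Pseudonymizer:
    """Replaces direct identifiers with a keyed pseudonym (HMAC-SHA256).

    The key and the pseudonym-to-identifier table are the 'additional
    information' that must be kept separately from the pseudonymized records.
    """

    def __init__(self, key: bytes):
        self._key = key  # belongs in a key store, never next to the data
        self._lookup = {}  # pseudonym -> identifying fields, stored separately

    def pseudonym(self, identifiers: dict) -> str:
        # Keyed hash: a plain hash of an e-mail address can be reversed by
        # hashing candidate addresses, so the secret key is essential.
        msg = "\x1f".join(identifiers[f] for f in IDENTIFIER_FIELDS).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymize(self, record: dict) -> dict:
        identifiers = {f: record[f] for f in IDENTIFIER_FIELDS}
        token = self.pseudonym(identifiers)
        self._lookup[token] = identifiers
        # The working record keeps only payload data plus the pseudonym.
        out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
        out["subject"] = token
        return out

    def reidentify(self, token: str):
        """Controlled re-identification, e.g. to answer a data subject
        request; requires access to the separately protected lookup store."""
        return self._lookup.get(token)


def pseudonymize_all(records, key):
    """Pseudonymize a batch and return (working set, separate lookup store)."""
    p = Pseudonymizer(key)
    return [p.pseudonymize(r) for r in records], p
```

The same subject always receives the same token under one key, so the pseudonymized records remain linkable for analysis, while a different key produces unrelated tokens.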
Organizational security measures
Organizational measures are often underestimated, but they are just as important as the technical components. These include:
Employee training: Regularly raising awareness among all employees about data protection topics is essential. Training should not only take place upon hiring but continuously.
Incident response procedures: Companies must establish procedures for handling data breaches. The GDPR requires that such breaches be reported to the supervisory authority.
Data protection impact assessment (DPIA): A DPIA must be carried out for processing operations that entail a high risk to the rights and freedoms of natural persons.
Technical and organizational measures (TOM)
| Measure | Technical | Organizational |
|---|---|---|
| 1. Physical access control | Chip card locking system, security doors, light barriers, video surveillance, code lock | Visitor logging, key chip list, role-based server room authorizations |
| 2. System access control | User/password authentication, anti-virus software, smartphone encryption, USB locking | User profile management, password rules, verified cleaning staff |
| 3. Data access control | Role-based authorization concept, data carrier encryption, access logs | Minimum number of administrators, regulated assignment/withdrawal of rights, certified data destruction |
| 4. Transfer control | VPN, firewall, e-mail encryption | Documentation of recipients and deletion periods |
| 5. Input control | Logging of all data entries/changes/deletions | Individual user names, documented instructions, authorization concept |
| 6. Order control (commissioned processing) | – | Careful selection of contractors, ongoing review, DP contracts in accordance with Art. 28 GDPR, monitoring rights, employee obligations |
| 7. Availability control | Outsourced data backup (STRATO AG data center) | Backup & recovery concept, tested data recovery |
| 8. Separation requirement | Separate production/test systems, logical client separation | Authorization concept, defined database rights |
| 9. System resilience (load capacity) | Load distribution across parallel systems, regular updates/patches | Incident response process, documented data breach procedure |
| 10. Regular review | Defined test routine, data protection-friendly default settings | Revision of audit reports, data protection management, commissioned processing based on instructions |
Setting up a data protection management system
Establish governance structure
An effective data protection management system begins with clearly defined responsibilities. Management bears overall responsibility and should appoint a data protection officer if the legal requirements are met.
Under Article 37 of the GDPR, the appointment of a data protection officer is mandatory in the following cases:
- At public authorities
- If the core activity requires extensive, regular, and systematic monitoring of data subjects
- If the core business consists of extensive processing of special categories of data
- When employing more than 20 employees (Art. 38 GDPR)
Create and maintain a record of processing activities
The record of processing activities is the core of data protection compliance. It must document all processing activities and include the following information:
- Name and contact details of the controller and the data protection officer
- Purposes of the processing
- Categories of data subjects and personal data
- Categories of recipients
- Transfers to third countries
- Deletion deadlines
- Technical and organizational measures
Professional advice can help ensure that the record is legally compliant and practical.
Practical implementation tips for companies
Step-by-step implementation
Phase 1 (planning, specification, DPIA): All relevant data, IT systems, and processes are selected with the goal of ensuring legally compliant processing.
Phase 2 (implementation): The processing functions as well as the technical and organizational measures, including the establishment of auditability, are implemented.
Phase 3 (control, verification, and assessment): Ongoing operations are controlled and monitored, and the results of the checks are evaluated with regard to compliance with legal requirements and the effectiveness of the measures.
Phase 4 (improvement): Deficits found in the processing function, the measures, and the controls that limit interference with fundamental rights are remedied, improving the results once the controller has decided on the changes.
Documentation and Proof
Comprehensive documentation is essential for the accountability principle. Keep records of:
- Training measures and participant lists
- Data protection impact assessments conducted
- Incident response measures
- Regular reviews and audits
Data Protection Checklist for Businesses
Basic Compliance Measures
- Record of processing activities created and current
- Privacy policy available and legally compliant
- Technical and organizational measures implemented
- Data Protection Officer appointed (if necessary)
- Employee training conducted
- Data processing agreements with processors (Art. 28 GDPR) concluded
- Incident response process established
- Data subject rights management implemented
Website and Online Marketing
- Cookie banner legally compliant
- Tracking tools configured in a data protection-compliant manner
- Newsletter signup with double opt-in
- Social media integration checked
- Contact forms SSL/TLS encrypted
- Hosting agreements reviewed
Human Resources
- Applicant data processing regulated
- Employee data protection documented
- Employee data exit process established
IT security and technology
- Access permissions regularly reviewed
- Encryption for sensitive data implemented
- Privacy-compliant backup strategy in place
- Software updates installed promptly
- Cloud services reviewed for data protection compliance
Data Protection as a Success Factor
Data protection measures in companies are far more than an annoying duty. They build trust with customers and business partners, reduce legal risks, and can become a real competitive advantage. Companies that take data protection seriously and implement it professionally position themselves as trustworthy partners in an increasingly data-driven economy.
The complexity of data protection law and ever-evolving case law often make expert guidance indispensable. Investments in professional data protection consulting pay off in the long run through avoided fines, reduced liability risks, and strengthened trust from business partners.
We are happy to assist you with your questions regarding the legally compliant implementation of data protection measures in your company, drawing on our expertise. Our many years of experience in IT law and data protection enable us to develop customized solutions for your company's specific requirements.
Frequently asked questions
The appointment is mandatory for public bodies, if the core activity requires extensive regular monitoring, if extensive processing of special categories of data takes place, if at least 20 people are regularly employed, or if a data protection impact assessment is required. Even without a legal obligation, the appointment can be advantageous.
No, technically necessary cookies do not require consent. However, tracking cookies and marketing cookies generally require consent.
The register of processing activities must be kept up to date. Consent forms should be retained for the duration of data processing plus any applicable statutes of limitations.
A DPIA is required under Article 35 GDPR for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. This includes systematic evaluations of personal aspects (profiling), extensive processing of special categories of data, or systematic extensive monitoring of public areas.
The supervisory authority must be notified within 72 hours if there is a risk to the rights and freedoms of data subjects. In the event of a high risk, the data subjects must also be notified.
A regular review is required; the GDPR does not specify exact intervals. An annual review is recommended, more frequently for critical systems.
Yes, external data protection officers are possible and often advantageous, as they bring specialized expertise and objectivity. However, a data processing agreement is not sufficient.
The costs vary greatly depending on the company size and complexity. Small companies can expect to pay a few thousand euros, while large companies may require six-figure sums.
Yes, the GDPR generally applies to all companies that process personal data. However, there are certain simplifications for small businesses with fewer than 20 employees regarding the register of processing activities.
In addition to fines, companies face civil claims for damages from affected individuals. Supervisory authorities can additionally issue orders concerning data processing, impose temporary or final restrictions, or prohibit processing completely. Reputational damage and loss of customer trust are often more severe than the direct financial consequences.