SITTIG LAW Law Firm Blog

GDPR checklist for agencies

The GDPR checklist helps agencies to fulfill their data protection obligations securely. From order processing contracts and technical and organizational measures to the implementation of data subject rights - structured processes protect against risks, fines and reputational damage. This makes data protection a real competitive advantage for every agency.
Contents

The most important facts at a glance

Why data protection is existential for agencies

Marketing, advertising and digital agencies operate in a highly sensitive data protection environment. They process the personal data of customers, their customers and other data subjects on a daily basis. From contact data and analysis cookies to extensive customer databases - the spectrum is broad and the legal requirements complex.

The General Data Protection Regulation (GDPR) poses particular challenges for agencies. Unlike many other service providers, they often act as processors within the meaning of Art. 28 GDPR when they process personal data on behalf of their clients. At the same time, they are responsible for their own data processing. This dual role requires a comprehensive understanding of data protection requirements and their consistent implementation.

The relevance of a GDPR checklist for agencies results not only from the legal compliance obligation, but also from tangible economic considerations. Data protection violations can result in fines. There is also the threat of reputational damage, customer churn and, in the worst case, civil claims for damages. A systematic approach to data protection is therefore not a chore, but a central component of corporate management.

Legal basis: Understanding the GDPR

The General Data Protection Regulation forms the central legal framework for the processing of personal data in the European Union. In Germany, it is supplemented and concretized by the Federal Data Protection Act (BDSG).

The following provisions in particular are of central importance for agencies:

Art. 4 GDPR defines basic terms such as „personal data“. Personal data is any information relating to an identified or identifiable natural person. This includes not only names and contact details, but also IP addresses, cookie identifiers and other online identifiers.

Art. 6 GDPR regulates the lawfulness of the processing. All data processing requires a legal basis. For agencies, there are three main alternatives: the consent of the data subject, the necessity to fulfill a contract or the protection of legitimate interests. Particular caution is required when processing data in the context of marketing activities - the consent requirement often applies here.

Art. 28 GDPR is the central standard for order processing. If an agency processes personal data on behalf of a client, a written data processing agreement (DPA) must be concluded. This must contain detailed regulations on the subject matter, duration, type and purpose of the processing as well as the obligations and rights of both parties. If a DPA is missing or inadequate, this constitutes a data protection breach.

Art. 32 GDPR requires the implementation of technical and organizational measures (TOM) to ensure a level of protection appropriate to the risk. These measures must ensure the confidentiality, integrity, availability and resilience of the systems. The specific design depends on the state of the art, the implementation costs and the risks to the rights and freedoms of data subjects.

Art. 33 and 34 GDPR regulate the reporting obligations in the event of data breaches. If a personal data breach is detected, the competent supervisory authority must be informed within 72 hours. If there is a high risk for the data subjects, they must also be notified directly.

The dual role of agencies in data protection

Agencies occupy a complex position in data protection law, as they regularly act as both controllers and processors. This distinction is of fundamental importance for the legal obligations.

As the person responsible agencies occur when they themselves decide on the purpose and means of data processing. This is the case, for example, when processing applicant data, managing their own customer contacts or operating their own website with analysis tools. In this role, the agency bears full responsibility under data protection law and must fulfill all obligations independently.

As a processor Agencies, on the other hand, act as processors when they process personal data on behalf of and according to the instructions of a client. As a processor, the agency has considerable obligations: It must implement suitable technical and organizational measures, follow the instructions of the controller, conclude a DPA and may not involve any other processors without consent.

The mandatory documents: record of processing activities

The record of processing activities forms the core of data protection documentation. It is used for accountability and enables transparency about data processing for supervisory authorities and data subjects.

Agencies must keep two separate registers: one for the activities for which they act as controllers and one for order processing. Both registers must contain the following minimum information:

For those responsible:

  • Name and contact details of the controller and, if applicable, the data protection officer
  • Purposes of the processing
  • Description of the categories of data subjects and personal data
  • Categories of recipients to whom the data is disclosed
  • Transfers to third countries, if applicable
  • Deadlines for the deletion of the various data categories
  • General description of the technical and organizational measures

For processors:

  • Name and contact details and of each person responsible on whose behalf they are acting
  • Categories of processing operations carried out on behalf of the controller
  • Transfers to third countries, if applicable
  • General description of the technical and organizational measures

The challenge for agencies lies in the diversity of their processing activities. A typical digital agency processes data in numerous contexts: Applicant management, HR management, accounting, in-house marketing, website operations, customer support, and then there are the various services provided to clients. Each of these activities must be recorded in the directory.

The data processing agreement: the heart of agency compliance

If agencies process personal data on behalf of their clients, the conclusion of a data processing agreement (DPA) is mandatory in accordance with Art. 28 GDPR. This contract must be concluded in writing or in electronic form and contain detailed provisions on all essential aspects of the order processing.

Mandatory contents of a GCU:

The legislator specifies an extensive catalog of minimum contents in Art. 28 GDPR. The DPA must regulate:

  • Object and duration of processing
  • Nature and purpose of processing
  • Type of personal data
  • Categories of affected persons
  • Obligations and rights of the controller

In addition, the processor must in particular undertake to

  • to process data only on documented instruction
  • Confidentiality of the persons involved in the processing
  • To implement appropriate technical and organizational measures
  • Engage other processors only with permission
  • Supporting the rights of data subjects
  • To support the fulfillment of the controller's obligations
  • Delete or return all data at the end of the order
  • Provide the person responsible with all necessary information to prove the
  • To make available the fulfillment of duties
  • To enable and contribute to reviews

Technical and organizational measures

Access controlUnauthorized persons must not have physical access to data processing facilities. Agencies should implement: Access controls to offices through key systems or electronic locking systems, alarm system, logging of visitors, lockable rooms for servers and data media, clean desk policy for sensitive documents.

Access controlUnauthorized persons may not use data processing systems. Measures include: individual user accounts for each employee, secure password guidelines (minimum length, complexity, regular change), two-factor authentication for access to critical systems, automatic screen lock after inactivity, encryption of mobile devices.

Access controlUsers may only access the data for which they are authorized. Agencies need: role-based authorization concepts, regulation of read, write and delete rights according to the need-to-know principle, regular review and adjustment of authorizations, immediate deactivation of access when employees leave.

Transfer controlData may not be read, copied or deleted without authorization during electronic transmission or transport. Required are: Encryption of e-mails with sensitive content, secure data transmission, VPN connections for remote access, encrypted data carriers during physical transport, logging of data transmissions.

Input controlIt must be possible to trace who entered, changed or deleted which data and when. Agencies should implement: Logging systems that log all relevant accesses, versioning of documents, traceability of changes in databases, regular evaluation of logs.

Order controlIn the case of commissioned processing, data may only be processed in accordance with instructions. The following are necessary: clear processes for receiving and documenting instructions, regular coordination with clients, employee training on the authority to issue instructions, documentation of all processing steps.

Availability controlData must be protected against accidental destruction or loss. Agencies need: automated, regular backups, physically separated backup storage, emergency plan for system failures, uninterruptible power supply for critical systems, virus protection and firewall.

Separation requirementData collected for different purposes must be able to be processed separately. Measures include: logical or physical separation of production and test systems, separate databases for different customers or purposes, multi-client capability in deployed systems.

Designing data protection information and consents correctly

The information obligations under Art. 13 and 14 GDPR are among the most frequently neglected compliance requirements. Yet they are fundamental: data subjects must be informed about the processing of their data in a precise, transparent and easily accessible form.

Privacy policy of the agency website:

Every agency website requires a comprehensive privacy policy that describes all processing operations. This includes: Contact forms, newsletter registration, use of analysis tools, use of cookies, social media plugins, chat functions, applicant management tools.

The privacy policy must specify for each of these processing operations: Type of data processed, purpose of processing, legal basis, recipients or categories of recipients, storage period, information on data subject rights, information on the right to object, in the case of automated decisions, information on the logic involved.

Systematically implementing data subject rights

Right to informationData subjects can request information about the personal data stored about them. The agency must respond within one month and provide the following information: which categories of data are processed, for which purposes, to which recipients data has been transmitted, how long the data is stored, which data subject rights exist, where the data originates from, whether automated decision-making takes place.

Right to rectificationIf stored data is incorrect or incomplete, it must be corrected immediately. Agencies should establish processes that enable the rapid identification and correction of affected data records.

Right to erasureThe „right to be forgotten“ obliges us to erase data if one of the legal grounds for erasure applies: Data no longer required, consent withdrawn, objection lodged, data processed unlawfully, obligation to erase under EU or national law. Important: Deletion obligations may be restricted by other legal standards, such as retention obligations under tax law. In such cases, processing must at least be restricted.

Right to restriction of processingData subjects can request that their data only be stored but no longer actively processed. This is particularly relevant if the accuracy of the data is disputed or an objection to the processing has been lodged.

Right to data portabilityIf the processing is based on consent or a contract and is automated, data subjects may request to receive their data in a structured, commonly used and machine-readable format and to have it transmitted to another controller.

Right of objectionIf the processing is based on a balancing of interests or is carried out for direct marketing purposes, data subjects may object. In the case of direct marketing, processing must be stopped without exception.

GDPR checklist for agencies: practical implementation

Basic organization: 

  • Data Protection Officer appointed
  • Data protection officer appointed internally
  • Data protection management system established
  • Regular data protection training courses held for employees
  • List of processing activities created and updated
  • Data protection impact assessment carried out for high-risk processing operations

Contracts and agreements: 

  • Order processing contracts concluded with all relevant service providers
  • Order processing contracts concluded with customers
  • Joint responsibility agreements concluded (if applicable)
  • Confidentiality obligations agreed with all employees
  • Regulations on the handling of personal data anchored in employment contracts

Technical and organizational measures: 

  • Access control to premises implemented
  • Access control to IT systems implemented with password policy
  • Access control with role-based authorizations established
  • Encryption of sensitive data and data transfers ensured
  • Backup concept with spatially separated storage implemented
  • Firewall and virus protection active and up-to-date
  • Logging of access to personal data set up
  • Clean desk policy introduced
  • Processes for deleting data established

Information obligations and transparency: 

  • Complete and up-to-date privacy policy on your own website
  • Cookie banner with active consent option implemented
  • Data protection information provided upon initial contact with customers/prospects
  • Data protection information integrated into the application process
  • Declarations of consent for marketing activities designed to be legally compliant

Rights of data subjects: 

  • Processes defined for handling requests for information
  • Processes for rectification, erasure and restriction established
  • Deadlines for responding to inquiries (1 month) anchored in the process
  • Identity check regulated for data subject requests
  • Central contact address set up for data protection inquiries

Order processing: 

  • All sub-processors identified and contractually bound
  • List of sub-processors listed in GCU with customers
  • Technical and organizational measures documented in detail
  • Instruction processes defined for clients
  • Contractually regulated support for data subjects' rights

Ongoing processes: 

  • Regular review and updating of data protection documentation
  • Quarterly training courses on data protection carried out
  • Annual data protection audit carried out
  • Deletion periods regularly reviewed and implemented
  • New processing activities checked under data protection law before commencement

Data protection as a competitive advantage

Data protection is often perceived as a burdensome obligation - wrongly so. Well thought-out data protection compliance offers agencies considerable advantages: it protects against fines and reputational damage, creates trust with customers and can become a competitive differentiator.

Consistent implementation is crucial. A half-heartedly maintained register of processing activities or an incomplete order processing contract will not help in an emergency. Data protection requires commitment, resources and expertise. But the investment is worth it: it not only ensures legal compliance, but also strengthens the agency's professional profile.

Agencies that take data protection seriously signal reliability and professionalism to their customers. In times of increasing data protection sensitivity and stricter supervision, this can make all the difference. Data protection is evolving from a compliance issue into a real competitive advantage.

As a law firm specializing in IT law and data protection, we support agencies in systematically establishing and sustainably securing their GDPR compliance. From the initial consultation to contract drafting and ongoing support, we offer practical solutions that are tailored to the specific requirements of agencies.

Frequently asked questions

A data protection officer must be appointed if, as a rule, at least 20 people are permanently involved in the automated processing of personal data. In addition, there is an obligation to appoint a data protection officer if the processing is subject to a data protection impact assessment or if personal data is processed for the purpose of transmission, market or opinion research or for advertising purposes. The data protection officer can be appointed internally or externally.

The absence of a DPA constitutes a breach of Art. 28 GDPR and can be punished with fines. Furthermore, data processing without a DPA is unlawful, which can also lead to claims for damages. The DPA must be concluded before data processing begins.

Yes, a GDPR-compliant DPA must be in place for all ongoing order processing relationships - regardless of when the contractual relationship began. Agencies should proactively contact their existing customers and catch up on DPAs. The mere continued validity of old contracts is not sufficient, as these generally do not contain all the mandatory content of the GDPR.

There is no generally applicable storage period. The decisive factor is the purpose of the processing. As soon as this no longer applies, there is generally an obligation to erase data in accordance with Art. 17 GDPR. Exceptions arise from statutory retention obligations.

The GDPR also applies to all legacy data. The decisive factor is whether there is a legal basis for the continued processing in accordance with the GDPR. Consent given previously can continue to be effective if it meets the requirements of the GDPR. Otherwise, a new legal basis must be created - either by obtaining GDPR-compliant consent or by checking whether another legal basis (e.g. legitimate interest) exists. Where no legal basis exists, the data must be deleted.

Employee data protection law is subject to special requirements. Agencies must provide employees with comprehensive information about the processing of their data. This should already be done when the contract is concluded. Confidentiality obligations must be agreed with all employees who have access to personal data.

Applicant data may only be processed to carry out the application process. Applicants must be informed before or when the data is collected; a data protection declaration in the job advertisement or application form is useful. After completion of the procedure, documents of rejected applicants must generally be deleted after six months, unless longer storage is necessary to assert or defend against claims or the applicant has consented to longer storage.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form