SITTIG LAW Law Firm Blog

What are the obligations of companies that process personal data?

Companies that process personal data are subject to extensive obligations under the GDPR. These include legal bases, information obligations, technical protective measures, documentation, and reporting of data breaches. The goal is to ensure transparency, data security, and accountability. Structured compliance strengthens legal certainty and trust with customers and authorities.

Why Data Protection Obligations Are Existential Today

Hardly a day goes by without a data breach being reported somewhere, a supervisory authority imposing a fine, or a company making headlines for non-compliance with the GDPR. Since the General Data Protection Regulation (GDPR) came into force, the requirements for companies processing personal data have increased significantly – and supervisory authorities are increasingly taking consistent action against violations.

The question of the obligations of companies that process personal data concerns almost every company in Germany and Europe. Whether a small online company collects customer data for shipping, a medium-sized business uses HR software, or a large corporation conducts big data analyses: the GDPR applies to all.

Legal Basis: What the GDPR Requires

The GDPR as a European Legal Framework

The General Data Protection Regulation applies directly in all EU member states and creates a uniform European data protection standard.

Core Principles of the GDPR 

All data protection obligations are based on the principles set forth in Article 5 of the GDPR:

Lawfulness, fairness, and transparency: Data may only be processed on a legal basis and in a way that is understandable to the data subject.

Purpose limitation: Collected data may only be used for the defined, legitimate purpose. Reuse for other purposes is generally not permitted.

Data minimization: Only data that is actually necessary for the respective purpose may be collected.

Accuracy: Companies must ensure that stored data is accurate and up to date.

Storage limitation: Data must not be stored for longer than necessary. Clear deletion concepts are absolutely required.

Integrity and confidentiality: Technical and organizational measures must be taken to ensure data security.

Accountability: Companies must be able to actively demonstrate compliance with these principles.

Legal Basis for Data Processing

Any processing of personal data requires a legal basis. In practice, the following are particularly relevant:

  • Consent: Voluntary, informed, unambiguous, and revocable—the requirements for valid consent are high.
  • Performance of a contract: Data may be processed if it is necessary for the performance of a contract.
  • Legal Obligation: Statutory retention requirements, such as those under the German Commercial Code (HGB) or the German Fiscal Code (AO), permit the storage of such data.
  • Legitimate Interests: It is necessary to balance the interests of the company against the rights of the individuals concerned. This legal basis is often misunderstood and misapplied.

Key Aspects: Central Obligations at a Glance

1. Information obligations (Art. 13 and 14 GDPR)

One of the most common deficiencies in practice: incomplete or incomprehensible data protection notices. Data subjects must be comprehensively informed about every data collection – whether via a contact form, upon conclusion of a contract, or through cookies. This includes:

  • Name and contact details of the person responsible
  • Purpose and Legal Basis for Processing
  • Recipients or categories of recipients
  • Retention period or criteria for determining the duration
  • Data Subject Rights (Right to Access, Correction, Deletion, and Objection)
  • Right to complain to the supervisory authority
  • Notice of automated decision-making, if applicable

This information must be provided in clear, understandable language and be easily accessible—not buried in convoluted terms and conditions, but in a dedicated privacy policy.

2. Maintaining a record of processing activities

Every controller—and, where applicable, its representative—is generally required to maintain a record of all processing activities. This also applies to smaller companies if the processing is not merely occasional, poses a risk to data subjects, or involves special categories of data (e.g., health data)—which, in practice, applies to most companies.

3. Data Protection Impact Assessment (Art. 35 GDPR)

If a processing activity is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) must be carried out beforehand.

Typical cases include:

  • Extensive processing of special categories of personal data (health, biometrics, religion)
  • Systematic surveillance of publicly accessible areas (e.g., video surveillance)
  • Deployment of new technologies, especially AI-powered profiling

The data protection impact assessment is not a one-time process but must be updated when processing changes.

4. Technical and organizational measures (Art. 25 and 32 GDPR)

Companies must integrate appropriate data protection measures right from the design stage of systems and processes.

These include:

  • Encryption of data in transit and at rest
  • Access controls and authorization concepts
  • Pseudonymization, where possible
  • Regular security tests and vulnerability assessments
  • Backup and Recovery Strategies
  • Employee training

The appropriateness of the measures depends on the state of the art, implementation cost, and the severity of the potential damage.
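Pseudonymization from the list above, shown as an added example (not code from SITTIG LAW or from any product the post mentions): customer events are keyed to an HMAC-SHA256 pseudonym instead of the e-mail address, so that records about the same person can still be analysed together while the key, held separately from the data, is the only way to link a pseudonym back to a person. The sample events, the field names and the fixed demo key are constructed for the example; in production the key would come from `new_key()` and be stored outside the analytics system.

```python
import hashlib
import hmac
import secrets

# Constructed sample: customer events as they might appear in a CRM export.
SAMPLE_EVENTS = [
    {"email": "Anna.Example@example.org", "event": "purchase", "amount": 42},
    {"email": "anna.example@example.org", "event": "support_ticket", "amount": 0},
    {"email": "bob@example.net", "event": "purchase", "amount": 17},
]

# Constructed demo key. Real deployments generate the key with new_key() and keep it
# in a separate store (HSM/KMS/secrets manager), never next to the pseudonymized data.
DEMO_KEY = bytes(range(32))


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym. Identifiers are canonicalized (trimmed,
    lower-cased) so that spelling variants of one e-mail address map to the
    same pseudonym. Without the key the pseudonym can be neither reversed nor
    recomputed, which is what keeps it a pseudonym rather than a plain hash."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_events(events, key: bytes) -> list:
    """Replace the direct identifier in each event with a subject pseudonym."""
    out = []
    for ev in events:
        record = {k: v for k, v in ev.items() if k != "email"}
        record["subject_id"] = pseudonymize(ev["email"], key)
        out.append(record)
    return out


def spend_per_subject(pseudonymized_events) -> dict:
    """Analysis that works on pseudonyms only: total amount per subject."""
    totals = {}
    for ev in pseudonymized_events:
        totals[ev["subject_id"]] = totals.get(ev["subject_id"], 0) + ev["amount"]
    return totals


if __name__ == "__main__":
    events = pseudonymize_events(SAMPLE_EVENTS, DEMO_KEY)
    for subject, total in spend_per_subject(events).items():
        print(subject[:16], total)
```

Rotating the key produces a completely new set of pseudonyms, which is useful when a data set is handed to a new processor: each recipient gets pseudonyms that cannot be joined with another recipient's data.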

5. Notification obligation in case of data breaches (Art. 33 and 34 GDPR)

A personal data breach—such as a hacker attack, a lost laptop, or an email sent by mistake—must be reported to the relevant data protection supervisory authority within 72 hours if there is a risk to the individuals concerned. If the risk to the individuals concerned is high, they must also be notified immediately.

6. Commissioned data processing (Art. 28 GDPR)

Whenever a company has personal data processed by external service providers—cloud providers, IT service providers, tax consultants, marketing agencies—a data processing agreement (DPA) must be concluded. This agreement must contain certain minimum contents and ensure that the data processor adheres to the same data protection standards.

7. Appointment of a Data Protection Officer (Art. 37 GDPR, § 38 BDSG)

In Germany, a company data protection officer must be appointed if, as a rule, at least 20 people are regularly engaged in the automated processing of personal data. Regardless of this threshold, an appointment is required if the company’s core activities involve the extensive processing of special categories of data or if systematic monitoring of individuals takes place.

Practical tips for companies

A Data Protection Audit as a Starting Point: Before taking any action, the current situation should be systematically assessed. What data is being processed, where, for how long, and for what purpose? An internal audit provides the necessary foundation.

Implement a deletion concept: One of the most common GDPR gaps in practice is the absence of a structured deletion concept. Clear deletion deadlines should be defined and technically implemented for each data category.
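What "technically implemented for each data category" can look like, as an added example that is not from SITTIG LAW: a retention table per data category, a classifier that sorts stored records into delete / retain / held / unclassified, and an accountability log line that records which rule was applied without repeating the personal data itself. The categories, retention periods and sample records are constructed for the example and are not legal advice; the real periods come from the company's own deletion concept. Records whose category has no rule are reported rather than silently kept, because an unclassified data category is itself a gap in the concept, and records under a legal hold are reported separately instead of being deleted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# Constructed sample policy: retention period in days after the triggering event
# (end of contract, rejection letter, withdrawal of consent, ...).
RETENTION_DAYS = {
    "web_server_log": 7,
    "newsletter_consent_withdrawn": 0,   # delete with the next run after withdrawal
    "job_application_rejected": 180,
    "customer_invoice": 10 * 365,        # statutory retention, e.g. under HGB/AO
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    retention_start: date      # date of the event that starts the retention clock
    legal_hold: bool = False   # e.g. pending litigation: must not be deleted yet


def deletion_due_date(record: Record) -> date:
    return record.retention_start + timedelta(days=RETENTION_DAYS[record.category])


def classify(records: Iterable[Record], today: date) -> dict:
    """Sort records into what a deletion run should do with each of them."""
    result = {"delete": [], "retain": [], "held": [], "unclassified": []}
    for r in records:
        if r.category not in RETENTION_DAYS:
            result["unclassified"].append(r.record_id)   # gap in the concept
        elif r.legal_hold:
            result["held"].append(r.record_id)
        elif deletion_due_date(r) <= today:
            result["delete"].append(r.record_id)
        else:
            result["retain"].append(r.record_id)
    return result


def deletion_log_entry(record: Record, today: date) -> str:
    """Accountability record: which rule was applied and when, no record content."""
    return (f"{today.isoformat()} deleted {record.record_id} "
            f"category={record.category} rule={RETENTION_DAYS[record.category]}d "
            f"due={deletion_due_date(record).isoformat()}")


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("R1", "web_server_log", date(2025, 1, 1)),
    Record("R2", "customer_invoice", date(2016, 1, 1)),
    Record("R3", "job_application_rejected", date(2024, 6, 1)),
    Record("R4", "newsletter_consent_withdrawn", date(2025, 1, 15)),
    Record("R5", "job_application_rejected", date(2024, 6, 1), legal_hold=True),
    Record("R6", "crm_note", date(2020, 1, 1)),   # no retention rule defined
]


def run_deletion_cycle(records, today: date) -> list:
    """Return the log lines a deletion run would write for the records due today."""
    by_id = {r.record_id: r for r in records}
    outcome = classify(records, today)
    return [deletion_log_entry(by_id[rid], today) for rid in outcome["delete"]]


if __name__ == "__main__":
    today = date(2025, 1, 15)
    print(classify(SAMPLE_RECORDS, today))
    for line in run_deletion_cycle(SAMPLE_RECORDS, today):
        print(line)
```

The "unclassified" and "held" lists are the ones worth reviewing after each run: the first shows data categories the deletion concept has not covered yet, the second shows data that is overdue but retained for a documented reason.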

Employee awareness: The best technical infrastructure is of little use if employees cannot recognize phishing emails or send customer data via unencrypted email. Regular training is not only recommended but also a component of the TOMs obligation.

Keep documentation complete: In the event of a dispute or an audit by regulatory authorities, companies must be able to demonstrate that they have fulfilled their obligations. The record of processing activities, records of consent, data processing agreements, and data protection impact assessments should always be up to date and accessible.

Incorporate External Expertise: Especially when dealing with complex data processing activities, IT projects, or in the wake of data breaches, it is advisable to engage an external data protection officer or an attorney with expertise in data protection law.

Checklist: Basic Data Protection Obligations for Businesses

  • Privacy Policy Complete and Up-to-Date (Website, Apps, Contact Forms)
  • Record of processing activities maintained and kept up to date in accordance with Article 30 of the GDPR
  • Legal basis for each processing activity documented
  • Data processing agreements concluded with all external service providers
  • Technical and organizational measures (TOMs) documented and implemented
  • A data deletion policy is in place for all data categories
  • Data Protection Impact Assessment conducted where required
  • Data Protection Officer appointed (internal or external), if necessary
  • Staff regularly trained
  • Process for Handling Inquiries from Data Subjects Established
  • Incident Response Plan for Data Breaches in place
  • Third-country transfers reviewed and secured (SCC, Transfer Impact Assessment)
  • Legally compliant implementation of cookie consent management

Data Protection as a Corporate Responsibility—and an Opportunity

The obligations that companies face when processing personal data are extensive and complex. However, those who view data protection solely as an annoying compliance task misunderstand its potential: Companies that handle data transparently and responsibly gain the trust of their customers and partners, thereby gaining a real competitive advantage.

The greatest risks lurk where processes are undocumented, external service providers process data unchecked, or data breaches are detected too late. Therefore, an early, systematic examination of one's own processing activities – ideally with expert support – is not a question of whether, but when.

SITTIG LAW provides comprehensive support to companies in fulfilling their data protection obligations – from the initial assessment and implementation of legally compliant processes to taking on the role of external data protection officer. Contact us – we are available for you.

Frequently asked questions

The GDPR generally applies to any company that processes personal data – regardless of size. There are only simplifications for micro-enterprises, for example, regarding the obligation to maintain a register of processing activities, but even then, only under strict conditions.

Personal data is any information relating to an identified or identifiable natural person – name, email address, IP address, location data, customer numbers, or even combinations of characteristics that enable identification.

In Germany, a data protection officer must be appointed if, as a general rule, at least 20 people regularly process data automatically or if the company operates in particularly sensitive areas. In case of doubt, this should be legally reviewed.

Data protection violations can be penalized with fines. In addition, there are claims for damages by those affected, reputational damage, and in serious cases, criminal consequences.

Yes. The GDPR protects natural persons. As soon as a B2B company processes data of contact persons, employees of business partners, or other natural persons – which is almost always the case – the GDPR requirements apply.

Data breaches that pose a risk to individuals must be reported to the responsible data protection supervisory authority within 72 hours. In cases of high risk, affected individuals must also be informed directly. Companies should develop an incident response plan in advance that defines clear responsibilities and procedures.

The use of customer data for direct marketing (e.g., newsletters) generally requires explicit consent. In the existing customer segment, legitimate interest can be used as a legal basis under strict conditions. However, affected individuals always have the right to object.

An external data protection officer is a specialist who works outside the company and takes on the function of the company's data protection officer. They offer the advantage of professional independence and up-to-date expertise. This is often the more economical and legally secure solution, especially for small and medium-sized enterprises.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.
