For each compliance cluster, our guide lists the relevant:
Tasks: What has to be done in order to be compliant?
Guidance: Have the supervisory authorities or other public bodies provided any guidance?
Legislation: What does the legislative text say?
The way information is provided within the company should be defined and documented. This may be done by means of a transparency directive.
Data subjects are notified about relevant data processing activities by means of electronic or physical privacy notices.
ᐅ DSAB Bayern: Informationspflichten Sprache (interpretation aid) (15.05.2019)
ᐅ DSAB Bayern: Informationspflichten am Telefon (interpretation aid) (15.05.2019)
ᐅ DSAB Bayern: Informationspflichten im Verein (interpretation aid) (15.05.2019)
ᐅ EDPB: Working Paper 260 zur Transparenz (guideline) (11.04.2018)
ᐅ DSAB Bayern: Beschluss der DSK zur Informationspflicht bei Ärzten (DSK resolution) (05.09.2018)
The way the company deals with (potential) security compromises should be defined and documented. Suitable means: data breach directive.
To ensure timely and appropriate action in case of a suspected security compromise, the establishment of a specialized "data breach team" is recommended. Its contact details should be made available to all employees.
A process for handling data subject requests must be defined and documented. Suitable means: data subject rights directive.
Assignment of responsibilities (e.g. for answering access requests from data subjects). Suitable means: data subject rights directive.
For each potential marketing activity, the criteria for lawful marketing should be defined and documented. Suitable means: personalized marketing directive.
The documented process should define both the conditions under which automated decision-making may take place and the technical and organizational means required.
Suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests – such as the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision – have to be implemented.
The controller must inform the data subject about the existence of automated decision-making and, at the time when personal data are obtained, provide meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
A consent directive should describe how consent is to be obtained and how withdrawals are to be implemented.
Where consent is deemed the suitable legal basis, it must be ensured it is sought in a lawful way. This may be facilitated by consent templates that must be adapted to the individual case.
A consent management system should be implemented to ensure that the data subject may withdraw their consent at any time.
A data deletion directive should describe how personal data is deleted once it is no longer needed for the respective legitimate processing purpose. Data deletion concepts might further detail retention requirements related to particular data processing activities.
Both data that is accessible via digital means and data in physical form must be deleted in a secure and non-reversible way. The company must put appropriate deletion technology in place.
The process should at least specify (1) who is responsible for the documentation, (2) by which means the documentation should take place and (3) in which way data processing activities are to be documented. This might be accomplished by a documentation directive.
The documentation should be realized either by manual or by technical means such as a data protection management system.
All internal and external data protection risks to personal information have to be identified in order to determine whether sufficient technical and organizational security measures have been implemented.
It should be defined which technical and / or organizational measures must be implemented under which circumstances.
The controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the detected data protection risks.
Once implemented, the effectiveness of the safeguards must be verified regularly and, where required, updated in response to new risks or deficiencies.
According to the "need-to-know principle", the access rights of a particular position in the company must be limited to the extent necessary for the fulfillment of the position's tasks. It must be defined by whom and under which conditions access rights are allocated. The process could be defined in a data security directive.
The criteria might be defined in a data transfer directive.
Since data protection contracts are one of the most important prerequisites of lawful data processing, the processing must not start before the relevant contract has been concluded.
The conditions might be defined in a transborder data flow directive.
Data transfers to third countries must take place based on an adequate level of protection.
A process for establishing processing compliance should be defined and documented. A processing analysis directive should include templates for the systematic analysis of individual data processing activities covering all potentially applicable implementation clusters.
It must be ensured that the lawfulness of processing activities is assessed before the start of processing.
ᐅ DSK: Kurzpapier Nr. 5. Datenschutz-Folgenabschätzung nach Art. 35 DS-GVO (17.12.2018)
ᐅ DSK: Kurzpapier Nummer 14. Beschäftigtendatenschutz (24.09.2020)
ᐅ DSK: Kurzpapier Nr. 15. Videoüberwachung nach der Datenschutz-Grundverordnung
ᐅ DSK: Kurzpapier Nr. 17. Besondere Kategorien personenbezogener Daten
ᐅ DSK: Kurzpapier Nr. 20. Einwilligung nach der DS-GVO (22.02.2019)
For each potential web tracking activity, the criteria for lawful web tracking should be defined and documented. Suitable means: web tracking directive.
Where consent is deemed necessary, it must be ensured it is sought in a lawful way by means of a consent management tool.
Since German law provides for additional provisions regarding the processing of personal data in the employment context, the respective additional requirements and restrictions should be outlined in an employment data protection directive.
The information officer should be appointed by means of an appointment certificate.
The appointed information officer must be notified to the competent data protection authority.
A data protection management directive may be a suitable means to fulfill this requirement.
Depending on the size of the company, each business department should provide for data protection contact points that are familiar with data protection requirements.
The responsibility for each data processing must be assigned to an individual role / person in the business departments. Suitable means: data protection management directive.
The data protection management directive should define the way risks are being detected, assessed, monitored and mitigated.
It should be regulated how it is ensured that the legal and data protection department(s) become aware of cases with data protection relevance.
When should the legal / data protection department be involved in cases with data protection relevance and who are the respective contact persons? These questions should be answered in the data protection management directive.
When should the legal / data protection department of another group company be involved in cases with data protection relevance and who are the respective contact persons? These questions should be answered in the data protection management directive.
Data processing compliance is regularly assessed by means of data protection audits. Such audits should take place at least every two years.
The current data protection status is to be continuously reported to the parent brand company (data protection officer).
Compliance with the accountability requirement may be achieved by cluster-specific directives that describe how the core data protection principles – lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality – are safeguarded.
Binding directives defining how the company ensures compliance with the core data protection principles should, on a regular basis, be challenged with respect to their actual implementation. Reports of systematic and independent audits of the compliance level achieved may serve as a valuable means of accountability.
Which laws require the implementation of data protection measures?
The General Data Protection Regulation applies directly in all EU and EEC member states and is the primary law governing data protection, in Germany as elsewhere. "Opening clauses" allow member states to regulate specific topics such as employee data protection. Nevertheless, if a national law is in conflict with the GDPR, the European law prevails.
The provisions of the Federal Data Protection Act (BDSG) supplement those of the GDPR on broad topics such as the processing of employee data and contain specifications on matters that are already regulated in the GDPR, such as data subject rights. In addition, the BDSG regulates processing by federal public bodies.
Each German "Bundesland" provides for at least one data protection authority that is equipped with comprehensive enforcement powers. Among others, the competent authority may carry out investigations, request access to personal data and to premises, and order a ban on data processing. Most importantly, data protection authorities may also impose heavy fines on companies for non-compliance with the law.
Financial risks may result not only from fines but also from data protection incidents that have come to the public's attention. So-called "data breaches" regularly hit the headlines of popular news channels. Once the media have become aware of an incident, the reputational damage resulting from it is hard to contain.
If a company processes sensitive data or permanently tasks more than 20 employees with the processing of personal data, a data protection officer has to be appointed and notified to the competent data protection authority. Since the requirements of the GDPR need to be fulfilled regardless of whether a data protection officer must be appointed, many companies voluntarily appoint an officer.
Depending on the company's size, the proper implementation of data protection measures and the timely response to data protection requests may require the establishment of a data protection management organization. In many organizations, so-called data protection managers or data protection ambassadors are tasked with a variety of functions such as raising employee awareness, drafting processing records and reporting incidents to the legal or data protection department.
While some companies have already implemented certain data protection measures, others start from scratch. The respective implementation level may be determined by means of a status analysis that should be carried out by an independent internal or external entity. The outcome of the analysis should be documented in an audit report that describes the most critical data protection risks detected.
The further implementation of data protection measures should take place according to a binding action plan. It is of great importance to allocate roles and responsibilities in a transparent way to ensure smooth processing of data protection tasks within all relevant departments. This may be realized by means of guidelines and templates.
Do you need assistance with the implementation of data protection requirements?
familiar with the implementation particularities of small and large businesses
experienced in communication with data protection authorities
known for our pragmatic approach, understanding data protection as an enabling practice