Compliance Guide

For each compliance cluster, this guide lists the relevant:

Tasks: What has to be done in order to be compliant?

Guidance: Have the supervisory authorities or other public bodies provided any guidance?

Legislation: What does the legislative text say?







Transparency



    Procedure for information provision

    The way the company provides information to data subjects should be defined and documented, for example in a transparency directive.


    Information of data subjects

    Notification of data subjects about the relevant data processing activities, either by electronic or by physical privacy notices.



Art. 13 GDPR: Information to be provided where personal data are collected from the data subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
    1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
    2. the contact details of the data protection officer, where applicable;
    3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    4. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
    5. the recipients or categories of recipients of the personal data, if any;
    6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
  2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
    1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
    2. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
    3. where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    4. the right to lodge a complaint with a supervisory authority;
    5. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
    6. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.


Art. 14 GDPR: Information to be provided where personal data have not been obtained from the data subject

  1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
    1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
    2. the contact details of the data protection officer, where applicable;
    3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    4. the categories of personal data concerned;
    5. the recipients or categories of recipients of the personal data, if any;
    6. where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
  2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
    1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
    2. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
    3. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
    4. where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    5. the right to lodge a complaint with a supervisory authority;
    6. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
    7. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  3. The controller shall provide the information referred to in paragraphs 1 and 2:
    1. within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    2. if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    3. if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
  4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  5. Paragraphs 1 to 4 shall not apply where and insofar as:
    1. the data subject already has the information;
    2. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
    3. obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
    4. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.


Data Breach



    Process for handling security compromises

    The way the company deals with (potential) security compromises should be defined and documented. Suitable means: data breach directive.


    Allocation of responsibilities / contact points for handling (potential) security compromises

    To ensure timely and appropriate action in case of a suspected security compromise, establishing a dedicated "data breach team" is recommended. Its contact details should be made available to all employees.



Art. 33 GDPR: Notification of a personal data breach to the supervisory authority

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.


Art. 34 GDPR: Communication of a personal data breach to the data subject

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
  3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
    1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
    2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
    3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.


Data Subject Rights



    Process for handling data subject requests

    A process for handling data subject requests must be defined and documented. Suitable means: data subject rights directive.


    Assignment of responsibilities for handling data subject requests

    Assignment of responsibilities (e.g. for answering access requests from data subjects). Suitable means: data subject rights directive.



Art. 15 GDPR: Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where the personal data are not collected from the data subject, any available information as to their source;
    8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.


Art. 16 GDPR: Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


Art. 17 GDPR: Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    4. the personal data have been unlawfully processed;
    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    5. for the establishment, exercise or defence of legal claims.


Art. 21 GDPR: Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.


Art. 77 GDPR: Right to lodge a complaint with a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
  2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.


Art. 79 GDPR: Right to an effective judicial remedy against a controller or processor

  1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
  2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.


Art. 80 GDPR: Representation of data subjects

  1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
  2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.


Art. 82 GDPR: Right to compensation and liability

  1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
  2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
  3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
  4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
  5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
  6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).


Personalized Marketing



    Criteria for lawful marketing activities

    For each potential marketing activity, the criteria for lawful marketing should be defined and documented. Suitable means: personalized marketing directive.



Section 7 UWG: Unacceptable nuisance

  1. A commercial practice which constitutes an unacceptable nuisance to a market participant shall be illegal. This shall apply to advertising particularly in cases where it is apparent that the solicited market participant does not want this advertising.
  2. An unacceptable nuisance shall always be assumed in the case of
    1. advertising using a medium of commercial communication not listed under nos. 2 and 3 which is suited to distance marketing and through which a consumer is persistently solicited although it appears that he does not want this;
    2. advertising by means of a telephone call, made to a consumer without his prior express consent, or made to another market participant without at least the latter's presumed consent;
    3. advertising using an automated calling machine, a fax machine or electronic mail without the addressee’s prior express consent; or
    4. advertising using a communication
      1. where the identity of the sender on whose behalf the communication is transmitted is concealed or kept secret or
      2. which violates section 6 (1) of the Telemedia Act (Telemediengesetz) or in which the recipient is prompted to call up a website which violates said provision or
      3. where there is no valid address to which the recipient can send an instruction to terminate transmission of communications of this kind, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates.
  3. Notwithstanding subsection (2) no. 3, an unacceptable nuisance shall not be assumed to exist in the case of advertising using electronic mail if
    1. the entrepreneur has obtained from the customer the latter’s electronic mail address in connection with the sale of goods or services;
    2. the entrepreneur uses the address for direct advertising of his own similar goods or services;
    3. the customer has not objected to this use; and
    4. the customer is clearly and unequivocally advised, when the address is collected and each time it is used, that he can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates.


Automated Individual Decision Making



    Process for lawful automated individual decision making

    The documented process should define both the conditions under which automated decision-making may take place and the technical and organizational means required.


    Implementation of suitable measures to safeguard data subject rights and freedoms and legitimate interests

    Suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests – such as the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision – have to be implemented.


    Information about the existence of automated decision-making

    The controller must inform the data subject about the existence of automated decision-making and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject, at the time when the personal data are obtained.



Art. 22 GDPR: Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:
    1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    3. is based on the data subject’s explicit consent.
  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.


Retention / Deletion



    Definition and documentation of retention / deletion procedures and periods

    A data deletion directive should describe how personal data is deleted once it is no longer needed for the respective legitimate processing purpose. Data deletion concepts may further detail the retention requirements that apply to particular data processing activities.


    Implementation of suitable deletion technology

    Both data that is accessible by digital means and data in physical form must be deleted in a secure and non-reversible way. The company must deploy deletion technology suitable for each medium.
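    As an added example (not part of this guide, and not any particular product's implementation), the Python sketch below shows one deletion technique for digital data that satisfies the non-reversibility requirement: cryptographic erasure, usually called crypto-shredding. Every record is encrypted under a key that belongs to one data subject and one processing purpose. A routine retention run, or an Art. 17 erasure request, destroys that key; from then on every copy of the ciphertext, including copies in backups that cannot be overwritten in time, is unintelligible in the sense of Art. 34(3)(a). The store, the retention periods, the legal-hold set and the sample records are all constructed for this example; the HMAC-based keystream is a dependency-free stand-in for a real AEAD such as AES-GCM, used only so the code runs with the standard library, and is not a recommendation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, for a dependency-free example): HMAC-SHA256
    in counter mode as a keystream, XORed with the data. Symmetric, so the same
    call decrypts. A real system uses a vetted AEAD such as AES-GCM."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_on: date
    nonce: bytes
    ciphertext: bytes


class CryptoShredStore:
    """One data-encryption key per (data subject, purpose). Deleting the key
    renders every record encrypted under it unintelligible, including copies
    in backups that cannot be overwritten in time."""

    def __init__(self, retention: dict[str, timedelta]):
        self.retention = retention          # purpose -> retention period (constructed)
        self.keys: dict[tuple[str, str], bytes] = {}   # would live in a KMS/HSM in practice
        self.records: list[Record] = []
        self.legal_holds: set[str] = set()  # subjects with Art. 17(3) grounds to keep data

    def store(self, subject_id: str, purpose: str, plaintext: bytes, collected_on: date) -> None:
        if purpose not in self.retention:
            raise ValueError(f"no retention period defined for purpose {purpose!r}")
        key = self.keys.setdefault((subject_id, purpose), secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        self.records.append(Record(subject_id, purpose, collected_on, nonce,
                                   _keystream_xor(key, nonce, plaintext)))

    def read(self, subject_id: str, purpose: str) -> list[bytes]:
        key = self.keys.get((subject_id, purpose))
        if key is None:
            raise KeyError(f"key for {(subject_id, purpose)} was shredded; data is unrecoverable")
        return [_keystream_xor(key, r.nonce, r.ciphertext) for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose]

    def erase_subject(self, subject_id: str) -> list[str]:
        """Art. 17 request: shred all of the subject's keys unless a legal hold applies.
        Returns the purposes whose keys were destroyed."""
        if subject_id in self.legal_holds:
            return []
        shredded = [purpose for (sid, purpose) in list(self.keys) if sid == subject_id]
        for purpose in shredded:
            del self.keys[(subject_id, purpose)]
        return shredded

    def run_retention(self, today: date) -> list[tuple[str, str]]:
        """Routine deletion: shred a key once every record under it is past the
        retention period of its purpose. Returns the (subject, purpose) pairs shredded."""
        shredded = []
        for key_id in list(self.keys):
            subject_id, purpose = key_id
            if subject_id in self.legal_holds:
                continue
            under_key = [r for r in self.records if (r.subject_id, r.purpose) == key_id]
            if all(r.collected_on + self.retention[purpose] <= today for r in under_key):
                del self.keys[key_id]
                shredded.append(key_id)
        return shredded

    def ciphertext_count(self, subject_id: str) -> int:
        """Ciphertext may linger (e.g. in backups); without the key it is just noise."""
        return sum(1 for r in self.records if r.subject_id == subject_id)


def demo() -> dict:
    """Constructed sample data; returns the observations worth checking."""
    store = CryptoShredStore({"order": timedelta(days=3650), "newsletter": timedelta(days=365)})
    store.store("alice", "order", b"order #1: 2 widgets", date(2023, 1, 10))
    store.store("alice", "newsletter", b"alice@example.invalid", date(2023, 1, 10))
    store.store("bob", "order", b"order #2: 1 gadget", date(2022, 5, 1))
    store.legal_holds.add("bob")   # e.g. a pending dispute, Art. 17(3)(e)

    results = {"alice_before": store.read("alice", "order")}
    results["retention"] = store.run_retention(date(2024, 6, 1))   # newsletter expired, orders not
    results["alice_erase"] = store.erase_subject("alice")
    results["bob_erase"] = store.erase_subject("bob")
    try:
        store.read("alice", "order")
        results["alice_after"] = "readable"
    except KeyError:
        results["alice_after"] = "unrecoverable"
    results["alice_ciphertexts_left"] = store.ciphertext_count("alice")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    Two caveats a practitioner should keep in mind. Crypto-shredding only works if the key store is the sole place the key lives (no key copies in application logs, memory dumps or configuration backups) and if the key deletion itself is logged, because that log entry is what shows the supervisory authority when and why the data became unrecoverable. Data in physical form, and media that the key never covered, still need overwriting or physical destruction.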



Art. 17 GDPR: Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    4. the personal data have been unlawfully processed;
    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    5. for the establishment, exercise or defence of legal claims.


Documentation



    Process for documentation of processing activities

    The process should at least inform about (1) who is responsible for the documentation, (2) by which means the documentation should take place and (3) in which way data processing activities are to be documented. This might be accomplished by a documentation directive.


    Documentation of processing activities

    The documentation should be realized either by manual or technical means such as a data protection management system.



Art. 30 GDPR: Records of processing activities

  1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
    1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
    2. the purposes of the processing;
    3. a description of the categories of data subjects and of the categories of personal data;
    4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
    5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    6. where possible, the envisaged time limits for erasure of the different categories of data;
    7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
  2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
    1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
    2. the categories of processing carried out on behalf of each controller;
    3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
  3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
  4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
  5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.


Data Security



    Risk Identification

    All internal and external data protection risks to personal information have to be identified in order to determine whether sufficient technical and organizational security measures have been implemented.


    Concept for establishing and maintaining appropriate data security

    It should be defined which technical and / or organizational measures must be implemented under which circumstances.


    Implementation and maintenance of appropriate security safeguards

    The controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the detected data protection risks.


    Process for monitoring effectiveness of implemented security measures

    Once implemented, the effectiveness of the safeguards must be verified regularly and, where required, updated in response to new risks or deficiencies.


    Definition and documentation of process for access right allocation

    According to the "need-to-know" principle, the access rights of a particular position in the company must be limited to the extent necessary for the fulfillment of the position's tasks. It must be defined by whom and under which conditions access rights are allocated. The process could be defined in a data security directive.



Art. 32 GDPR: Security of processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
  4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.


Data Transfer



    Definition and documentation of criteria for lawful involvement of third parties (such as service providers) in data processing

    The criteria might be defined in a data transfer directive.


    Conclusion of relevant data processing contracts

    Since data processing contracts are one of the most important prerequisites of lawful data processing, the processing must not start before the relevant contract has been concluded.



Art. 28 GDPR: Processor

  1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
  2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
    1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    3. takes all measures required pursuant to Article 32;
    4. respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
    5. taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
    6. assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
    7. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
    8. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

    With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
  4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
  5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
  6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
  7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
  8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
  9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
  10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.


Art. 29 GDPR: Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.


Art. 26 GDPR: Joint controllers

  1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.


Transborder Information Flows



    Definition and documentation of conditions of lawful data transfer to third countries

    The conditions might be defined in a transborder data flow directive.


    Where necessary: implementation of additional security safeguards for data transfer

    Data transfers to third countries may only take place where an adequate level of protection is ensured.



Art. 46 GDPR: Transfers subject to appropriate safeguards

  1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
    1. a legally binding and enforceable instrument between public authorities or bodies;
    2. binding corporate rules in accordance with Article 47;
    3. standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
    4. standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
    5. an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
    6. an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
  3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
    1. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    2. provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
  4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
  5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.


Art. 47 GDPR: Binding corporate rules

  1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:
    1. are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
    2. expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
    3. fulfil the requirements laid down in paragraph 2.
  2. The binding corporate rules referred to in paragraph 1 shall specify at least:
    1. the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
    2. the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
    3. their legally binding nature, both internally and externally;
    4. the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
    5. the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
    6. the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
    7. how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
    8. the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
    9. the complaint procedures;
    10. the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
    11. the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
    12. the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
    13. the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
    14. the appropriate data protection training to personnel having permanent or regular access to personal data.
  3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).


Art. 49 GDPR: Derogations for specific situations

  1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
    1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
    2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
    3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    4. the transfer is necessary for important reasons of public interest;
    5. the transfer is necessary for the establishment, exercise or defence of legal claims;
    6. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    7. the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
    Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
  2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
  3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
  4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
  5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
  6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.


Webtracking



    Criteria for lawful webtracking activities

    For each potential webtracking activity, the criteria for lawful webtracking should be defined and documented. Suitable means: webtracking directive.


    Consent management tool

    Where consent is deemed necessary, it must be ensured that it is obtained in a lawful way by means of a consent management tool.



§ 25 TTDSG: Protection of privacy in terminal equipment

  1. The storage of information in the end user's terminal equipment, or access to information already stored in the terminal equipment, is only permitted if the end user has consented on the basis of clear and comprehensive information. The information provided to the end user and the consent shall be given in accordance with Regulation (EU) 2016/679.
  2. Consent pursuant to subsection 1 is not required
    1. if the sole purpose of storing information in the end user's terminal equipment, or the sole purpose of accessing information already stored in the end user's terminal equipment, is to carry out the transmission of a message over a public telecommunications network, or
    2. if the storage of information in the end user's terminal equipment, or access to information already stored in the end user's terminal equipment, is strictly necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.


Employment



    Definition and documentation of criteria for lawful employee data processing according to German law

    Since the German law provides for extra provisions regarding the processing of personal data in the employment context, the respective additional requirements and restrictions should be outlined in an employment data protection directive.


Section 26 FDPA: Data processing for employment-related purposes

  1. Personal data of employees may be processed for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract or to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and staff council. Employees’ personal data may be processed to detect crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason.
  2. If personal data of employees are processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. Consent shall be given in written or electronic form, unless a different form is appropriate because of special circumstances. The employer shall inform the employee in text form of the purpose of data processing and of the employee’s right to withdraw consent pursuant to Article 7 (3) of Regulation (EU) 2016/679.
  3. By derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for employment-related purposes shall be permitted if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data. Subsection 2 shall also apply to consent to the processing of special categories of personal data; consent must explicitly refer to these data. Section 22 (2) shall apply accordingly.
  4. The processing of personal data, including special categories of personal data of employees for employment-related purposes, shall be permitted on the basis of collective agreements. The negotiating partners shall comply with Article 88 (2) of Regulation (EU) 2016/679.
  5. The controller must take appropriate measures to ensure compliance in particular with the principles for processing personal data described in Article 5 of Regulation (EU) 2016/679.
  6. The rights of participation of staff councils shall remain unaffected.
  7. Subsections 1 to 6 shall also apply when personal data, including special categories of personal data, of employees are processed without forming or being intended to form part of a filing system.
  8. 1For the purposes of this Act, employees are
    1. dependently employed workers, including temporary workers contracted to the borrowing employer;
    2. persons employed for occupational training purposes;
    3. participants in benefits to take part in working life, in assessments of occupational aptitude or work trials (persons undergoing rehabilitation);
    4. persons employed in accredited workshops for persons with disabilities;
    5. volunteers working pursuant to the Youth Volunteer Service Act or the Federal Volunteer Service Act;
    6. persons who should be regarded as equivalent to dependently employed workers because of their economic dependence; these include persons working at home and their equivalents;
    7. federal civil servants, federal judges, military personnel and persons in the alternative civilian service.

    2Applicants for employment and persons whose employment has been terminated shall be regarded as employees.


Data Protection Organization




    Appointment of information officer

    The data protection officer should be appointed by means of a written appointment certificate that records the date of designation and the scope of the role.


    Registration of the data protection officer with the competent data protection authority

    The contact details of the appointed data protection officer must be published and communicated to the competent data protection authority (Art. 37 (7) GDPR).


    Definition and documentation of data protection roles

    A data protection management directive may be a suitable means to fulfill this requirement.


    Contact points for data protection

    Depending on the size of the company, each business department should provide for data protection contact points that are familiar with data protection requirements.


    Allocation of processing responsibility

    The responsibility for each data processing must be assigned to an individual role / person in the business departments. Suitable means: data protection management directive.


    Process for continuous assessment and monitoring of operational, legal and other data protection risks

    The data protection management directive should define the way risks are being detected, assessed, monitored and mitigated.


    Process for regular reporting of data protection status to legal and data protection department(s)

    It should be defined how the legal and data protection department(s) are kept informed of cases with data protection relevance, including the reporting channel, the reporting intervals and the minimum content of a report.


    Process and criteria for involvement of legal and data protection department(s) in data protection matters

    When should the legal / data protection department be involved in cases with data protection relevance and who are the respective contact persons? These questions should be answered in the data protection management directive.


    Process and criteria for involvement of other group companies in data protection matters with group relevance

    When should the legal / data protection department of another group company be involved in cases with data protection relevance and who are the respective contact persons? These questions should be answered in the data protection management directive.


    Data protection audits

    Data processing compliance is regularly assessed by means of data protection audits. Such audits should take place at least every two years.


    Where applicable: involvement of parent brand company (data protection officer)

    The current data protection status is to be continuously reported to the parent brand company (data protection officer).



Art. 37 GDPR: Designation of the data protection officer

  1. The controller and the processor shall designate a data protection officer in any case where:
    1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. 1In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. 2The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Art. 39 GDPR: Tasks of the data protection officer

  1. The data protection officer shall have at least the following tasks:
    1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
    2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    4. to cooperate with the supervisory authority;
    5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Art. 42 GDPR: Certification

  1. 1The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. 2The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. 1In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). 2Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
  3. The certification shall be voluntary and available via a process that is transparent.
  4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
  5. 1A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. 2Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
  6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
  7. 1Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. 2Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.
  8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.


Accountability



    Proof of compliance with core data protection principles

    Compliance with the accountability requirement may be demonstrated by cluster-specific directives that describe how the core data protection principles – lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality – are safeguarded in practice.


    Regular assessment of processing compliance

    Binding directives defining how the company ensures compliance with the core data protection principles should, on a regular basis, be checked against their actual implementation. Reports of systematic and independent audits of the compliance level achieved may serve as valuable evidence of accountability.



Art. 5 GDPR: Principles relating to processing of personal data

  1. Personal data shall be:
    1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).




What you should do before starting with the implementation





General Data Protection Regulation (GDPR)

The General Data Protection Regulation applies directly in all EU and EEA member states and is the primary law governing data protection in Germany as well. "Opening clauses" allow member states to regulate specific topics such as employee data protection. Nevertheless, if a national law conflicts with the GDPR, the European law prevails.


Federal Data Protection Act (BDSG)

The provisions of the Federal Data Protection Act supplement those of the GDPR on specific topics such as the processing of employee data and contain further specifications on matters that are already regulated in the GDPR, such as data subject rights. In addition, the BDSG regulates the processing of personal data by federal public bodies.



Authority enforcement

Each German "Bundesland" provides for at least one data protection authority that is equipped with comprehensive enforcement powers. Among others, the competent authority may carry out investigations, request access to personal data and to premises, and order a ban on data processing. Most importantly, data protection authorities may also impose heavy fines on companies for non-compliance with the law.


Reputational damage

Financial risks may result not only from fines but also from data protection incidents that have come to the public's attention. So-called "data breaches" regularly make the headlines of popular news channels. Once the media have become aware of an incident, the reputational damage resulting from it is hard to contain.



Data Protection Officer

If a company carries out large-scale processing of special categories of data, or generally tasks at least 20 persons permanently with the automated processing of personal data, a data protection officer has to be appointed and notified to the competent data protection authority. Since the requirements of the GDPR need to be fulfilled regardless of whether a data protection officer must be appointed, many companies voluntarily appoint one.


Data protection organization

Depending on the company's size, the proper implementation of data protection measures and the timely response to data protection requests may require the establishment of a data protection management organization. In many organizations, so-called data protection managers or data protection ambassadors are tasked with a variety of functions such as raising employee awareness, drafting records of processing activities and reporting incidents to the legal or data protection department.



Status analysis

While some companies have already implemented certain data protection measures, others start from scratch. The respective implementation level may be determined by means of a status analysis that should be carried out by an independent internal or external entity. The outcome of the analysis should be documented in an audit report that identifies the most critical data protection risks detected.


Formal steps

The further implementation of data protection measures should take place according to a binding action plan. It is of great importance to allocate roles and responsibilities in a transparent way to ensure smooth handling of data protection tasks within all relevant departments. This may be realized by means of guidelines and templates.






Assistance

Do you need assistance with the implementation of data protection requirements?



We are

familiar with implementation particularities of small and large businesses

experienced in communication with data protection authorities

known for our pragmatic approach, understanding data protection as an enabling practice