Data protection for companies simply explained

Creating a privacy policy or data protection manual

Under the EU General Data Protection Regulation, companies are required to comply with the legal requirements in data protection not just selectively, but structurally. Specifically, this means that in the event of an audit, a company must not only be able to prove that it was acting in compliance with data protection regulations at a certain point in time. Rather, it must be able to demonstrate that the company is continuously run in compliance with data protection requirements. The legal basis for this can be found in Article 5 (2) of the EU General Data Protection Regulation.
Therefore, the data protection supervisory authorities generally recommend that companies – depending on their size – address the data protection requirements by creating either a privacy policy or a data protection manual.

To that end, our Privacy Kit for smaller companies comes with a privacy policy and our Compliance Kit 2.0 for larger companies is structured in such a way that it offers an integrated data protection manual.

Keeping a record of processing activities

Companies are also required to document their processing activities in a written record. In other words, after reviewing a company’s record of processing activities, an employee from a supervisory authority who does not have detailed information about your processing activities should be able to obtain a general overview of items including which employees process data, how data is processed, which data is processed, when data is deleted, and which technical security measures are in place. The legal basis for this is Article 30 of the EU General Data Protection Regulation.
Therefore, both the Privacy Kit and the Compliance Kit 2.0 come with templates to document your processing activities in a written record. We also issue recommendations and explain which processing activities a company must document first. If needed, we can provide you with forms which are partially filled out but which you need to complete. The completed documents can then be uploaded to the Privacy Kit or the Compliance Kit 2.0. This means that they are automatically versioned and given a time stamp. It also means that your company is automatically in compliance with the increasing mandate to document ongoing data protection practices at your company.

Contracts with third-party service providers

When outsourcing data processing activities, companies are required to conclude a data protection contract with the service provider (i.e., a so-called Data Processing Addendum). According to the authorities, this usually applies to the following:

  • data processing work for wage and salary statements or financial accounting
  • advertising address list processing
  • the outsourcing of a portion of the in-house telecommunications system operation
  • the outsourcing of the email administration or data services concerning websites
  • data recording, microfilming, or data conversion
  • backup storage
  • data carrier disposal

The legal basis for this is articulated in Article 28 of the EU General Data Protection Regulation. The Privacy Kit or Compliance Kit 2.0 also comes in handy here: first, to obtain contract templates and, second, to upload concluded contracts, so that you can document your company’s compliance with the legal requirements for data protection.


IT security and data protection

By increasing fines for violations, the EU General Data Protection Regulation has reinforced the requirement for companies to keep their IT systems secure in accordance with industry standards (as regulated by law in Article 32 of the EU General Data Protection Regulation). In other words, companies must provide sufficient means to ensure that their IT systems are always up to date with the latest technology, to the extent that this is customary in the industry and affordable. As you can tell by the wording, since this requirement depends on specific case-by-case details, it is subject to constant variability and cannot be pinned down beforehand.
But one thing is certain: If IT systems significantly fall below minimum standards, they must not be used to process personal data. The data protection supervisory authorities will therefore gradually enforce compliance with certain minimum standards. This includes, for example, notebook encryption, server-side email encryption, and deactivating operating systems that can no longer be updated. Furthermore, the supervisory authorities usually interpret the IT security requirements to mean that companies should continuously review their IT requirements – in analogy to, for example, the requirements for ISO27001 certification in information security management.

The Privacy Kit and the Compliance Kit 2.0 both include templates to document your company’s IT measures, as well as a data protection concept. Moreover, we keep a list of minimum IT standards which, in our opinion, companies should not undercut; the list can also be used to quickly check your company’s in-house IT.

Website privacy policy and information for data subjects

Under the EU General Data Protection Regulation, data subjects must be notified about data processing operations (see Articles 13 and 14 of the EU General Data Protection Regulation). In other words, when a company collects and processes a data subject’s personal data, the data subject needs to receive detailed information explaining what the data is being used for.

This also applies to data collection on a website. Therefore, we usually recommend that you both notify the data subject and post a website privacy policy since you thereby comply with your information obligations. The Privacy Kit and the Compliance Kit 2.0 both offer the appropriate templates.

Appointing a data protection officer and notifying the data protection supervisory authority

Companies are required to appoint a data protection officer. The requirement is based on Article 37 of the EU General Data Protection Regulation (possibly in conjunction with Section 38 of the BDSG (Federal Data Protection Act)). The data protection officer must be registered with the supervisory authority. Most data protection supervisory authorities have since launched a web portal on their website, where companies can register their data protection officer.

The Privacy Kit includes the appointment of a data protection officer for small companies. The Compliance Kit 2.0 offers internal or external data protection officers all the tools they need to implement data protection.

Raising awareness and training employees

The EU General Data Protection Regulation is to be understood as stating that the company or data protection officer must train employees (this can be inferred from the “accountability obligation” in Article 5 (2) of the EU General Data Protection Regulation). The scope of training depends on the industry and company size and can vary by department. Due to the increase in requirements obliging companies to verify compliance with data protection, companies are required to document the implementation of training measures.

Furthermore, employees must be mandated to comply with data protection requirements when commencing work at a company. The Privacy Kit and the Compliance Kit 2.0 both offer templates for this. The Privacy Kit and the Compliance Kit 2.0 also give you access to our web-based eLearning platform which you can use to train your employees – by email – in data protection. Successful completion of the training is archived in an audit-proof manner. The Privacy Kit includes the basic training modules and the Compliance Kit 2.0 comes with the full selection of available training modules. All training modules are available in both German and English. If necessary, our web-based eLearning system can be purchased separately from the Privacy Kit or Compliance Kit 2.0.

Data protection impact assessment

If systems carry out high-impact processing, companies must conduct a detailed data protection check (i.e., a data protection impact assessment according to Article 35 of the EU General Data Protection Regulation). The Privacy Kit and the Compliance Kit 2.0 include templates for this check which, after processing, can be archived in our system to ensure that the legally required documentation is in place.

Reporting obligations in the event of data breach

Under the EU General Data Protection Regulation, the increasing mandate to inform the supervisory authority or, additionally, the data subject in the event of data loss is particularly critical for companies. Details can be found in Article 33 of the EU General Data Protection Regulation.

The Privacy Kit and the Compliance Kit 2.0 include the appropriate templates as well as accompanying materials to help manage the data breach response process.

Exercising the rights of data subjects

Under the EU General Data Protection Regulation, data subjects are entitled to assert certain rights (e.g., to information, erasure, rectification, freezes, publication, etc.) in the workplace. The objective is to give data subjects the opportunity to exercise a say, as protected by their fundamental legal rights, in how their personal data is to be used.

Here, too, the Privacy Kit and Compliance Kit 2.0 contain diagrams and templates, which you can use to respond to data subjects in compliance with data protection law when they assert their rights.
