Data Protection Consulting

Data protection is a fundamental right and helps to build trust with customers, employees and protects the basic right to informal self-determination. Furthermore smart data protection supports your digitalization and helps to define sustainable digital infrastructures.

The basic data protection regulation (GDPR) applies to the processing of personal data within the EU and non-European companies, that process data within the EU. In practice, it mainly affects companies and government agencies. The more sensitive the data processing, the higher the requirements. Excluding data processing in the personal and family area.

What data is considered personal data under the GDPR?

Personal data is all information that relates to a natural person or makes a natural person identifiable. This includes almost all data if it is associated with a person. Personal data includes:

• name
• address
• email address
• application documents
• protocols on access of persons to buildings
• picture and video material on which persons are recognizable
• IP addresses
• the vehicle number plate
• video or photo recordings
• etc.

Documentation obligations result essentially from the principle of accountability. Those are responsible for data protection and must be able to prove at any time, that they meet the requirements of data protection. The documentation is a key factor for the  implementation of data protection processes.

Among other things, the implementation of data security trainings, the establishment of a data security management or the concept of deletion and authorization needs to be documented.

1. Strengthening of trust towards employees and customers
2. Ensuring compliance
3. Pragmatic data protection supports processes and does not complicate them
4. Protection from fines
5. Protection against image damage
6. Data protection gives modern IT structure
7. Data protection is a fundamental rights protection

Data protection is a management task! The management is responsible for the implementation of data protection requirements.
Ultimately, however, each employee is also responsible for the compliance of data protection within the scope of his/her own role. The management and the executives are responsible for planning and implementing suitable measures for the implementation of data privacy. This also requires the establishment of an effective data privacy management system. Data privacy officers execute the function of advising on the implementation and working towards data security.

The obligation to order a DPO basically exists if parts of your business purpose include the processing of personal data (e.g. recruitment agency or call centre) or if more than 10 persons are regularly employed with the processing of personal data (e.g. the case with large personnel departments).

The data protection officer may be whoever has the necessary qualifications and in particular the necessary specialist knowledge. Both, internal employees and external service providers can be appointed as data protection officers. Data protection officers are not bound by instructions in their work and should be free towards conflicts of interest. For this reason, they are usually directly assigned to the management. Due to possible conflicts of interest, managing directors are excluded from the role of data protection officers.

The protection policy is regulated in the Articles 12 to 14 GDPR and is a part of the DSGVO which will be revised in the future. Currently, the information in accordance to these articles must always be provided when personal data is processed. As this often leads to organisational problems in practice, the data protection declaration is often outsourced to the company’s website in order to provide information to those who are affected in the most pragmatic way possible.

Data privacy training is not explicitly required by law. However, the GDPR requires the implementation of appropriate measures to ensure data protection. This includes the regular training of employees involved in the processing of personal data. In practice, it is not necessarily the craftsman working on customer assignments who needs to be trained. The employees of the personnel department and the IT administrators do need to be trained!

A breach of data protection ultimately means that the regulations of the GDPR or other data protection regulations were not observed. However, since minor violations of data protection are commonplace and even occur at the supervisory authorities, the term data protection violation usually refers to reportable data protection breakdowns or violation subjects to a fine. A data protection breach results from the fact that rules are not observed, for example: Companies have not implemented a deletion concept or data has been stolen.

If a violation of data protection occurs in your company, you are obliged under Art. 33 GDPR to report it to the supervisory authority within 72 hours, which is responsible for your company. Most supervisory authorities have an online form for this purpose. It is possible to make a preliminary notification to comply with the tight deadline, if the matter has not been fully clarified yet. However, a data protection breach can only be assumed if the breach also poses a risk to the rights and the freedom of the data subjects.