Data Protection Compliance in Germany

Data Protection Compliance in Germany in Three Steps

All companies and NPOs need data protection concepts

Whether start-ups or international group companies, banks or insurers, or even nonprofit organizations such as charitable foundations, associations or federations: anyone who processes personal data commercially in Germany will have to take due account of data privacy and compliance.


Features of data protection compliance in Germany

This involves more than compliance with the rules of the European General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG-neu). Privacy rules are also contained in numerous other laws that set out industry-specific aspects of data protection or address overlapping issues, for instance the

  • Telecommunications Act,
  • Social Security Codes,
  • Anti Money Laundering Act, or
  • Payment Services Supervision Act.

Data protection concept must be demonstrable at all times

Under the provisions of the GDPR, an organization's responsibility is no longer limited to "living" in compliance with data protection requirements, as was common practice under the old Federal Data Protection Act. It must also be able at all times to actively demonstrate its data protection concept as part of so-called accountability.


Privacy and Cyber Security in Germany 2023
(Chapter in the Law Review series)

Our privacy experts contributed a chapter on data protection in Germany to the handbook The Privacy, Data Protection and Cybersecurity Law Review.


Three steps to legal certainty in data protection

WINHELLER's data protection experts provide cross-industry advice to domestic or foreign companies or nonprofit organizations and develop tailor-made data protection compliance concepts depending on the type, size, and focus of an enterprise.

In this context, we proceed in three steps:

1. Vulnerability assessment of data protection system

  • Analysis of the existing data protection organization by on-site or remote interviews with the responsible persons and examination of documents and contracts
  • Where necessary, audit and assessment of the existing data protection concept
  • Identification of defects and weaknesses
  • Risk assessment based on identified weaknesses taking account of developments in the legal framework, the focus of supervisory authorities, and the market situation
  • Recommendation of specific actions to minimize the risks for the data subjects and the resulting liability risk for the data controller

2. Individual data protection concept

  • Preparation of a data protection concept meeting your requirements
  • Advice on how to fulfill your documentation obligations
  • Preparation of information on data processing to be provided to data subjects according to Articles 13, 14 GDPR, particularly the preparation of legally compliant privacy statements for websites
  • Assistance in preparing and maintaining a record of processing activities pursuant to Article 30 GDPR for controllers and processors
  • Implementation and/or adaptation of contract management (preparation of data processing agreements, EU standard contractual clauses, joint control agreements, intra-group agreements, shared services agreements, non-disclosure agreements, confidentiality declarations, etc.); review and, if necessary, revision of privacy-related clauses in contracts, articles of association, general terms and conditions, etc.
  • Where necessary, preparation or adaptation of company agreements relating to data protection or to the introduction and maintenance of technical systems
  • Advice on the implementation of the technical and organizational measures (TOM) required under the GDPR
  • Preparation of legally compliant declarations of consent and advice on the practical and technical implementation of opt-in/opt-out solutions
  • Ensuring data minimization by the technical design and default privacy settings (privacy by design/default)
  • Preparation of a concept for the storage and/or deletion of data
  • Advice on required data protection impact assessments pursuant to Article 35 GDPR
  • Introduction of a process designed to ensure and implement the rights of data subjects (access, rectification, erasure, blocking of data, rights of revocation and objection)
  • Introduction of a process for the notification of data breaches or data incidents (data breach management)
  • Preparation of a training concept for enhancing employee awareness

3. Long-term assistance in your daily business on all matters of data protection law

  • Role as an external data protection officer for your organization and/or providing consultancy and support to the internal data protection officer on an individual case basis
  • Advice on contracts with customers and external service providers or in case of data exchanges within a group of companies at the national or international level
  • Handling complaints by data subjects
  • Assistance in communications with the competent supervisory authority
  • Employee or manager training
  • Feasibility studies and expert opinions on planned projects
  • Coordination of your data protection concept with your IT security officer
  • Consultancy for works council or staff council representatives

Our services in German data protection compliance

If you are seeking assistance in making your company or nonprofit organization fit in terms of data protection, our team will be glad to assist you. We will be pleased to prepare an individual proposal for your organization. Let us take the burden of privacy compliance off your shoulders, while you concentrate on your day-to-day business.

Your attorney for data protection compliance

Our attorneys are happy to help with any questions relating to data protection compliance. The easiest way to reach us is by e-mail or by phone (+49 69 76 75 77 80). Please do not hesitate to contact us with any questions.
