Data Protection Compliance in Germany in Three Steps

Whether start-ups or international group companies, banks or insurances, or even charitable nonprofit organizations, like foundations, associations or clubs: Anyone who processes personal data commercially will have to take due account of data protection.

WINHELLER's data protection experts provide cross-industry advice to domestic or foreign companies or nonprofit organizations and develop tailor-made data protection compliance concepts depending on the type, size, and focus of an enterprise.

In this context, we proceed in three steps:

• Analysis of the existing data protection organization by on-site or remote interviews with the responsible persons and examination of documents and contracts;
• Where necessary, audit and assessment of the existing data protection concept;
• Identification of defects and weaknesses;
• Risk assessment based on identified weaknesses taking account of developments in the legal framework, the focus of supervisory authorities, and the market situation;
• Recommendation of specific actions to minimize the risks for the data subjects and the resulting liability risk for the data controller.

• Preparation of a data protection concept meeting your requirements;
• Advice on how to fulfill your documentation obligations;
• Preparation of information on data processing to be provided to data subjects according to Articles 13, 14 GDPR, particularly the preparation of legally compliant privacy statements for websites;
• Assistance in preparing and maintaining a record of processing activities pursuant to Article 30 GDPR for controllers and processors;
• Implementation and/or adaptation of contract management
  (preparation of data processing agreements, EU standard contractual clauses, joint control agreements, intra-group agreements, shared services agreements, non-disclosure agreements, confidentiality declarations, etc.); review and, if necessary, revision of privacy-related clauses in contracts, articles of association, general terms and conditions, etc.
• Where necessary, preparation or adaptation of company agreements relating to data protection or to the introduction and maintenance of technical systems;
• Advice on the implementation of the technical and organizational measures (TOM) required under the GDPR;
• Preparation of legally compliant declarations of consent and advice on the practical and technical implementation of opt-in/opt-out solutions;
• Ensuring data minimization by the technical design and default privacy settings (privacy by design/default);
• Preparation of a concept for the storage and/or deletion of data;
• Advice on required data protection impact assessments pursuant to art. 35 GDPR;
• Introduction of a process designed to ensure and implement the rights of data subjects (access, rectification, erasure, blocking of data, rights of revocation and objection);
• Introduction of a process for the notification of data breaches or data incidents (data breach management);
• Preparation of a training concept for enhancing employee awareness.

• Role as an external data protection officer for your organization and/or providing consultancy and support to the internal data protection officer on an individual case basis;
• Advice on contracts with customers and external service providers or in case of data exchanges within a group of companies at the national or international level;
• Handling complaints by data subjects;
• Assistance in communications with the competent supervisory authority;
• Employee or manager training;
• Feasibility studies and expert opinions on planned projects;
• Coordination of your data protection concept with your IT security officer;
• Consultancy for works council or staff council representatives

If you are seeking assistance in making your company/NPO fit for data protection, our team will be glad to assist you. We will be pleased to prepare an individual proposal for your organizations.