Data Protection Compliance in Germany in Three Steps

Under the provisions of the GDPR, the major responsibility of any organization is no longer limited to "living" in compliance with data protection requirements - as was actually common practice in the old Federal Data Protection Act - but also to be able at all times to actively demonstrate such concept as part of the so-called accountability.

WINHELLER's data protection experts provide cross-industry advice to domestic or foreign companies or nonprofit organizations and develop tailor-made data protection compliance concepts depending on the type, size, and focus of an enterprise.

In this context, we proceed in three steps:

• Analysis of the existing data protection organization by on-site or remote interviews with the responsible persons and examination of documents and contracts
• Where necessary, audit and assessment of the existing data protection concept
• Identification of defects and weaknesses
• Risk assessment based on identified weaknesses taking account of developments in the legal framework, the focus of supervisory authorities, and the market situation
• Recommendation of specific actions to minimize the risks for the data subjects and the resulting liability risk for the data controller

• Preparation of a data protection concept meeting your requirements
• Advice on how to fulfill your documentation obligations
• Preparation of information on data processing to be provided to data subjects according to Articles 13, 14 GDPR, particularly the preparation of legally compliant privacy statements for websites
• Assistance in preparing and maintaining a record of processing activities pursuant to Article 30 GDPR for controllers and processors
• Implementation and/or adaptation of contract management (preparation of data processing agreements, EU standard contractual clauses, joint control agreements, intra-group agreements, shared services agreements, non-disclosure agreements, confidentiality declarations, etc.); review and, if necessary, revision of privacy-related clauses in contracts, articles of association, general terms and conditions, etc.)
• Where necessary, preparation or adaptation of company agreements relating to data protection or to the introduction and maintenance of technical systems
• Advice on the implementation of the technical and organizational measures (TOM) required under the GDPR
• Preparation of legally compliant declarations of consent and advice on the practical and technical implementation of opt-in/opt-out solutions
• Ensuring data minimization by the technical design and default privacy settings (privacy by design/default)
• Preparation of a concept for the storage and/or deletion of data
• Advice on required data protection impact assessments pursuant to art. 35 GDPR
• Introduction of a process designed to ensure and implement the rights of data subjects (access, rectification, erasure, blocking of data, rights of revocation and objection)
• Introduction of a process for the notification of data breaches or data incidents (data breach management)
• Preparation of a training concept for enhancing employee awareness

• Role as an external data protection officer for your organization and/or providing consultancy and support to the internal data protection officer on an individual case basis
• Advice on contracts with customers and external service providers or in case of data exchanges within a group of companies at the national or international level
• Handling complaints by data subjects
• Assistance in communications with the competent supervisory authority
• Employee or manager training
• Feasibility studies and expert opinions on planned projects
• Coordination of your data protection concept with your IT security officer
• Consultancy for works council or staff council representatives