Data Protection Compliance in Germany in Three Steps
All companies and NPOs need data protection concepts
Whether start-ups or international group companies, banks or insurance companies, or even charitable nonprofit organizations such as foundations, associations or clubs: anyone who processes personal data commercially has to take due account of data protection.
The data protection concept must be demonstrable at all times
This involves more than compliance with the rules of the European General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG-neu). Privacy rules are also contained in numerous other laws that set out industry-specific aspects of data protection or address related issues, for instance the Telecommunications Act, the Social Security Codes, the Anti Money Laundering Act, or the Payment Services Supervision Act. In addition, the so-called ePrivacy directive, which is intended to provide specific rules for data protection in e-commerce, is expected soon.
Under the GDPR, the main responsibility of any organization is no longer limited to "living" in compliance with data protection requirements, as was common practice in the era of the old Federal Data Protection Act. It must also be able, at all times, to actively demonstrate that compliance as part of the so-called accountability principle.
Three steps to legal certainty in data protection
WINHELLER's data protection experts provide cross-industry advice to domestic or foreign companies or nonprofit organizations and develop tailor-made data protection compliance concepts depending on the type, size, and focus of an enterprise.
In this context, we proceed in three steps:
1. Vulnerability assessment of the data protection system
- Analysis of the existing data protection organization by on-site or remote interviews with the responsible persons and examination of documents and contracts;
- Where necessary, audit and assessment of the existing data protection concept;
- Identification of defects and weaknesses;
- Risk assessment based on identified weaknesses taking account of developments in the legal framework, the focus of supervisory authorities, and the market situation;
- Recommendation of specific actions to minimize the risks for the data subjects and the resulting liability risk for the data controller.
2. Individual data protection concept
- Preparation of a data protection concept meeting your requirements;
- Advice on how to fulfill your documentation obligations;
- Preparation of information on data processing to be provided to data subjects according to Articles 13, 14 GDPR, particularly the preparation of legally compliant privacy statements for websites;
- Assistance in preparing and maintaining a record of processing activities pursuant to Article 30 GDPR for controllers and processors;
- Implementation and/or adaptation of contract management (preparation of data processing agreements, EU standard contractual clauses, joint control agreements, intra-group agreements, shared services agreements, non-disclosure agreements, confidentiality declarations, etc.); review and, if necessary, revision of privacy-related clauses in contracts, articles of association, general terms and conditions, etc.;
- Where necessary, preparation or adaptation of company agreements relating to data protection or to the introduction and maintenance of technical systems;
- Advice on the implementation of the technical and organizational measures (TOM) required under the GDPR;
- Preparation of legally compliant declarations of consent and advice on the practical and technical implementation of opt-in/opt-out solutions;
- Ensuring data minimization by the technical design and default privacy settings (privacy by design/default);
- Preparation of a concept for the storage and/or deletion of data;
- Advice on required data protection impact assessments pursuant to Article 35 GDPR;
- Introduction of a process designed to ensure and implement the rights of data subjects (access, rectification, erasure, blocking of data, rights of revocation and objection);
- Introduction of a process for the notification of data breaches or data incidents (data breach management);
- Preparation of a training concept for enhancing employee awareness.
3. Long-term assistance in your daily business on all matters of data protection law
- Role as an external data protection officer for your organization and/or providing consultancy and support to the internal data protection officer on an individual case basis;
- Advice on contracts with customers and external service providers or in case of data exchanges within a group of companies at the national or international level;
- Handling complaints by data subjects;
- Assistance in communications with the competent supervisory authority;
- Employee or manager training;
- Feasibility studies and expert opinions on planned projects;
- Coordination of your data protection concept with your IT security officer;
- Consultancy for works council or staff council representatives.
If you are seeking assistance in making your company or NPO fit for data protection, our team will be glad to help. We will be pleased to prepare an individual proposal for your organization.
Your attorneys for data protection compliance
Let us take the burden of privacy compliance off your shoulders, while you concentrate on your day-to-day business. Your contacts in case of any questions relating to data protection concepts are Attorney Olga Stepanova and Commercial Lawyer Stefanie Fischer. The easiest way to reach us is by e-mail (firstname.lastname@example.org) or by phone (+49 (0)69 76 75 77 80). Please do not hesitate to contact us with any questions.