Are you looking for a smart start with your data protection, an external data protection officer or a project manager to conduct a data protection impact assessment?
First, I'm not a lawyer, therefore I cannot offer legal advice on data protection. But I am a DEKRA-certified specialist for data protection, and I can support and advise you in implementing the legal requirements in your enterprise.
With appropriate templates and a standardized procedure, gaps can be identified quickly and closed with suitable measures. The following GDPR service offers may interest you:
You can engage me as a consultant or as an external data protection officer. For your information: an external data protection officer has no statutory protection against dismissal.
You should have the FAQ topics on your radar, because the controller is obliged to provide the supervisory authority with supporting documents demonstrating compliance with the data protection measures defined within the enterprise.
FAQs on data privacy
When do I need a privacy policy for my website?
A privacy policy for the website is required as soon as personal data is processed or transmitted, for example when personal data is entered in a contact form or when links to external websites transmit the visitor's IP address.
When do I need consent for the storage and processing of customer data?
In general, you need either a legal basis or consent for the storage and processing of personal data. With consent you may, for example, extend the storage period of the data or process it for further purposes.
Do I have to oblige and instruct my employees to comply with the General Data Protection Regulation?
The controller is obliged to provide the supervisory authority with supporting documents demonstrating compliance with the data protection measures defined within the enterprise. Therefore, it is recommended to oblige and train the employees annually.
Do I need the records of processing activities?
The law sets the threshold at fewer than 250 employees. But as soon as you have employees, you usually process religious affiliation in payroll accounting; this is a special category of personal data, and therefore you need the records of processing activities. Irrespective of this, it is advisable to make an "inventory" of your personal data and to name the deletion periods for each category. Why, you ask? With the GDPR the principles of data minimization and storage limitation apply. Accordingly, the records can serve as a basis for the required deletion concept.
When do I need a data protection impact assessment?
You need a data protection impact assessment if the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons.
Do I need a deletion concept?
With the GDPR the principles of data minimization and storage limitation apply; hence you should have some kind of deletion concept.
What are technical and organizational measures (TOMs)?
By law every enterprise must ensure an adequate level of protection in the processing of personal data. The technical and organizational measures are the basis for this and hence they are important cornerstones of data protection in your enterprise.
Do I need a weighing of interests for video surveillance?
According to § 4 BDSG (Federal Data Protection Act), video surveillance of publicly accessible areas is only permissible for exercising the householder's rights (domestic authority) or for pursuing legitimate interests for specifically defined purposes. Furthermore, there must be no indication that the interests of the persons concerned that require protection outweigh this. These points should be evaluated and documented before installing the video surveillance.
When do I need consent for photographs?
Consent to photographs is required as soon as you publish pictures of your employees on your homepage or on social media. You should point out that photos on the internet can be accessed by anyone and that it cannot be ruled out that they will be used for other purposes or passed on to other persons.
When do I need a contract or agreement with a processor?
A typical example is your web host or cloud provider, where the processing is normally carried out on behalf of the controller. The contractor, i.e. the processor, must provide sufficient guarantees that appropriate technical and organizational measures are implemented in such a manner that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject. For this you need a contract or agreement.
PS: You do not need such a contract with your tax adviser or lawyer, because they are not bound by instructions.
However, if your company is in North Rhine-Westphalia or Baden-Württemberg, you do need a contract for payroll accounting. Why? Because the local supervisory authorities consider payroll accounting to be work that is bound by instructions.
When do I need a data protection officer?
A data protection officer is required if at least ten persons (in future 20) are regularly engaged in the automated processing of personal data. Fitters or production workers are not counted, as they work with personal data only occasionally rather than regularly.
How do I deal with group companies or agencies whose registered office is not in the EU but in a third country?
If personal data are transferred to countries outside the EU (so-called third countries such as Serbia, the USA or China), this requires either an EU adequacy decision, as exists for Switzerland, or appropriate safeguards.
Appropriate safeguards can be either the EU standard data protection clauses (which must be adopted unchanged) or binding corporate rules (BCR), which are suitable for international groups with internal data exchange.