THALES DSMS - The THALES data protection management system


As lawyers who advise in the sensitive areas of data protection and information security, we know that orderly data protection management without appropriate technical support remains wishful thinking. That is why we always manage our clients via our in-house THALES DSMS. This, of course, at no additional cost to you.

The THALES DSMS is a web-based application based on a software solution that meets all data protection and information security requirements and is combined with our many years of law firm expertise. It is a SaaS service (Software as a Service) that can be used anytime and anywhere.

You as a client and your employees receive read and write access to this system from us as required. This means that the current status of your data protection management is always transparent for you and you can meet your accountability to supervisory authorities at any time - virtually from a standing start. Access is possible via all common end devices.

Since the system is managed by us, you only have to deal with it yourself to the extent you wish. Of course, your employees can be instructed in the system if required.

If you or your employees want to work in the system, the selection menus in each module (processing directory, technical-organisational measures, document pyramid, and much more), which we have compiled to suit your industry, will help you to process your data quickly and efficiently.

In addition, due to our many years of activity in almost all matters, we have corresponding templates for the creation of AVV (order processing agreements), declarations of consent, data protection information, guidelines and directives etc.

Security and accountability

The THALES DSMS only uses secure data centres in Germany. This guarantees a high data protection standard as well as good availability of our systems. Furthermore, our hosting partners are ISO 27001 certified and have a regularly audited information security management system (ISMS) in place.

All data exchanged (sent and received) between a computer used and the THALES DSMS is secured with SSL/TLS encryption. Third parties are therefore unable to view the data traffic.

It goes without saying that we have a proper order processing agreement in accordance with Art. 28 DSGVO with our order processors who support us in the operation of the THALES DSMS and we regularly satisfy ourselves of compliance with all security standards.

In this way, you can easily and securely fulfil your documentation and accountability obligations at any time via our THALES DSMS. In all modules, you can also download your data protection documentation as a file export (e.g. Word, Excel, CSV or PDF documents) for further use at the touch of a button.

The related data protection information as an authorised user of our THALES DSMS can be viewed at

Order processing agreements (AVV) on the THALES DSMS

You always have an overview of your commissioned processing operations via our THALES DSMS. You can upload a customer or service provider and the associated data and contracts for each commissioned processing in accordance with Article 28 of the GDPR, document them and store them for us to check. In addition, you can easily use the integrated self-disclosure for service providers to fulfil your control obligations in a straightforward manner.

Technical and organisational measures (TOM)

Both your own technical-organisational measures for the security of your data and those of your order processors are simply and clearly documented and checked by us. The same applies to the applications and systems you use.

Register of Processing Activities (VVT)

The directory of processing activities with all the necessary information is available to you at any time. Our templates also allow you to quickly create the directory should there still be a need for action.

Since the directory is linked to other modules of the THALES DSMS, such as commissioned processing, data and IT inventory, technical and organisational measures, etc., changes in one place are immediately adopted in the other. This ensures data integrity and up-to-dateness at all times and enables a holistic review of your processing activities from all necessary aspects.

In addition, you can optionally include your specialist departments in the processing of the VVT by assigning corresponding write authorisations through our office. Since the system documents every change made to the directory, the necessary auditing security is also ensured.

At the push of a button, it is possible to create an internal directory or the mandatory directory for supervisory authorities according to Art. 30 DSGVO in file format at any time.

Extinguishing concept

Since we also store the required storage period and deletion periods for the respective processing activities (expertise ensured), we can create a corresponding deletion table via the THALES DSMS, which then only needs to be implemented in your company. The latter is certainly still a challenge, but we will support you in word and deed.

Tasks, measures and project plan

Without a planned approach, goals are difficult to achieve. This also applies to the development of a data protection management system. As our client, we create an action and project plan tailored to your specific needs in the THALES DSMS and document the progress of the project in it, which you can view at any time.

Using the task management in the THALES DSMS, we can also involve your employees at any time and delegate tasks and remind them of tasks to be completed.

Other functions ...

The THALES DSMS offers many more functions for data protection management. These include among others

  • a secure communication system,
  • a Secure Data Room for the secure exchange of data,
  • task and report management,
  • the secure documentation of data protection and security incidents,
  • the processing of data subject submissions (e.g. assertion of the right to information, correction, deletion)
  • Preparation of necessary contracts for joint responsibility (Joint Controllership, Art. 26 GDPR)