The introduction of the EU General Data Protection Regulation has led to greater responsibility for companies when processing personal data.
Here is a brief overview:

Data Protection Officer

Under certain conditions, you are obliged to appoint a data protection officer and to register him or her with your supervisory authority. As a rule, this is automatically the case if you have more than 20 employees. Through the newly introduced obligation to notify, the supervisory authorities can precisely track which companies are obliged to appoint a data protection officer. Failure to appoint a data protection officer, despite the obligation to do so, may result in fines.

Prohibition with reservation of permission

Personal data may only be processed by you if you can rely on a legal basis to do so. In addition to the basic Article 6 of the EU General Data Protection Regulation, there are a variety of other provisions in your national legislation that you must take into account in data protection. Data processing without specific legal permission is prohibited. A violation can lead to heavy fines.

Data subjects' rights

Your employees, customers and service providers, in short all the people whose data you process, have

  • a right to information,
  • a right to rectification of data,
  • a right to data transmission, and
  • a right to data blocking.

They can raise an

  • Objection

against certain processing operations and, under certain conditions, may also request the

  • Deletion

of their personal data.

You must ensure that you can comply with these rights within the prescribed time limits.

Data protection management

In order to comply with the requirements of the EU General Data Protection Regulation, you need a system that is able to manage all interactions in data protection. Without many years of experience and the corresponding expertise, this is a time-consuming and costly undertaking. Since the EU General Data Protection Regulation came into force, more and more data subjects are aware of their rights and, from experience, are quick to turn to the supervisory authorities. This way, you can quickly come into the focus of supervisory authorities who are obliged to consistently pursue compliance with the General Data Protection Regulation.

Overview of processing activities

Normally, you are obliged to keep an overview of your processing of personal data in accordance with Art. 30 of the EU General Data Protection Regulation and to prove this to the supervisory authority upon request. This is easier said than done. Without an analysis of all company processes, it is not possible to prepare the inventory. Organising the upkeep of this overview also brings challenges. Where only the legal requirements are worked through, as is often the case, it is easily overlooked that the overview of processing activities is the central tool for data protection compliance. An interactive directory makes your life easier. Sluggish filing of information in dead files is just dead weight.

Technical and organisational measures

If you process personal data, you are obliged to ensure its security. This is done through so-called technical and organisational measures. The measures you need to take depend on the risks your data processing entails for your data subjects. The necessary risk analyses and data protection impact assessments should be carried out by an expert and, above all, an independent party if you do not want to fall into unnecessary cost traps.

Basic principles

For all processing of personal data, you must always ensure that you comply with the basic principles of the EU General Data Protection Regulation. These are the principles of

  • Lawfulness
  • Processing in good faith
  • Transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

For each processing operation you keep in your overview of processing activities, you must have taken each individual principle into account. Otherwise, you risk heavy fines from your supervisory authority.

Involvement of service providers

Depending on the extent to which you use service providers, you have to observe certain requirements. You may need to conclude data processing agreements (AVV) or joint responsibility agreements. You need to be particularly careful when engaging companies that are not established in the European Union. Without legal expertise, this can be expensive. In the past, the supervisory authorities have already severely sanctioned contractual deficiencies in the engagement of service providers or subcontractors.


The most time-consuming thing, however, is that you now have to document everything, and really everything, in data protection. It is not your data subjects who have to prove that you have violated data protection; it is you who has to prove that you comply with all data protection requirements (reversal of the burden of proof). Incidentally, this applies not only to data subjects, but also to supervisory authorities. Without orderly documentation management, it will therefore be difficult.

We at THALES are at your disposal to help you cope with all these duties, with now more than ten years of expertise as

  • Adviser,
  • Project manager,
  • External data protection officer

and when it comes down to it, quite simply as your

  • Lawyer.