Requirements of the GDPR

The introduction of the EU General Data Protection Regulation has led to greater responsibilities for companies when processing personal data. Here is a brief overview:


Data Protection Officer

Under certain conditions, you are obliged to appoint a data protection officer and to register him or her with your supervisory authority. This is often the case with more than ten employees. The newly introduced reporting obligation allows the supervisory authorities to track exactly which companies are obliged to appoint a data protection officer and whether a data protection officer has been appointed. Failure to appoint a data protection officer, despite the obligation to do so, can result in fines.


Prohibition with reservation of permission

Personal data may only be processed by you if you can rely on a legal basis for doing so. In addition to the basic Article 6 of the EU General Data Protection Regulation, there are a number of other provisions in your national legislation that you must take into account in data protection. Data processing without specific legal permission is prohibited. A violation can lead to heavy fines.


Data subjects' rights

Your employees, customers, service providers, in short: all people whose data you process have a right to privacy.

  • Right to information
  • a right to rectification of data
  • a right to data transfer and data blocking.

It can Opposition against certain processing operations and, under certain conditions, you may also object to the processing of your personal data. Deletion of data are required. You must ensure that you can comply with these rights within the prescribed time limits.


Data protection management

In order to comply with the requirements of the EU General Data Protection Regulation, you need a system that is able to manage all interactions in data protection. Without many years of experience and the corresponding expertise, this is a time-consuming and costly undertaking. Since the entry into force of the EU General Data Protection Regulation, more and more data subjects are aware of their rights, and experience shows that they are quick to turn to the supervisory authorities. In this way, you can quickly become the focus of supervisory authorities who are obliged to consistently pursue compliance with the General Data Protection Regulation.


Overview of processing activities

Normally, you are obliged to keep an overview of your processing of personal data in accordance with Art. 30 of the EU General Data Protection Regulation and to prove this to the supervisory authority upon request. This is easier said than done. Without an analysis of all company processes, it is not possible to create the inventory. The organisation of keeping this overview also brings challenges. Where often only the legal requirements are processed, it is easily overlooked that the overview of processing activities is the central tool for data protection compliance. An interactive directory makes your life easier. Sluggish filing of information in dead files is just dead weight.


Technical and organisational measures

If you process personal data, you are obliged to ensure its security. This is done through so-called technical and organisational measures. The measures you need to take depend on the risks your data processing entails for your data subjects. The necessary risk analyses and data protection impact assessments should be carried out by an expert and, above all, an independent party if you do not want to unnecessarily fall into cost traps.


Basic principles

For all processing of personal data, you must always ensure that you comply with the basic principles of the EU General Data Protection Regulation. These are the principles of

  • Legality
  • Processing in good faith
  • Transparency
  • Earmarking
  • Data minimisation
  • Correctness
  • Memory limitation
  • Integrity and confidentiality
  • Accountability

For each processing operation you keep in your overview of processing activities, you must have taken each individual principle into account. Otherwise, you risk heavy fines from your supervisory authority.

Involvement of service providers

Depending on the extent to which you use service providers, you have to observe certain requirements. You may need to conclude order processing agreements (AVV), or joint responsibility agreements. You need to be particularly careful when it comes to hiring companies that are not established in the European Union. Without legal expertise, this can be expensive. Already in the past, supervisory authorities have severely sanctioned contractual deficiencies when engaging service providers or subcontractors.



The most costly thing, however, is that you now have to document everything, but really everything in data protection. It is not your data subjects who have to prove that you have violated data protection, no, it is you who has to prove that you comply with all data protection requirements (reversal of the burden of proof). Incidentally, this applies not only to data subjects, but also to supervisory authorities. Without an orderly documentation management, it will therefore be difficult.


We at THALES are at your disposal to help you cope with all these duties with now more than ten years of expertise as a

  • Advisor
  • Project Manager
  • External data protection officers

And if it ever comes down to it, quite simply as your

  • Lawyer


Employee data protection

One of the most uncharted areas in data protection is employee data protection. The General Data Protection Regulation does not contain a single provision that regulates employee data protection. However, German lawmakers have gone to great lengths to provide additional safeguards for employee data in the new Federal Data Protection Act. This is understandable, because employees are dependent on their employers. However, the mass of regulations that you must therefore observe ranges from the Federal Data Protection Act to the Telecommunications Act to individual labour law regulations and collective agreements. Topics like

  • Private use of e-mail accounts
  • Bring Your Own Device (BYOD)
  • Publication of staff photos
  • Permissible questions in the application procedure
  • Special storage period of parts of the personal file
  • Legally compliant handling of applicant data
  • Internal investigations
  • Staff monitoring
  • Company agreements
  • Consents from employees
  • Ancillary labour laws
  • Collective agreements
  • and much more, are hardly manageable for almost every company in terms of data protection law. In order to maintain an overview here, THALES offers you the legally necessary expertise and over ten years of experience. And if necessary, we also take care of the implementation.