Data Protection and Privacy Consulting

Data Warehouse has been active in data protection and data privacy consulting since 1994.

This includes, among other things, acting as external data protection officer, auditing, and consulting on data privacy issues. Where required, we also bring our technical expertise into the consulting.

We are happy to support you in fulfilling your legal requirements.

Frequently asked questions:

Who needs a data protection officer?

Any company in which at least 10 employees are permanently engaged in the automated processing (e.g. by computer) of personal data or special categories of personal data. The legal basis is § 38 or § 22 BDSG (German Federal Data Protection Act, new version) together with the DSGVO (GDPR).

Which negative effects should be avoided?

The new version of the BDSG, in force since 25 May 2018, incorporates a number of changes based on the European General Data Protection Regulation (DSGVO/GDPR). These include, among other things, the active duty to report data protection violations, the changed penalty provisions and the documentation obligations.

The data protection officer supports management in implementing internal data protection and thus protects the company from data privacy scandals and the associated negative press coverage. As numerous examples have shown, this is particularly relevant for companies whose products are aimed at private end customers.

e.g. trouble with the supervisory authority

Increasingly, competitors, disgruntled employees or customers are turning to data protection regulators.

e.g. fines against management and companies

Pursuant to §§ 42 and 43 BDSG (new), anyone who does not appoint a data protection officer, does not appoint one in the prescribed manner, or does not appoint one on time is acting unlawfully. The administrative offence can be punished with a fine of up to two hundred thousand euros or up to 4% of annual turnover. The fine can be imposed both on the management itself and on the company.

Which regulations must my company comply with when processing personal data?

Here the old BDSG gave exact guidelines (annex to § 9 BDSG); the GDPR "only" refers to the appropriate state of the art. Which measures correspond to the state of the art is determined by weighing the risks.

For comparison, the annex to § 9 BDSG (old):

If personal data are processed or used automatically, the internal organisation of the authority or company must be designed so that it meets the special requirements of data protection. In particular, measures suitable for the type of personal data or data categories to be protected must be taken to

1. deny unauthorised persons access to data processing equipment used to process or use personal data (physical access control),
2. prevent data processing systems from being used by unauthorised persons (system access control),
3. ensure that persons authorised to use a data processing system have access only to the data covered by their access authorisation, and that personal data cannot be read, copied, altered or removed without authorisation during processing, use or after storage (data access control),
4. ensure that personal data cannot be read, copied, altered or removed without authorisation during their electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies a transmission of personal data by data transmission equipment is intended (transfer control),
5. ensure that it is subsequently possible to verify and establish whether and by whom personal data have been entered, altered or removed in data processing systems (input control),
6. ensure that personal data processed on behalf of a customer can only be processed in accordance with the customer's instructions (order control),
7. ensure that personal data are protected against accidental destruction or loss (availability control),
8. ensure that data collected for different purposes can be processed separately.

One measure pursuant to sentence 2 numbers 2 to 4 is, in particular, the use of state-of-the-art encryption procedures.

In the BDSG (new), the GDPR and other provisions:

...(It)... appropriate and specific measures shall be taken to safeguard the interests of the data subject. Taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons associated with the processing, these may include in particular:

1. technical and organisational measures to ensure that processing is carried out in accordance with Regulation (EU) 2016/679,
2. measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered, modified or removed,
3. raising the awareness of those involved in processing operations,
4. appointment of a data protection officer,
5. restriction of access to personal data within the controller and by processors,
6. pseudonymisation of personal data,
7. encryption of personal data,
8. ensuring the ability to guarantee the confidentiality, integrity, availability and resilience of systems and services relating to the processing of personal data, including the ability to rapidly restore availability and access in the event of a physical or technical incident,
9. the establishment of a procedure for the regular review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing, or
10. specific procedural rules ensuring compliance with the provisions of this Act and Regulation (EU) 2016/679 in the event of a transfer or processing for other purposes.

and (§ 62 BDSG (new)):

(1) If personal data are processed on behalf of a controller by other persons or bodies, the controller must ensure compliance with the provisions of this Act and other provisions on data protection. The rights of the data subjects to information, rectification, erasure, restriction of processing and compensation for damages shall in this case be asserted against the controller.

(2) A controller may only entrust the processing of personal data to processors who, by means of appropriate technical and organisational measures, ensure that the processing is carried out in accordance with the legal requirements and that the rights of the data subjects are protected.

(3) Processors may not engage the services of other processors without the prior written consent of the controller. Where the controller has granted the processor a general authorisation to use other processors, the processor shall inform the controller of any intended addition or replacement. In this case, the controller may prohibit the addition or replacement.

(4) If a processor engages another processor, it shall impose on that processor the same obligations under its contract with the controller pursuant to paragraph 5 as apply to itself, unless those obligations are already binding on the further processor under other provisions. If a further processor fails to fulfil these obligations, the processor that engaged it shall be liable to the controller for compliance with the obligations of the further processor.

(5) Processing by a processor must be carried out on the basis of a contract or other legal instrument which binds the processor to the controller and which determines the subject, duration, nature and purpose of the processing, the nature of the personal data, the categories of data subjects and the rights and obligations of the controller. The contract or other legal instrument shall provide in particular that the processor

a) acts only on the documented instructions of the controller; if the processor is of the opinion that an instruction is unlawful, it must inform the controller immediately;
b) ensures that the persons authorised to process the personal data are bound to confidentiality, unless they are subject to an appropriate statutory obligation of confidentiality;
c) assists the controller by appropriate means in ensuring compliance with the provisions relating to the rights of the data subject;
d) returns or deletes all personal data after completion of the processing services, at the discretion of the controller, and destroys existing copies, unless there is a legal obligation to store the data;
e) provides the controller with all information necessary to prove compliance with its obligations, in particular the logs drawn up in accordance with § 76;
f) enables and contributes to any checks carried out by the controller or by an auditor appointed by the controller;
g) complies with the conditions set out in paragraphs 3 and 4 for the use of the services of another processor;
h) takes all necessary measures pursuant to § 64, and
i) assists the controller in complying with the obligations set out in §§ 64 to 67 and 69, taking into account the nature of the processing and the information available to it.

(6) The contract referred to in paragraph 5 shall be drawn up in writing or electronically.

(7) A processor who determines the purposes and means of the processing in breach of this provision shall be deemed to be the controller in respect of such processing.

In the case of public bodies, it may also be issued by the technical supervisory authority. The customer must verify, before data processing begins and then regularly, that the technical and organisational measures taken by the contractor are complied with. The result must be documented.
