Frequently asked questions
Over the course of our many years of work, we repeatedly encounter the same topics, questions and problems.
These, for example:
Before data are processed, the legal situation must be clarified. A data processing can take place for example if it is necessary for the fulfilment of a contract with the person concerned or the consent of the person is present. If you are unsure – ask us.
Have you taken the appropriate TOMs (technical and organisational measures) in your company? The answer depends entirely on the data you are processing. Patient files or credit card data require a higher security standard than the addresses of your business partners.
Any processing of personal data must be based on a legal basis. That can be consent, but it doesn’t have to be. On the contrary, consents often have disadvantages, for example that they must be revocable. We will work with you in each individual case to determine the most secure and practicable legal basis.
Yes, of course. Make sure you carefully select the service providers and stay in close contact with them. You, as well as your service provider, are liable for any defects and data breaches. Secure yourself with a legally compliant contract and the corresponding checks. We help you with this and offer suitable sample templates.
The following applies to Germany: with a high degree of probability yes. If ten or more employees in your company handle personal data, a Data Protection Officer (DPO) is required by law. The latter must have the appropriate specialist knowledge, is not to receive instructions on exercising their tasks, and reports to management.
We advise internal data protection officers or provide you with a qualified, external DPO. We generally consider the latter to be the better choice. Why? Talk to us.
Advertising is everywhere these days. Companies can not to do without it, customers sometimes find it undesirable. There are some stumbling blocks here. Advertising in writing is generally permitted. Advertising by fax, telephone or e-mail is a bit more complicated.
Let us advise you on this complex subject. We have various tools for our customers, such as a practical guide.
Training, training, training.
From a data protection perspective, the only good employee is an informed and sensitized one: the best guidelines and policies are useless if employees do not actively pursue data protection and keep this topic in the back of their minds when performing their tasks.
So: ‘classroom training‘ at least for the management level and all sensitive areas/departments. And at least one online privacy training course for all other employees. [We have just the thing for you].
The magic word: encryption. With this simple measure, extremely unpleasant scenarios can be avoided. You don’t have to agree on eternally long passwords for each data exchange, but can use shared passwords with several employees and service providers for a longer period of time. This means, for example, that incorrectly sent mails no longer pose a threat to you. Even mobile devices should always be encrypted.
This may feel like it, but it is not true from a data protection point of view. There must be a legal basis for any transfer of personal data, including within a group of companies. It’s not nuclear physics, you just have to take care of it.
We have made good experiences with our customers with our concept of the “Framework Agreement on Data Protection in the Group”. Talk to us.
Yes, you do. Companies must not only comply with the rules, they must also be able to prove compliance (cf. Art. 5 para. 2 GDPR).
An important part is also the documentation of the processing activities (. Depending on the size and structure of the company, this can become quite complex and cumbersome if you try to do this with on-board tools from Excel and Word documents. Save yourself the time and effort and take a look at our [DS-Doku].