Your authorized representative for
data protection and compliance
We are independent and competent.
Here you will find our topic-specific reporting points.
Whistleblower reporting office
Reports under the Whistleblower Protection Act
Data protection incident / data breach
Reporting of data breaches under the General Data Protection Regulation (GDPR)
Reporting of information security incidents (ISO 27001, VDA ISA)
Other types of reports
If you have any questions, please feel free to contact us.
Compliance with laws, directives and standards is becoming increasingly important.
Surveys show that the vast majority of companies do not comply with all regulations.
However, the possible penalties have increased sharply, so a change of approach is advisable.
We are the right partner for you if you want to be secure in the long term.
We look after many customers and thus have a broad insight into the problems of day-to-day business.
We review your data protection concept, identify any gaps and make suggestions for remediation.
We support you in responding to inquiries from supervisory authorities and data subjects correctly in terms of form, time and content.
For efficiency reasons, we work with self-assessments.
You can use a similar approach with your service providers (e.g., processors).
Ideally, we are given a fixed contact person; this can also be your consulting firm.
Our team consists of data protection officers, auditors, lawyers and IT experts.
External data protection officer
Do you need an external data protection officer?
(According to §38 BDSG: "...insofar as they usually employ at least 20 persons constantly with the automated processing of personal data...")
We are your competent and efficient partner.
(Data protection officer with TÜV certificate)
Effective data protection means
A self-assessment based on Excel is used to determine the maturity level.
Results from subsidiaries can be aggregated.
Affected party and customer inquiries
We support you in responding to your stakeholder and customer inquiries.
You receive concrete suggestions on possible starting points.
We can recommend suitable law firms for legal advice.
Communication with the state data protection commissioner
It is important to inform the authorities openly and correctly (in terms of time, form, content).
Audits of processors
By selecting a processor, you have assumed responsibility for the processing you have assigned to that supplier. This part must be monitored.
Privacy Impact Assessments
We perform impact assessments:
- in the event of a data breach
- for new types of processing
Compliance - How does it work?
You implement the requirements of the supervisory authorities, certifiers and customers into internal guidelines in a legally compliant manner.
We monitor the implementation of your corporate guidelines, independently and competently.
Together, we define the scope of monitoring (locations, topics, inspection interval).
Based on standard checklists, we perform a self-assessment and document the maturity level in a report.
Monitoring and consulting
Together we adapt the checklist and define a program for monitoring.
In defined cycles you will receive a status report including deviations and improvement potentials.
For reasons of independence, we are available to discuss the findings but not to carry out their remediation.
In addition to monitoring, we offer the establishment of a complaints office for the various topics.
This usually serves as an independent point of contact for internal and external parties for defined topics.
You would like a quote or have a question
When is a data protection officer mandatory?
According to §38 BDSG:
"...insofar as they usually employ at least 20 persons constantly with the automated processing of personal data...".
This means as soon as more than 19 persons are employed in the company with automated processing of personal data, such as in a CRM or merchandise management system, a data protection officer is required.
In addition, a data protection officer may also be necessary in case of processing of "special categories" of personal data, regardless of the number of employees.
Examples of special categories:
- political opinions,
- religious beliefs,
- trade union membership,
- health data
What is personal data?
According to Art. 4(1) GDPR:
"personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject")...".
This means all data that allow conclusions to be drawn about a data subject are considered personal data.
Examples of individual data with personal reference:
- Contact data (e.g. address)
- IP addresses
- telephone number
- Car license plate number
- place of birth
- physical characteristics (e.g. height, hair color)
- connections and relationships (e.g. reference to employer, club membership)
- Health data (e.g. reference to physical disability)
- Biometric data (e.g. fingerprint)
- Other data (e.g. products purchased)
Who are data subjects in the sense of data protection?
In Art. 4(1), the GDPR defines a "data subject" as any natural person. This means that any natural person whose identifiable data is processed in any form by an organization becomes a data subject. Examples include:
- Contacts at suppliers, customers, banks, government offices, etc.
- Newsletter subscribers
- Website visitors
- Participants of events
What is a processing directory and what is its purpose?
According to Art. 30 GDPR:
"Each controller and, where applicable, its representative shall keep a register of all processing activities under its responsibility...".
This means that all processing of personal data within the company's area of responsibility, including processing that has been outsourced, must be listed in this directory in accordance with the GDPR. It is generally required regardless of whether a data protection officer has been appointed or not.
The following data must be included in the processing directory:
- Name and contact details of the data controller
- Purposes of the processing operations
- Legal basis of the processing
- Description of the categories of data subjects
- Description of categories of personal data
- Categories of recipients, including recipients in third countries
- transfers of personal data to third countries, if applicable
- envisaged time limits for erasure
- Description of technical and organizational measures (TOM).
The directory serves to provide an overview and transparency of the processing operations. In addition, the processing directory is a tool for the activities of the data protection officer, as well as for the competent supervisory authority to fulfill its tasks.
What are technical and organizational measures (TOM)?
According to Art. 32 GDPR:
"...the controller and processor shall take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk...".
This lists the protective measures with which the company maintains an appropriate level of data protection in accordance with the requirements of the GDPR and the BDSG.
- Physical access control (locking system in the building, server room, etc.)
- System access control (secure passwords, user role management, etc.)
- Data access control (logging of accesses and changes, etc.)
- User management (in software, electronic access systems, etc.)
What must be observed with cookies?
First, a distinction must be made between a cookie that is technically necessary and does not allow a user to be recognized or data to be assigned to them, and a cookie whose stored data can be assigned to a user (and is thus personal data).
In the first case, no action is necessary. In the second case, as soon as personal data is stored, the user (data subject) must actively consent to the processing of the data.
An opt-in solution is therefore necessary here: the user must actively consent to the data processing by means of the cookie before it is set. An opt-out solution is not sufficient.
Note: Presumably, the upcoming e-privacy regulation will regulate the handling of cookies even more strictly. This regulation will probably come into force in 2020/21.
What is meant by tracking?
In terms of privacy, tracking means collecting and storing data that a user generates through their interactions.
- The history of visited web pages is stored in order to show the user interest-based advertising.
- Identifying how a user arrived at a website
- Mouse tracking on a computer allows the exact reconstruction of which actions were performed by the user.
- geo-tracking via GPS in cell phones or car navigation systems
Tracking often takes place on the Internet by setting cookies. A distinction is made here between:
- First-party cookies: the website operator sets cookies to store user data.
- Third-party cookies: these allow third parties to analyze a user's online behavior, e.g. to display targeted advertising.
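The two rules above (technically necessary cookies need no consent; cookies that can be tied to a user need an explicit opt-in first) and the first-party/third-party distinction can be enforced in code. The following is an added example written for this page, not code from the consultancy or from any real consent tool; the cookie names, categories and domains in the registry are constructed for the demo, and a plain Map stands in for `document.cookie` so the example runs outside a browser. It also shows why the opt-out pattern the text calls insufficient fails: with `optOut: true`, a marketing cookie is written before the user has acted at all.

```javascript
"use strict";

// Added example (not the page author's code): a consent gate that sets
// technically necessary cookies freely, holds back every other cookie until the
// user has opted in, deletes cookies again when consent is withdrawn, and labels
// each cookie as first- or third-party. All names/domains below are constructed.
const COOKIE_REGISTRY = {
  session_id:   { category: "essential", domain: "shop.example" },         // necessary, no user profile
  cart:         { category: "essential", domain: "shop.example" },
  analytics_id: { category: "analytics", domain: "shop.example" },         // identifies a user: consent needed
  ad_profile:   { category: "marketing", domain: "ads.tracker.example" },  // third party, consent needed
};

// A cookie is first-party when its domain equals the page host or is a parent
// of it (e.g. "shop.example" for "www.shop.example"); anything else is third-party.
function cookieParty(cookieDomain, pageHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith("." + d) ? "first-party" : "third-party";
}

class ConsentGate {
  // optOut=true models the opt-out pattern: non-essential categories start as
  // granted until the user objects. optOut=false (default) is the opt-in model.
  constructor({ optOut = false, jar = new Map() } = {}) {
    this.jar = jar;                                  // stand-in for document.cookie
    this.consent = { analytics: optOut, marketing: optOut };
    this.log = [];                                   // audit trail of set/blocked decisions
  }

  grant(categories) {
    for (const c of categories) if (c in this.consent) this.consent[c] = true;
  }

  // Withdrawing consent also removes cookies already stored for that category.
  revoke(categories) {
    for (const c of categories) {
      if (!(c in this.consent)) continue;
      this.consent[c] = false;
      for (const [name, meta] of Object.entries(COOKIE_REGISTRY)) {
        if (meta.category === c) this.jar.delete(name);
      }
    }
  }

  // Returns true if the cookie was written, false if it was blocked for lack of consent.
  setCookie(name, value) {
    const meta = COOKIE_REGISTRY[name];
    if (!meta) throw new Error(`unregistered cookie: ${name}`); // unknown cookies are never set
    const allowed = meta.category === "essential" || this.consent[meta.category] === true;
    this.log.push({ name, category: meta.category, decision: allowed ? "set" : "blocked" });
    if (allowed) this.jar.set(name, value);
    return allowed;
  }

  has(name) {
    return this.jar.has(name);
  }
}

// Walk-through of the opt-in model on a page served from www.shop.example.
function demo() {
  const gate = new ConsentGate();
  const beforeConsent = gate.setCookie("analytics_id", "u-1"); // blocked
  gate.setCookie("session_id", "s-1");                          // essential, always set
  gate.grant(["analytics"]);
  const afterConsent = gate.setCookie("analytics_id", "u-1");   // now set
  return {
    beforeConsent,
    afterConsent,
    adParty: cookieParty(COOKIE_REGISTRY.ad_profile.domain, "www.shop.example"),
    blockedCount: gate.log.filter((e) => e.decision === "blocked").length,
  };
}

module.exports = { COOKIE_REGISTRY, cookieParty, ConsentGate, demo };
```

The registry is the important design choice: a cookie that is not registered with a category cannot be set at all, so a new tracking cookie added by a developer cannot silently bypass the gate; it has to be classified first, which is also the information the processing directory needs.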