Data Protection Basics

Due to budget or time constraints, companies sometimes neglect compliance with GDPR. To avoid this, heyData provides you with a requirements list of data protection basics for businesses:

Personal Data - Alt

Personal data

This refers to any information that relates to an identifiable individual and is subject to special protection.

Learn more
Data Officer - Alt

Data Protection Officer

Responsibility for data protection can be assumed internally within the company or by external experts.

Learn more
Data Security - Alt

Data Protection & Data Security

Often used in the same context, there is nevertheless a difference between the two terms.

Learn more
Contact - Alt

Conclusion of a Data Processing Agreements (DPAs)

The processing of personal data by third parties is also subject to regulation under the GDPR.

Learn more
Verzeichnis - Alt

Records of Processing Activities

Documentation of all processing activities involving personal data.

Learn more
Tom - Alt

Technical & Organizational Measures (TOM)

Ensure adequate personal data protection management.

Learn more
Personal Data - Alt

Personal Data

This refers to any information that relates to an identifiable individual and is subject to special protection.

According to the GDPR, personal data is any information that pertains to an identifiable or identified natural person. Data subjects are identifiable if they can be identified directly or indirectly, in particular by means of an association with an identifier such as a name, an identification number, a location or other characteristics. In practice, this includes all data that can be assigned to a person in any way. Examples of this are telephone numbers, ID numbers, account data, license plates, customer numbers, e-mail addresses or addresses. This data is therefore subject to special protection, since every person has a right to informational self-determination.

Quick info

  • Information about an identifiable person
  • Identifiability: direct or indirect
  • Protection: right to informational self-determination
Data Officer - Alt

Data Protection Officer

Responsibility for data protection can be assumed internally within the company or by external experts.

Data protection can be managed within a company either internally or externally. The introduction of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) has extended the scope of companies that are required to appoint a data protection officer. If your company falls under this category, you will need to choose between an internal or external data protection officer. An internal data protection officer is a viable option, but only if the employee has the necessary expertise and resources. As such, many companies prefer to engage an external data protection officer.

Quick info

  • Internal or external data protection officer
  • Often mandatory to have a data protection officer
  • For internal: capacity and knowledge necessary
Data Security - Alt

Data Protection & Data Security

Often used in the same context, there is nevertheless a difference between the two terms.

Without data protection, a company cannot guarantee a credible online presence. If this topic is neglected, loss of image, loss of customers, fines and sanctions are the resulting consequences. The Data Protection Act regulates all relevant provisions concerning personal data processing in companies. Every company operating in the EU is obliged to comply with data protection regulations. Data from customers, the workforce or business partners must be protected, otherwise fines or sanctions may be imposed.

Data security goes hand in hand with data protection. However, it is not concerned with the protection of personal data, but with practical courses of action relating to IT security. In order to comply with the data protection basics, companies should always be able to demonstrate a data security concept that includes not only personal data, but all data streams to be processed.

Data security can be increased and safeguarded through the use of:

  • a current web browser 
  • up-to-date (encryption) software, firewall and antivirus software
  • user accounts with rights distribution 
  • secure passwords from backups
  • rights assignment for downloads
  • raising the awareness of employees 
  • being careful with unknown attachments 
  • avoiding the publication of personal data

Quick info

  • Data protection: necessary for establishing credible online presence
  • Data security: practical ways of acting with regard to IT security
Contact - Alt

Conclusion of Data Processing Agreements (DPAs)

The processing of personal data by third parties is also subject to regulation under the GDPR.

With the introduction of the GDPR in May 2018, the directive on commissioned data processing formerly known in the BDSG was renewed. This involves the conclusion of a contract (an DPA) with service providers or partners who process personal data on behalf. Accordingly, companies must proceed very carefully when selecting potential service providers and review their activities at regular intervals. In general corporate practice, these operations include, for example, payroll processing, sales activities, or the use of marketing and analytics tools. Thus, significant areas of cooperation with other companies are affected by this regulation.

Conclusion of Data Processing Agreements (DPA) 

Quick info

  • Regulation of order processing
  • Companies must choose service providers carefully
  • Activity review regularly necessary
Verzeichnis - Alt

Records of Processing Activities

Documentation of all processing activities involving personal data.

Pursuant to Art. 30, the GDPR requires that data controllers create a so-called record of processing activities in which all processing activities that deal with personal data are recorded.


This is by far one of the most important documents in the entire GDPR, because it affects all companies. As soon as a company processes personal data, it is required to neatly document these processes in this directory. Of course, this also applies to processors. Although many claim that the creation only affects companies with more than 250 employees, this exception only applies if the processing of personal data is only occasional. However, this is only true in the rarest of cases. If special categories of data are involved, such as health data, religion or similar, the obligation to create and maintain a processing directory applies anyway.

Record of Processing Activities

Quick info

  • Directory for processing activities
  • All companies are affected
  • Exception: occasional data processing
Tom - Alt

Technical & Organizational Measures (TOM)

Ensure adequate personal data protection management.

The GDPR, which has been in effect since May 2018, includes the technical and organizational measures (TOM) previously outlined in the BDSG. These measures have become increasingly important under the GDPR, as they define appropriate processes and outline the steps to take in the event of a data protection breach. Thus, a suitable management for data protection is to be established. Of course, it is also obvious that the more serious the risk of violations (e.g., in the case of very sensitive data), the more detailed and extensive the processes and their descriptions must be. Consulting with the appointed data protection officer is always recommended.

Technical and organizational measures

Quick info

  • Appropriate data breach processes
  • TOMs must be more detailed for sensitive data

Discover more

You can also find more information on our knowledge pages and in the heyData magazine.

Magazine

Discover our magazine articles.

Learn more

Studies

Learn more about data protection in our studies.

Learn more