The most frequently asked questions about our service and data protection.
Find out more about our services, packages and prices at heyData, your external data protection officer-as-a-software.
heyData's customers receive a powerful combination of effective data protection software and personalized expert guidance. Our digital platform makes it simple and reliable to take control of your data protection, while our team of data protection lawyers are some of the most knowledgeable in their field.
Data protection is not a question of company size. The data protection regulations - and unfortunately also the fines - affect the self-employed as well as corporations. Investing in data protection measures early on can ensure that they scale with your company and avoid the need for any disruptive changes down the line.
You can get an approximate cost estimate by visiting our price overview.
You can find an overview of our packages and how they differ here.
The heyData platform helps you gain control over key data protection processes that are critical for your business - from auditing, to retrieving important documents, to training employees.
Onboarding: Introduction of all relevant employees to heyData platform.
Digital 360° Audit: Screening your departments for data protection compliance.
Documentation: The heyData platform provides automated creation of all privacy-related documents, as well as expert guidance on how to enhance your privacy level.
Continuous Support: Proactive monitoring of all data protection topics via our platform with a personal contact person.
We work predominately in English and German, but other languages are available on request.
Here you will find all the answers to the topics that fall under the category of data protection.
17 German supervisory authorities monitor compliance with data protection regulations. Your data protection officer is obligated to ensure compliance with these data protection regulations in accordance with Art. 39 (1) GDPR.
If you do not comply, your company can expect fines of up to 20 million euros or 4% of annual sales. In addition, such infringement will result in a loss of confidence and trust in your company, which is priceless.
Even if you do not need a data protection officer, your company must still comply with all data protection requirements. However, you definitely need a data protection officer if one or more of the following criteria apply to your company:
These are the most frequently asked questions
In general, it is not only a question of the number of employees. Even if you are not obliged to appoint a data protection officer, your company must still comply with all data protection requirements. A data protection officer is required in any case if one or more of the following criteria apply to your company:
The data protection officer has the following tasks:
A part-time internal data protection officer invests 20% of his or her working time in data protection tasks. This can cost the company between 5,000 and 15,000 euros per year, depending on the effort involved.
If one hires a full-time internal data protection officer, the costs are the same as for the part-time data protection officer, but without a pro-rata salary calculation. The costs for full-time data protection officers can range from 45,000 to 65,000 euros per year, depending on the company and the tasks. The average investment is 55,000 euros.
The costs for external data protection officers vary greatly and depend on many factors. Lawyers and law firms can charge hourly rates of 250 EUR and more, while external data protection officers with a certificate of professional competence often earn somewhat less.
It is important to mention that an external data protection officer bears many cost items, e.g. further training and working materials, and is in principle liable for mistakes in the advice.
Our data protection solution offers your company, among other things:
Based on your needs, we will create a customised offer and communicate it to you in a transparent way (no hidden extra fees). For more information see our pricing page.
If you are looking for an external data protection officer (DPO), there are a few things you should look out for. Here are the most important points to tick off your checklist:
The most frequently asked questions and answers to our data protection consultation
There are various contacts for questions about data protection.
We offer the use of a team of state-certified lawyers and attorneys who specialise in companies of different sizes and industries.
A data protection advisor, also called a data protection officer (DPO), is a person who assists companies and organisations in implementing data protection regulations. His or her role is to check compliance with data protection laws and regulations and to protect the personal data of customers, employees and others.
Specifically, a data protection advisor may undertake the following tasks:
We take care of all this and also offer software that simplifies the life of both the employee and the employer.
Violations of the General Data Protection Regulation (GDPR) can be punished by competent data protection authorities with significant fines. The amount of the fines depends on the severity of the violation and the economic damage caused.
In detail, the following sanctions can be imposed for violations of the GDPR:
In addition, persons whose rights have been violated by breaches of the GDPR may also assert claims for damages against the company. It is also possible that competitors or consumer protection agencies send warning letters to a violating company, for which the company must pay.
It is therefore important that companies and organisations comply with the requirements of the GDPR and check their processes and systems for data protection compliance.
Data protection breaches can be reported to different places depending on where the breach occurred and what type of breach it is. Here are some possible places to go:
It is important to emphasise that there are different contact points in each federal state, so it makes sense to find out about the responsibilities in advance.
These are the most frequently asked questions
No, there is no official obligation stated in the General Data Protection Regulation (GDPR). However, there is an indirect obligation, because a company must ensure that personal data is processed in accordance with the requirements of the GDPR and should of course also train its employees in this sense.
Such training aims to make employees aware of the careful handling of personal data and to provide them with the necessary knowledge and skills to avoid data protection breaches. Data protection training should therefore take place regularly, especially for new employees and when data protection regulations change.
The exact requirements for data protection training can vary depending on the country and industry. However, in the European Union there are some requirements that apply to all companies that process personal data.
According to Article 39 of the General Data Protection Regulation (GDPR), one of the responsibilities of a data protection officer for companies is to ensure that employees receive regular training to ensure that they are able to fulfil their data protection obligations. Training should be adapted according to the specific tasks and needs of the employees.
Employees who process personal data should receive regular training. In addition, it may be necessary to provide even more frequent training in the event of changes to data protection regulations or the introduction of new technologies or procedures that have an impact on the processing of personal data.
The costs for data protection training can vary depending on the scope and content of the training.
For customers who opt for the Professional or Enterprise package, data protection training is of course already included in the price; in the Basic package, on the other hand, training can be booked individually at any time. The exact prices may vary, however, depending on individual needs.
It is important to note, however, that the price for data protection training is only part of the overall service offered by heyData. For companies that work with us, we also take on the role of external data protection officer and deliver support in the implementation of technical and organisational measures, a comprehensive digital audit and many other benefits.
These are the most frequently asked questions
Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.
Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.
Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data are processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that compliance with data protection policies is ensured by all parties involved.
If you want to introduce technical and organisational measures in your company, there are some steps you should follow:
The creation of TOM can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can also bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOM.
These are the most frequently asked questions
On 12 May 2023, the Federal Council passed the Whistleblower Protection Act, which is the national implementation of the EU Whistleblower Directive. It is expected to come into force in mid-June 2023. This law was passed to better protect whistleblowers and provide them with a safe way to report wrongdoing at their employers.
First, companies with 250 or more employees must set up internal whistleblowing systems. These systems are designed to enable employees to report wrongdoing safely and confidentially. Companies with 50-249 employees have a transition period until 17 December 2023.
An anonymous whistleblower protection system offers whistleblowers the opportunity to report grievances safely and confidentially without fear that their identity will be revealed. This can help ensure that more employees are willing to report wrongdoing because they feel safe and do not have to fear negative consequences. Such a system can help companies respond to and remedy grievances more quickly, which can ultimately help build trust in the company among employees and the public.
Yes, our whistleblowing solution mattersOut can also be booked as a stand-alone product. Just get in touch with us.
Companies in the public sector as well as cities and municipalities with more than 10,000 inhabitants are covered by the law and must offer whistleblowing systems from mid-June 2023. These systems are designed to enable citizens to report wrongdoing securely and confidentially.
It must be possible to submit the report orally or in writing and, if desired, also in person.
The internal reporting office must acknowledge receipt of the report to whistleblowers within seven days.
Within three months, MROS must inform the whistleblower what action has been taken as a result, e.g. the initiation of internal investigations or the forwarding of the report to the competent authority.
In the whistleblower system, reports are usually received by case managers, persons of trust, or ombudspersons.
When selecting potential case managers, consider people who do not have conflicts with other activities. This means that, for example, people in positions of responsibility for data protection matters (DPO), anti-money laundering, or other similar areas are perfect for this role.
Ideally, the case manager should have expertise in the area of the Whistleblower Protection Act or be willing to undergo further training in this area. Individuals with experience in handling sensitive information and ensuring confidentiality may be particularly suitable.
To fill the position of case manager, it is a good idea to consider someone from the human resources department or the legal department, provided they are not in a senior position. People in these departments often have an understanding of compliance issues and legal aspects relevant to dealing with whistleblower reports.
Yes, it is important to train the case manager regularly. We recommend training at least once a year to ensure that the case manager has the necessary expertise and is familiar with the latest developments in the area of the Whistleblower Protection Act. Regular training keeps case managers up to date and enables them to deal effectively and competently with incoming reports.
Training employees on whistleblowing is a recommended measure to make the use of whistleblower software known and attractive. However, there is no legal obligation for employees to use the software, as they are legally allowed to go directly to government whistleblowers. However, companies usually prefer that internal grievances are dealt with internally.
Upon request, we provide training for employees to inform them about the whistleblowing process, the benefits of reporting whistleblowing internally and how to use the whistleblower software safely. Such training typically covers the importance of whistleblowing to corporate integrity, the confidentiality of reports, protection against reprisals, and the possible consequences of misuse or false reporting.
The training is designed to encourage employees to report potential wrongdoing or illegal behavior internally rather than going to external agencies. The training provides employees with the necessary knowledge and awareness to identify potential risks and grievances at an early stage and to act appropriately.
These are the most frequently asked questions
It is not recommended to simply copy a privacy policy from another website. Each website has its own requirements and practices for handling personal data. A generic privacy policy may not meet your specific needs and may have legal consequences. It is advisable to create a customised privacy policy for your website.
It is important to regularly review and update your privacy policy to ensure that it complies with current legal requirements and reflects your business practices. Changes in the way you collect or use personal data should be communicated transparently in your privacy policy.
If you want to use Google Analytics to collect data about your website visitors, there are some privacy issues you should be aware of. Here are some important points:
These are the most frequently asked questions
A data protection audit is necessary to ensure that organisations process personal data in a lawful and secure manner. The GDPR imposes significant obligations to protect personal data. By conducting a data protection audit, you can ensure compliance, identify risks, and implement necessary improvements.
A data protection audit can be conducted internally by an organisation's data protection officer or data protection team. Alternatively, the organisation can engage external auditors or data protection officers who specialise in data protection and GDPR compliance. The choice depends on the organisation's resources, expertise, and specific requirements.
A data protection audit usually includes the following essential components:
The frequency of data protection audits depends on various factors, such as the size of the organisation, the type of data processing activities, and the risk associated with data processing. Although the GDPR does not prescribe a specific frequency, it is recommended to conduct regular audits, at least annually as is the case with heyData, or when there are significant changes in data processing operations.
After our data protection audit, the organisation receives a detailed report on the findings, recommendations and identified non-conformities. Based on this report, the organisation can develop an action plan to address the issues identified during the audit. The necessary changes and improvements should then be implemented to strengthen data protection and ensure compliance with the GDPR.
Yes, failure to comply with the General Data Protection Regulation can result in significant fines. Depending on the type and severity of the breach, organisations can be fined up to €20 million or 4% of their annual global turnover - whichever is higher. It is critical for organisations to prioritise data protection and conduct regular audits to minimise the risk of data breaches.
Conducting regular data protection audits demonstrates an organisation's commitment to protecting personal data and complying with data protection regulations. This increases the trust of partners and customers by guaranteeing that their data is handled responsibly and securely. By conducting audits and demonstrating GDPR compliance, organisations can improve their reputation and build stronger relationships with their stakeholders.
Although the GDPR does not provide a specific framework for audits, there are guidelines and best practices to help organisations conduct data protection audits. For example, the International Organisation for Standardisation (ISO) has developed the ISO/IEC 27701 standard, which provides guidelines for auditing data protection management systems. In addition, national data protection authorities and data protection organisations may offer specific guidance adapted to local requirements.
Yes, organisations can bring in external experts such as data protection officers or auditors who specialise in GDPR policies and data protection issues. These experts can provide valuable insight and expertise and ensure a thorough and independent assessment of an organisation's data protection practices.
These are the most frequently asked questions
The frequency of carrying out a data protection impact assessment depends on several factors, including the type of data processing, the occurrence of changes or new risks, and the privacy relevance of the processing. In general, it is advisable to review and update the DPIA on a regular basis.
Article 35(2) of the GDPR states that the "controller" shall conduct the DPIA. As a rule, the data controller is responsible for carrying out the data protection impact assessment and for involving the advice of the data protection officer, internal or external.
Failure to conduct a required data protection impact assessment can result in significant penalties under the GDPR, including fines of up to €10 million or 2% of the global annual turnover of the previous fiscal year, whichever is greater.
The DPIA usually consists of three main parts:
The data protection officer plays an essential role in the performance of the DPIA. He or she advises the controller or processor on how to conduct the DPIA, reviews the results, and ensures that the DPIA is conducted in compliance with the GDPR.
Not all companies are obliged to conduct a DPIA. The obligation to conduct a DPIA arises from Article 35 of the GDPR and only concerns processing operations that involve a high risk to the rights and freedoms of natural persons, in particular when using new technologies.
Although it is possible to perform a DPIA yourself, it is often advisable to consult a data protection law expert or a data protection officer due to the complexity of the requirements of the GDPR.
The GDPR provides a set of guidelines for conducting a DPIA. It is important that you familiarize yourself with these guidelines and incorporate them into your DPIA. In addition, consulting with an external data protection expert or data protection officer can help ensure compliance.
These are the most frequently asked questions
The General Data Protection Regulation (GDPR) is an EU legal framework that regulates the protection of personal data in companies and organizations. It entered into force on May 25, 2018 and contains rules for the processing, storage and transfer of personal data of EU residents.
The GDPR applies to all companies that process personal data of EU citizens, regardless of whether the company is based inside or outside the EU. It affects small and medium-sized enterprises as well as large corporations.
The GDPR grants individuals a number of rights, including the right to access their stored data, the right to rectify incorrect data, the right to have their data deleted ("right to be forgotten"), the right to data portability and the right to object to the processing of their data.
Companies must take various measures to comply with the GDPR. These include appointing a data protection officer (if required), conducting data protection impact assessments, implementing appropriate technical and organizational measures to protect personal data, obtaining data subjects' consent for data processing, and reporting data breaches.
Violations of the GDPR can result in fines of up to €20 million or 4% of the company's annual global turnover, whichever is greater. The actual amount of the fine depends on the nature, severity, and duration of the breach.
A data processor is a person or organization that processes personal data on behalf of a data controller. The processor acts according to the instructions of the controller and is subject to certain legal obligations under the GDPR.
The length of time for which personal data may be stored depends on the purpose of the data processing. Companies must store personal data for as long as is necessary to fulfill the purpose of the processing. In some cases, specific retention periods may be imposed by other laws or regulations.
A data breach refers to a security incident in which personal data is inadvertently or unlawfully accessed, disclosed, altered, or destroyed. When a data breach occurs and high risks to data subjects are expected, there is an obligation to assess and report it to the relevant supervisory authority and, in some cases, to the data subjects.
Internally, an important task of an internal or external data protection officer pursuant to Art. 39 (1) GDPR is to point out the need to comply with data protection provisions. On the government side, 17 supervisory authorities monitor compliance with data protection regulations.
Customers of heyData get the very best of combining helpful data protection software and highly personalized expert support. With the heyData platform, you get your data protection under control. At the same time, our specialist lawyers are true experts in their field and also know the ins and outs of your business.
These are the most frequently asked questions
Creating a record of processing activities as early as possible is recommended, ideally when you start your business. This way, you can ensure compliance with the GDPR from the start and significantly reduce the risk of data breaches.
A register of processing activities offers a number of key benefits. It helps minimise data breaches, which prevents potential financial penalties and reputational damage. It also fosters trust with your customers and partners, which promotes long-term relationships and a positive corporate reputation. It also provides clear internal documentation, which is beneficial for data protection audits and cooperation with data protection authorities.
The complexity depends on the size and scope of the company. For small and medium-sized companies it can be manageable, while larger companies have to put in more effort. For these reasons, our clients very often turn to us when they need fast and effective support so that they do not have to spend weeks creating these documents.
Yes, the register of processing activities should be updated regularly. As business processes can change and new data protection requirements emerge, it is important to keep the record up to date. Regular review and updating ensures that data protection risks continue to be appropriately assessed and managed.
These are the most frequently asked questions
According to Article 4 (12) of the General Data Protection Regulation, a data breach is a breach of security that accidentally or unlawfully results in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
Identifying a data breach can be complex. Signs may include unusual system activity, reports of stolen or lost devices, or unexplained data loss. According to Article 33 paragraph 1 of the GDPR, regular monitoring is required to identify such incidents.
According to Article 33 paragraph 1 of the General Data Protection Regulation, if you discover a data breach, you must notify the competent data protection authority without undue delay and, where possible, within 72 hours of becoming aware of the breach. This should include mitigation measures such as changing passwords or blocking access.
Failure to report a data breach can result in significant fines under Article 83 of the GDPR. These can be up to €20 million or up to 4% of annual global turnover, whichever is higher.
As an affected person, you have first and foremost the right to be informed of the data breach in accordance with Article 34 of the GDPR, as well as the right to lodge a complaint with the competent data protection authority in accordance with Article 77 of the GDPR. Finally, you may also be entitled to financial compensation.
These are the most frequently asked questions
The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.
A DPA is required whenever a controller transfers personal data to a processor. This applies to services such as cloud storage, IT support, payment processing, and other processing activities for personal data.
Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.
The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.
The DPA should be stored for as long as the data processing between the controller and processor continues and beyond that for a reasonable period of time to demonstrate compliance with the GDPR.
Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.
This is our FAQ for potential customers
heyData stands out with its tailor-made, actionable recommendations crafted to meet your specific needs. Our platform, complemented by expert legal advice, ensures a hassle-free overview and management of your privacy obligations.
In addition, you are provided with a vast selection of compliance trainings, assistance for all necessary data protection documentation, a powerful vendor risk management tool, a secure data protection vault, and much more.
heyData is equipped to handle compliance with the EU GDPR. The EU GDPR doesn’t only apply to companies that are based in the EU, but rather to all companies that offer goods or services in the EU or track the behavior of persons based in the EU, regardless of where they are based. As the most important privacy law in the world, the GDPR inspired many of the privacy laws that were adopted in recent years in the USA, and is generally considered to be the main benchmark in terms of data protection law. This means that applying GDPR standards can be beneficial even for companies that don’t need to comply directly with the GDPR, as these will cover obligations arising from local laws in almost all cases.
Our platform is continually updated by our team of legal experts to reflect the latest GDPR regulations and compliance standards, ensuring your business is always ahead in compliance matters.
First of all, you will have a call with one of our representatives, who will assess your situation and requirements. After that we will create a customized offer based on your needs and from there, if you decide to sign up with us, we will start our onboarding process and make sure that in a few weeks, you will be up and running with your GDPR compliance.
These are the most frequently asked questions
The answer to this is complicated, as it depends on various factors. Article 5, paragraph 1 of the GDPR speaks of an "appropriate" duration, which depends on the purpose of the data processing. Irrespective of this, statutory retention periods must be observed.
Yes, you may, but not without restrictions. Under the Competition Act, consent is often required; it should be obtained, and the association's privacy policy should provide transparent information about this.
Associations are obliged to provide comprehensive information to all persons whose data they process. This includes what data is collected, why it is collected and how long it is stored.
In specific cases, if no other legal basis is relevant, the association must obtain the explicit, informed, and unambiguous consent of the data subjects if it wishes to use personal data for certain purposes.
In cases where data processing could pose a high risk to the rights and freedoms of data subjects, a data protection impact assessment is required. This assesses the risks and defines measures to mitigate them.
These are the most frequently asked questions
As a rule, the tax advisor is responsible for compliance with the GDPR. This also applies if the tax advisor processes the personal data on behalf of a third party, e.g. a company or a private individual. However, the tax advisor can be supported by an external data protection officer, such as the experts offered by heyData.
Tax advisors may only process personal data that is required to fulfill their professional duties. In particular, this includes data required to prepare tax returns, to audit annual financial statements and to advise clients.
Tax advisors must provide clients with comprehensive information about the processing of their personal data. To this end, they must provide clients with the following information in particular:
Tax advisors must guarantee clients the rights provided for in the GDPR. In particular, this includes the right to information, rectification, erasure, restriction of processing, objection and data portability.
When transferring personal data to third countries, tax advisors must ensure that there is an adequate level of protection for the data. This can be achieved by means of a contractual agreement with the recipient of the data or by applying a legal system in the third country that is comparable to the EU level of data protection.
In the event of breaches of the GDPR, tax advisors must inform the competent supervisory authorities. In some cases, they must also inform the data subjects.
Severe sanctions can be imposed for violations of the GDPR. For example, a fine of up to 20 million euros or 4% of the company's global annual turnover can be imposed.
These are the most frequently asked questions
No, heyAcademy is not a standalone product, but an add-on to our all-in-one compliance solution. It is specifically designed to be integrated into the existing compliance learning environment and provide a seamless, centralized learning experience for both administrators and users. As an extension of our compliance solution, heyAcademy enables data protection training to be more efficient and targeted.
Yes, heyAcademy is available as an add-on, regardless of the existing package you have with heyData. Existing heyData admins can activate or deactivate heyAcademy for their employees directly in the platform, allowing for a flexible and seamless extension of your data protection management.
If you have any further questions or are interested in a demo of heyAcademy, don't hesitate to contact us. We will be happy to help you take your company's data protection expertise to the next level.
With heyAcademy, you can easily and intuitively create courses, select content, and assign them directly to specific individuals or teams. The platform offers a central administration interface that simplifies the organization of training courses.
Our pricing structure is flexible and based on the size of your team. We offer annual and monthly payment options to give you more flexibility. Prices start at €399 per year (monthly payment options are also available at corresponding prices).
Access is via the course management page in the heyData platform. As soon as heyAcademy is activated for your company, a "Create course" button will appear.
After completing a course, participants receive a unique certificate that you can create in heyAcademy, which confirms their acquired knowledge and can be shared on platforms such as LinkedIn.
In the privacy policy, the information about cookies should contain the following points briefly and clearly:
These points should help users to quickly understand your cookie practices and effectively manage their privacy settings.
The audit report describes the information that is necessary in the cookie banner, offers implementation suggestions, and contains a sample text for the cookie banner.
In case of inquiries, heyData helps customers to categorize cookies and points out associated risks.
No, heyData does not take over the categorization of unnecessary cookies or the complete technical setup of the cookie banner.
Cookies for language settings, shopping cart, search terms, log-in data, and payment processing (without analysis of user behavior) as well as Flash cookies for media content may be set without consent. These are cookies that are essential for the operation of a website and its basic functions.
These are the most frequently asked questions.
A deletion concept under the GDPR is a systematic plan that defines how personal data that is no longer required or whose retention period has expired is deleted securely and in compliance with data protection regulations. It ensures that data is only stored for as long as necessary and supports compliance with the data protection principles of the GDPR.
An erasure period is simply the period of time set for the final deletion of certain types of data or personal information. This period is determined by the start of data processing and the specified retention period. Legal obligations for certain types of data can also contribute to the definition of deletion periods.
In order to fulfill documentation and accountability obligations, it is crucial to regularly review and update the deletion concept. Regular reviews ensure that the deadlines for deleting personal data are not only met, but also remain up to date.
Data processing in your company that does not meet GDPR standards can have serious consequences. Initial non-compliance may result in a warning, but if the inadequate practices continue, the consequences can escalate to possible reprimands, temporary or permanent bans on data processing and significant financial penalties of up to €20 million or 4% of the company's annual global turnover.
An effective deletion concept includes identifying all personal data that your company processes, defining retention periods based on legal requirements and the purpose of the processing, and implementing secure deletion procedures. Regular training for employees and the establishment of procedures for reviewing and updating the concept are also important.
Yes, the GDPR stipulates that personal data must be securely erased in both digital and physical form. Digital data should be deleted in such a way that it cannot be recovered, and physical documents should be destroyed in such a way that the information is no longer readable.
Carefully review the request, identify all locations where the data in question is stored, and delete the data according to your deletion policy. Document the process and inform the requester that the deletion has been carried out.
These are the most frequently asked questions.
A data protection seal is like a certificate that is awarded to companies that demonstrably comply with high data protection standards and are GDPR-compliant. It serves as a visible sign of your commitment to protecting the personal data of your customers and partners.
The duration of the process can vary and depends on the current status of your data protection measures and the size of your company. heyData strives to make the process as efficient and smooth as possible and will work with you to create a realistic timeline.
Yes, the seal is tied to ongoing compliance with GDPR standards. heyData provides ongoing monitoring and support to ensure that your company remains compliant after receiving the seal.
The privacy seal strengthens the trust of your customers as it shows that you take their personal data seriously. This can improve customer loyalty and encourage potential customers to choose your services or products.
No, heyData provides the tools to obtain the Privacy Seal and offers them to you for free when you purchase one of our Professional or Enterprise packages, which already provide a comprehensive package for making your business privacy compliant.