The most frequently asked questions about our service and data protection.
Find out more about our services, packages and prices at heyData, your external data protection officer-as-a-software.
heyData's customers receive a powerful combination of effective data protection software and personalized expert guidance. Our digital platform makes it simple and reliable to take control of your data protection, while our team of data protection lawyers are some of the most knowledgeable in their field.
Data protection is not a question of company size. The data protection regulations - and unfortunately also the fines - affect the self-employed as well as corporations. Investing in data protection measures early on can ensure that they scale with your company and avoid the need for any disruptive changes down the line.
You can get an approximate cost estimate by visiting our price overview.
You can find an overview of our packages and how they differ here.
The heyData platform helps you gain control over key data protection processes that are critical for your business - from auditing, to retrieving important documents, to training employees.
Onboarding: Introduction of all relevant employees to heyData platform.
Digital 360° Audit: Screening your departments for data protection compliance.
Documentation: The heyData platform provides automated creation of all privacy-related documents, as well as expert guidance on how to enhance your privacy level.
Continuous Support: Proactive monitoring of all data protection topics via our platform with a personal contact person.
We work predominantly in English and German, but other languages are available on request.
Here you will find all the answers to the topics that fall under the category of data protection.
17 German supervisory authorities monitor compliance with data protection regulations. Your data protection officer is obligated to ensure compliance with these data protection regulations in accordance with Art. 39 (1) DSGVO.
If you do not comply, your company can expect fines of up to 20 million euros or 4% of annual sales. In addition, such infringement will result in a loss of confidence and trust in your company, which is priceless.
Even if you do not need a data protection officer, your company must still comply with all data protection requirements. However, you definitely need a data protection officer if one or more of the following criteria apply to your company:
These are the most frequently asked questions
In general, it is not only a question of the number of employees. Even if you are not obliged to appoint a data protection officer, your company must still comply with all data protection requirements. A data protection officer is required in any case if one or more of the following criteria apply to your company:
The data protection officer has the following tasks:
A part-time internal data protection officer invests 20% of his or her working time in data protection tasks. This can cost the company between 5,000 and 15,000 euros per year, depending on the effort involved.
If one hires a full-time internal data protection officer, the costs are the same as for the part-time data protection officer, but without a pro-rata salary calculation. The costs for full-time data protection officers can range from 45,000 to 65,000 euros per year, depending on the company and the tasks. The average investment is 55,000 euros.
The costs for external data protection officers vary greatly and depend on many factors. Lawyers and law firms can charge hourly rates of 250 EUR and more, while external data protection officers with a certificate of professional competence often earn somewhat less.
It is important to mention that an external data protection officer covers many cost items themselves, e.g. further training and working materials, and is in principle liable for errors in their advice.
Our data protection solution offers your company, among other things:
Based on your needs, we will create a customised offer and communicate it to you in a transparent way (no hidden extra fees). For more information see our pricing page.
If you are looking for an external data protection officer (DPO), there are a few things you should look out for. Here are the most important points to tick off your checklist:
The most frequently asked questions and answers to our data protection consultation
There are various contacts for questions about data protection.
We offer the use of a team of state-certified lawyers and attorneys who specialise in companies of different sizes and industries.
A data protection advisor, also called a data protection officer (DPO), is a person who assists companies and organisations in implementing data protection regulations. His or her role is to check compliance with data protection laws and regulations and to protect the personal data of customers, employees and others.
Specifically, a data protection advisor may undertake the following tasks:
We take care of all this and also offer software that simplifies the life of both the employee and the employer.
Violations of the General Data Protection Regulation (GDPR) can be punished by competent data protection authorities with significant fines. The amount of the fines depends on the severity of the violation and the economic damage caused.
In detail, the following sanctions can be imposed for violations of the GDPR:
In addition, persons whose rights have been violated by breaches of the GDPR may also assert claims for damages against the company. It is also possible that competitors or consumer protection agencies send warning letters to a violating company, the costs of which the company must bear.
It is therefore important that companies and organisations comply with the requirements of the GDPR and check their processes and systems for data protection compliance.
Data protection breaches can be reported to different places depending on where the breach occurred and what type of breach it is. Here are some possible places to go:
It is important to emphasise that there are different contact points in each federal state, so it makes sense to find out about the responsibilities in advance.
No, there is no explicit obligation stated in the General Data Protection Regulation (GDPR). However, there is an indirect obligation, because a company must ensure that personal data is processed in accordance with the requirements of the GDPR and should therefore also train its employees accordingly.
Such training aims to make employees aware of the careful handling of personal data and to provide them with the necessary knowledge and skills to avoid data protection breaches. Data protection training should therefore take place regularly, especially for new employees and when data protection regulations change.
The exact requirements for data protection training can vary depending on the country and industry. However, in the European Union there are some requirements that apply to all companies that process personal data.
According to Article 39 of the General Data Protection Regulation (GDPR), one of the responsibilities of a company's data protection officer is to ensure that employees receive regular training so that they are able to fulfil their data protection obligations. Training should be adapted to the specific tasks and needs of the employees.
Employees who process personal data should receive regular training. In addition, it may be necessary to provide even more frequent training in the event of changes to data protection regulations or the introduction of new technologies or procedures that have an impact on the processing of personal data.
The costs for data protection training can vary depending on the scope and content of the training.
For customers who opt for the Professional or Enterprise package, data protection training is of course already included in the price; in the Basic package, on the other hand, training can be booked individually at any time. The exact prices may vary, however, depending on individual needs.
It is important to note, however, that the price for data protection training is only part of the overall service offered by heyData. For companies that work with us, we also take on the role of external data protection officer and deliver support in the implementation of technical and organisational measures, a comprehensive digital audit and many other benefits.
Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.
Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.
Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data are processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that compliance with data protection policies is ensured by all parties involved.
If you want to introduce technical and organisational measures in your company, there are some steps you should follow:
The creation of TOMs can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can also bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOMs.
On 12 May 2023, the Federal Council passed the Whistleblower Protection Act, which is the national implementation of the EU Whistleblower Directive. It is expected to come into force in mid-June 2023. This law was passed to better protect whistleblowers and provide them with a safe way to report wrongdoing at their employers.
First, companies with 250 or more employees must set up internal whistleblowing systems. These systems are designed to enable employees to report wrongdoing safely and confidentially. Companies with 50-249 employees have a transition period until 17 December 2023.
An anonymous whistleblower protection system offers whistleblowers the opportunity to report grievances safely and confidentially without fear that their identity will be revealed. This can help ensure that more employees are willing to report wrongdoing because they feel safe and do not have to fear negative consequences. Such a system can help companies respond to and remedy grievances more quickly, which can ultimately help build trust in the company among employees and the public.
Yes, our whistleblowing solution mattersOut can also be booked as a stand-alone product. Just get in touch with us.
Companies in the public sector as well as cities and municipalities with more than 10,000 inhabitants are covered by the law and must offer whistleblowing systems from mid-June 2023. These systems are designed to enable citizens to report wrongdoing securely and confidentially.
It must be possible to submit a report orally or in writing and, on request, also in person.
The internal reporting office must acknowledge receipt of the report to whistleblowers within seven days.
Within three months, the internal reporting office must inform the whistleblower what action has been taken as a result, e.g. the initiation of internal investigations or the forwarding of the report to the competent authority.
In the whistleblower system, reports are usually received by case managers, persons of trust, or ombudspersons.
When selecting potential case managers, choose people whose other activities do not create conflicts of interest. People who already hold positions of responsibility in, for example, data protection (DPO), anti-money laundering or similar areas are well suited to this role.
Ideally, the case manager should have expertise in the area of the Whistleblower Protection Act or be willing to undergo further training in this area. Individuals with experience in handling sensitive information and ensuring confidentiality may be particularly suitable.
To fill the position of case manager, it is a good idea to consider someone from the human resources department or the legal department, provided they are not in a senior position. People in these departments often have an understanding of compliance issues and legal aspects relevant to dealing with whistleblower reports.
Yes, it is important to train the case manager regularly. We recommend training at least once a year to ensure that the case manager has the necessary expertise and is familiar with the latest developments in the area of the Whistleblower Protection Act. Regular training keeps case managers up to date and enables them to deal effectively and competently with incoming reports.
Training employees on whistleblowing is a recommended measure to make the use of whistleblower software known and attractive. However, there is no legal obligation for employees to use the software, as they are legally allowed to go directly to the external government reporting offices. Companies usually prefer, however, that internal grievances are dealt with internally.
Upon request, we provide training for employees to inform them about the whistleblowing process, the benefits of reporting internally and how to use the whistleblower software safely. Such training typically covers the importance of whistleblowing to corporate integrity, the confidentiality of reports, protection against reprisals, and the possible consequences of misuse or false reporting.
The training is designed to encourage employees to report potential wrongdoing or illegal behavior internally rather than going to external agencies. The training provides employees with the necessary knowledge and awareness to identify potential risks and grievances at an early stage and to act appropriately.
It is not recommended to simply copy a privacy policy from another website. Each website has its own requirements and practices for handling personal data. A generic privacy policy may not meet your specific needs and may have legal consequences. It is advisable to create a customised privacy policy for your website.
It is important to regularly review and update your privacy policy to ensure that it complies with current legal requirements and reflects your business practices. Changes in the way you collect or use personal data should be communicated transparently in your privacy policy.
If you want to use Google Analytics to collect data about your website visitors, there are some privacy issues you should be aware of. Here are some important points:
A data protection audit is necessary to ensure that organisations process personal data in a lawful and secure manner. The GDPR imposes significant obligations to protect personal data. By conducting a data protection audit, you can ensure compliance, identify risks, and implement necessary improvements.
A data protection audit can be conducted internally by an organisation's data protection officer or data protection team. Alternatively, the organisation can engage external auditors or data protection officers who specialise in data protection and GDPR compliance. The choice depends on the organisation's resources, expertise, and specific requirements.
A data protection audit usually includes the following essential components:
The frequency of data protection audits depends on various factors, such as the size of the organisation, the type of data processing activities, and the risk associated with data processing. Although the GDPR does not prescribe a specific frequency, it is recommended to conduct regular audits, at least annually as is the case with heyData, or when there are significant changes in data processing operations.
After our data protection audit, the organisation receives a detailed report on the findings, recommendations and identified non-conformities. Based on this report, the organisation can develop an action plan to address the issues identified during the audit. The necessary changes and improvements should then be implemented to strengthen data protection and ensure compliance with the GDPR.
Yes, failure to comply with the General Data Protection Regulation can result in significant fines. Depending on the type and severity of the breach, organisations can be fined up to €20 million or 4% of their annual global turnover - whichever is higher. It is critical for organisations to prioritise data protection and conduct regular audits to minimise the risk of data breaches.
Conducting regular data protection audits demonstrates an organisation's commitment to protecting personal data and complying with data protection regulations. This increases the trust of partners and customers by guaranteeing that their data is handled responsibly and securely. By conducting audits and demonstrating GDPR compliance, organisations can improve their reputation and build stronger relationships with their stakeholders.
Although the GDPR does not provide a specific framework for audits, there are guidelines and best practices to help organisations conduct data protection audits. For example, the International Organisation for Standardisation (ISO) has developed the ISO/IEC 27701 standard, which provides guidelines for auditing data protection management systems. In addition, national data protection authorities and data protection organisations may offer specific guidance adapted to local requirements.
Yes, organisations can bring in external experts such as data protection officers or auditors who specialise in GDPR policies and data protection issues. These experts can provide valuable insight and expertise and ensure a thorough and independent assessment of an organisation's data protection practices.
The frequency of carrying out a data protection impact assessment depends on several factors, including the type of data processing, the occurrence of changes or new risks, and the privacy relevance of the processing. In general, it is advisable to review and update the DPIA on a regular basis.
Article 35(2) of the GDPR states that the "controller" shall conduct the DPIA. As a rule, the data controller is responsible for carrying out the data protection impact assessment and for seeking the advice of the data protection officer, whether internal or external.
Failure to conduct a required data protection impact assessment can result in significant penalties under the GDPR, including fines of up to €10 million or 2% of the global annual turnover of the previous fiscal year, whichever is greater.
The DPIA usually consists of three main parts:
The data protection officer plays an essential role in the performance of the DPIA. He or she advises the controller or processor on how to conduct the DPIA, reviews the results, and ensures that the DPIA is conducted in compliance with the GDPR.
Not all companies are obliged to conduct a DPIA. The obligation to conduct a DPIA arises from Article 35 of the GDPR and only concerns processing operations that involve a high risk to the rights and freedoms of natural persons, in particular when using new technologies.
Although it is possible to perform a DPIA yourself, it is often advisable to consult a data protection law expert or a data protection officer due to the complexity of the requirements of the GDPR.
The GDPR provides a set of guidelines for conducting a DPIA. It is important that you familiarize yourself with these guidelines and incorporate them into your DPIA. In addition, consulting with an external data protection expert or data protection officer can help ensure compliance.
The General Data Protection Regulation (GDPR) is an EU legal framework that regulates the protection of personal data in companies and organizations. It entered into force on May 25, 2018 and contains rules for the processing, storage and transfer of personal data of EU residents.
The GDPR applies to all companies that process personal data of EU citizens, regardless of whether the company is based inside or outside the EU. It affects small and medium-sized enterprises as well as large corporations.
The GDPR grants individuals a number of rights, including the right to access their stored data, the right to rectify incorrect data, the right to have their data deleted ("right to be forgotten"), the right to data portability and the right to object to the processing of their data.
Companies must take various measures to comply with the GDPR. These include appointing a data protection officer (if required), conducting data protection impact assessments, implementing appropriate technical and organizational measures to protect personal data, obtaining data subjects' consent for data processing, and reporting data breaches.
Violations of the GDPR can result in fines of up to €20 million or 4% of the company's annual global turnover, whichever is greater. The actual amount of the fine depends on the nature, severity, and duration of the breach.
A data processor is a person or organization that processes personal data on behalf of a data controller. The processor acts according to the instructions of the controller and is subject to certain legal obligations under the GDPR.
The length of time for which personal data may be stored depends on the purpose of the data processing. Companies must store personal data for as long as is necessary to fulfill the purpose of the processing. In some cases, specific retention periods may be imposed by other laws or regulations.
A data breach refers to a security incident in which personal data is inadvertently or unlawfully accessed, disclosed, altered, or destroyed. When a data breach occurs and high risks to data subjects are expected, there is an obligation to assess and report it to the relevant supervisory authority and, in some cases, to the data subjects.
Internally, it is an important task of an internal or external data protection officer pursuant to Art. 39 (1) GDPR to work towards compliance with data protection provisions. On the government side, 17 supervisory authorities monitor compliance with data protection regulations.
Customers of heyData get the very best of combining helpful data protection software and highly personalized expert support. With the heyData platform, you get your data protection under control. At the same time, our specialist lawyers are true experts in their field and also know the ins and outs of your business.
Creating a record of processing activities as early as possible is recommended, ideally when you start your business. This way, you can ensure compliance with the GDPR from the start and significantly reduce the risk of data breaches.
A register of processing activities offers a number of key benefits. It helps minimise data breaches, which prevents potential financial penalties and reputational damage. It also fosters trust with your customers and partners, which promotes long-term relationships and a positive corporate reputation. It also provides clear internal documentation, which is beneficial for data protection audits and cooperation with data protection authorities.
The complexity depends on the size and scope of the company. For small and medium-sized companies it can be manageable, while larger companies have to put in more effort. For these reasons, our clients very often turn to us when they need fast and effective support so that they do not have to spend weeks creating these documents.
Yes, the register of processing activities should be updated regularly. As business processes can change and new data protection requirements emerge, it is important to keep the record up to date. Regular review and updating ensures that data protection risks continue to be appropriately assessed and managed.
According to Article 4(12) of the General Data Protection Regulation, a data breach is a breach of security that accidentally or unlawfully results in the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Identifying a data breach can be complex. Signs may include unusual system activity, reports of stolen or lost devices, or unexplained data loss. According to Article 33 paragraph 1 of the GDPR, regular monitoring is required to identify such incidents.
According to Article 33 paragraph 1 of the General Data Protection Regulation, if you discover a data breach, you must notify the competent data protection authority without undue delay and, where possible, within 72 hours of becoming aware of the breach. The notification should also describe the mitigation measures taken, such as changing passwords or blocking access.
Failure to report a data breach can result in significant fines under Article 83 of the GDPR. These can be up to €20 million or up to 4% of annual global turnover, whichever is higher.
As an affected person, you have first and foremost the right to be informed of the data breach in accordance with Article 34 of the GDPR, as well as the right to lodge a complaint with the competent data protection authority in accordance with Article 77 of the GDPR. Finally, you may also be entitled to financial compensation.
The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.
A DPA is required whenever a controller transfers personal data to a processor. This applies to services such as cloud storage, IT support, payment processing, and other processing activities for personal data.
Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.
The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.
The DPA should be retained for as long as the data processing between the controller and processor continues and, beyond that, for a reasonable period of time in order to demonstrate compliance with the GDPR.
Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.