Frequently Asked Questions

The most frequently asked questions about our service and data protection.

About heyData's Service

Find out more about our services, packages and prices at heyData, your external data protection officer-as-a-software.

heyData's customers receive a powerful combination of effective data protection software and personalized expert guidance. Our digital platform makes it simple and reliable to take control of your data protection, while our team of data protection lawyers are some of the most knowledgeable in their field.

Data protection is not a question of company size. The data protection regulations - and unfortunately also the fines - affect the self-employed as well as corporations. Investing in data protection measures early on can ensure that they scale with your company and avoid the need for any disruptive changes down the line.

You can get an approximate cost estimate by visiting our price overview.

You can find an overview of our packages and how they differ here.

The heyData platform helps you gain control over key data protection processes that are critical for your business - from auditing, to retrieving important documents, to training employees.

Onboarding: Introduction of all relevant employees to heyData platform.

Digital 360° Audit: Screening your departments for data protection compliance.

Documentation: The heyData platform provides automated creation of all privacy-related documents, as well as expert guidance on how to enhance your privacy level.

Continuous Support: Proactive monitoring of all data protection topics via our platform with a personal contact person.

We work predominately in English and German, but other languages are available on request. 

About Data Protection

Here you will find all the answers to the topics that fall under the category of data protection.

17 German supervisory authorities monitor compliance with data protection regulations. Your data protection officer is obligated to ensure compliance with these data protection regulations in accordance with Art. 39 (1) DSGVO.

If you do not comply, your company can expect fines of up to 20 million euros or 4% of annual sales. In addition, such infringement will result in a loss of confidence and trust in your company, which is priceless.

Even if you do not need a data protection officer, your company must still comply with all data protection requirements. However, you definitely need a data protection officer if one or more of the following criteria apply to your company:

  • You employ more than 20 people
  • You extensively process special categories of personal data (such as data concerning a person's ethnic origin, political opinion, religious beliefs, or health)
  • You use video surveillance or employ new techniques, e.g. algorithms or artificial intelligence
  • In almost all companies that have a connection with personnel: where personal data is transmitted, collected, processed or used on a businesslike basis as a core activity for the company

FAQ About the Data Protection Officer

These are the most frequently asked questions

In general, it is not only a question of the number of employees. Even if you are not obliged to appoint a data protection officer, your company must still comply with all data protection requirements. A data protection officer is required in any case if one or more of the following criteria apply to your company:

  • You have more than 20 employees
  • You process special categories of personal data on a large scale (e.g. data about a person's ethnic origin, political opinions, religious beliefs or health).
  • You use video surveillance or employ new technologies, e.g. algorithms or artificial intelligence.
  • In almost all businesses that have a connection to personnel: personal data are transmitted, collected, processed or used on a business basis and this constitutes a core activity of the business.

The data protection officer has the following tasks:

  • Advising and training data controllers, processors and employees on compliance with data protection regulations.
  • Monitoring compliance with data protection regulations and strategies for the protection of personal data, as well as conducting data protection impact assessments.
  • Data protection audit of your company.
  • Cooperation and contact with the data protection authority.
  • Advising management and specialist departments.
  • Preparation of mandatory documents.

A part-time internal data protection officer invests 20% of his or her working time in data protection tasks. This can cost the company between 5,000 and 15,000 euros per year, depending on the effort involved.

If one hires a full-time internal data protection officer, the costs are the same as for the part-time data protection officer, but without a pro-rata salary calculation. The costs for full-time data protection officers can range from 45,000 to 65,000 euros per year, depending on the company and the tasks. The average investment is 55,000 euros.

The costs for external data protection officers vary greatly and depend on many factors. Lawyers and law firms can charge hourly rates of 250 EUR and more, while external data protection officers with a certificate of professional competence often earn somewhat less.

It is important to mention that an external data protection officer pays for many cost items, e.g. further training, working materials, and is basically liable for mistakes in the advice.

Our data protection solution offers your company, among other things:

  • Support as an external data protection officer
  • Support in the creation & review of data protection declarations, order processing agreements (AVV), the record of processing activities (VVT), technical and organisational measures (TOM) and the most important data protection documents
  • A comprehensive digital audit to identify data protection risks
  • Online staff training
  • An expert team of lawyers and legal experts to help you comply with data protection regulations

Based on your needs, we will create a customised offer and communicate it to you in a transparent way (no hidden extra fees). For more information see our pricing page.

If you are looking for an external data protection officer (DPO), there are a few things you should look out for. Here are the most important points to tick off your checklist:

  • Legal knowledge: Does the external DPO have solid experience in data protection? Is he/she an expert on the GDPR and/or other local regulations?
  • Industry knowledge: Does the external DPO have experience in your specific industry? This can be particularly helpful if your industry has specific data protection requirements.
  • A person or team of experts: Is the DPO part of a team of experts? If so, this means not only additional expertise but also increased availability.
  • Soft skills: In the best case, the DPO should also have interdisciplinary skills such as good communication and teamwork. This makes cooperation much easier.
  • Training and certification for your employees: Can the external DPO train your employees sufficiently? And can he or she issue them with a certification on completion of the courses?
  • Price and transparency: Are the costs clear and transparent? Are there different package options that fit your budget?
  • Digitalisation and simplification: Does the external DPO use modern, digital tools such as software and integrations? This can speed up processes and increase efficiency.
  • Updates and flexibility: Can the external DPO adapt to changing requirements? In the area of data protection, it is often crucial to stay up to date, as laws and regulations can change.

Comprehensive data protection consultation

The most frequently asked questions and answers to our data protection consultation

There are various contacts for questions about data protection.

  • For private companies or organisations, the company data protection officer (DPO), as well as an external data protection officer, or in the case of smaller companies, an internal person who is familiar with data protection, can help in the first instance. 
  • For public bodies, such as public authorities or schools, there is usually a data protection officer who acts as a contact person for questions on data protection.
  • Other contact points for questions on data protection can also be consumer centres or data protection officers of the respective federal states. The Federal Office for Information Security (BSI) also offers advice on data protection issues.

We offer the use of a team of state-certified lawyers and attorneys who specialise in companies of different sizes and industries.

A data protection advisor, also called a data protection officer (DPO), is a person who assists companies and organisations in implementing data protection regulations. His or her role is to check compliance with data protection laws and regulations and to protect the personal data of customers, employees and others.

Specifically, a data protection advisor may undertake the following tasks:

  • Advice: the data protection advisor advises companies and organisations on data protection requirements and makes recommendations for implementation.
  • Training: The data protection advisor trains employees and managers in the handling of personal data.
  • Monitoring: The data protection advisor monitors compliance with data protection regulations and checks the technical and organisational measures for securing personal data.
  • Documentation: The data protection advisor often prepares and reviews documents relevant to data protection, but in some cases data protection coordinators also take on this activity.

The data protection advisor is therefore an important interface between companies and data protection authorities and helps to ensure that personal data is processed securely and in compliance with the law.

We take care of all this and also offer software that simplifies the life of both the employee and the employer.

Violations of the General Data Protection Regulation (GDPR) can be punished by competent data protection authorities with significant fines. The amount of the fines depends on the severity of the violation and the economic damage caused.

In detail, the following sanctions can be imposed for violations of the GDPR:

  • Warning: In the case of a first infringement or a minor infringement, the data protection authority may initially issue a warning.
  • Fines: Fines may be imposed for serious violations of the GDPR. The amount of the fines depends on various factors, such as the turnover of the company or the type and severity of the violation. The maximum level of fines is up to 4% of the group's annual global turnover or €20 million (whichever is higher).
  • Cease and desist or removal order: The data protection authority may issue an order requiring the company to remove the breach or to cease and desist in the future.
  • Public notice: In the case of particularly serious violations, the data protection authority may make the violations public.
  • Prohibition of data processing: In the case of particularly serious violations of the GDPR, the data protection authority may prohibit the company's data processing.

In addition, persons whose rights have been violated by breaches of the GDPR may also assert claims for damages against the company. It is also possible that competitors or consumer protection agencies send warning letters to a violating company, for which the company must pay.

It is therefore important that companies and organisations comply with the requirements of the GDPR and check their processes and systems for data protection compliance.

Data protection breaches can be reported to different places depending on where the breach occurred and what type of breach it is. Here are some possible places to go:

  • With the organisation concerned: if you suspect that a company or organisation has breached data protection rules, you should first try to contact the organisation concerned directly to resolve the issue.
  • With the competent data protection authority: In Germany, this is the data protection authority of the federal state in which the company or organisation that has violated data protection regulations is located. You can find the contact details of the respective authorities here.
  • With the police: If it is a serious breach of data protection that can also have criminal consequences, you should inform the police.
  • Consumer advice centres: Consumer centres can also help with data protection violations and provide legal assistance if necessary.

It is important to emphasise that there are different contact points in each federal state, so it makes sense to find out about the responsibilities in advance.

Relevant questions for data protection training

These are the most frequently asked questions

No, there is no official obligation stated in the General Data Protection Regulation (GDPR). However, there is an indirect obligation, because a company must ensure that personal data is processed in accordance with the requirements of the GDPR and should of course also train its employees in this sense.

Such training aims to make employees aware of the careful handling of personal data and to provide them with the necessary knowledge and skills to avoid data protection breaches. Data protection training should therefore take place regularly, especially for new employees and when data protection regulations change.

The exact requirements for data protection training can vary depending on the country and industry. However, in the European Union there are some requirements that apply to all companies that process personal data.

According to Article 39 of the General Data Protection Regulation (GDPR), one of the responsibilities of a data protection officer for companies is to ensure that employees receive regular training to ensure that they are able to fulfil their data protection obligations. Training should be adapted according to the specific tasks and needs of the employees.

Employees who process personal data should receive regular training. In addition, it may be necessary to provide even more frequent training in the event of changes to data protection regulations or the introduction of new technologies or procedures that have an impact on the processing of personal data.

The costs for data protection training can vary depending on the scope and content of the training.

For customers who opt for the Professional or Enterprise package, data protection training is of course already included in the price; in the Basic package, on the other hand, training can be booked individually at any time. The exact prices may vary, however, depending on individual needs.

It is important to note, however, that the price for data protection training is only part of the overall service offered by heyData. For companies that work with us, we also take on the role of external data protection officer and deliver support in the implementation of technical and organisational measures, a comprehensive digital audit and many other benefits.

FAQ on the technical and organisational measures (TOMs)

These are the most frequently asked questions

Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.

Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.

Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data are processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that compliance with data protection policies is ensured by all parties involved.

If you want to introduce technical and organisational measures in your company, there are some steps you should follow:

  • Create a list of internal contacts: If you do not know all the technical processes in the company yourself, you should create a list of contacts who can help you with this.
  • Summarise TOMs in a list: You can create your own list of appropriate measures to use, or you can rely on experts like those on our team to help you properly create this documentation.
  • Reviewing the list: The list should be reviewed regularly to see which TOMs have already been implemented and whether they are appropriate. You should also analyse which measures are missing and which need to be added.
  • Involve other contacts, internal or external: If you need help or are unsure, involve other controllers and discuss the adequacy of measures.
  • Present the measures to the controller: If you are not taking responsibility under the GDPR yourself, you should present and discuss the measures developed with the controller.
  • Regular review of the measures: It should be reviewed at least once a year whether the measures are still appropriate. Then they may need to be updated.

The creation of TOMs can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can also bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOMs.

FAQ on whistleblowing

These are the most frequently asked questions

On 12 May 2023, the Federal Council passed the Whistleblower Protection Act, which is the national implementation of the EU Whistleblower Directive. It is expected to come into force in mid-June 2023. This law was passed to better protect whistleblowers and provide them with a safe way to report wrongdoing at their employers.

First, companies with 250 or more employees must set up internal whistleblowing systems. These systems are designed to enable employees to report wrongdoing safely and confidentially. Companies with 50-249 employees have a transition period until 17 December 2023.

An anonymous whistleblower protection system offers whistleblowers the opportunity to report grievances safely and confidentially without fear that their identity will be revealed. This can help ensure that more employees are willing to report wrongdoing because they feel safe and do not have to fear negative consequences. Such a system can help companies respond to and remedy grievances more quickly, which can ultimately help build trust in the company among employees and the public.

Yes, our whistleblowing solution mattersOut can also be booked as a stand-alone product. Just get in touch with us.

Companies in the public sector as well as cities and municipalities with more than 10,000 inhabitants are covered by the law and must offer whistleblowing systems from mid-June 2023. These systems are designed to enable citizens to report wrongdoing securely and confidentially.

The procedure for submitting the notification must be possible orally or in writing and, if desired, also in person.

The internal reporting office must acknowledge receipt of the report to whistleblowers within seven days.

Within three months, the internal reporting office must inform the whistleblower what action has been taken as a result, e.g. the initiation of internal investigations or the forwarding of the report to the competent authority.

In the whistleblower system, reports are usually received by case managers, persons of trust, or ombudspersons.

When selecting potential case managers, consider people whose other activities do not create conflicts of interest. This means that, for example, positions of responsibility in data protection matters (DPO), anti-money laundering, or other similar areas are perfect for this role.

Ideally, the case manager should have expertise in the area of the Whistleblower Protection Act or be willing to undergo further training in this area. Individuals with experience in handling sensitive information and ensuring confidentiality may be particularly suitable.

To fill the position of case manager, it is a good idea to consider someone from the human resources department or the legal department, provided they are not in a senior position. People in these departments often have an understanding of compliance issues and legal aspects relevant to dealing with whistleblower reports.

Yes, it is important to train the case manager regularly. We recommend training at least once a year to ensure that the case manager has the necessary expertise and is familiar with the latest developments in the area of the Whistleblower Protection Act. Regular training keeps case managers up to date and enables them to deal effectively and competently with incoming reports.

Training employees on whistleblowing is a recommended measure to make the use of whistleblower software known and attractive. However, there is no legal obligation for employees to use the software, as they are legally allowed to go directly to the government's external reporting offices. Companies nevertheless usually prefer that internal grievances are dealt with internally.

Upon request, we provide training for employees to inform them about the whistleblowing process, the benefits of reporting whistleblowing internally and how to use the whistleblower software safely. Such training typically covers the importance of whistleblowing to corporate integrity, the confidentiality of reports, protection against reprisals, and the possible consequences of misuse or false reporting.

The training is designed to encourage employees to report potential wrongdoing or illegal behavior internally rather than going to external agencies. The training provides employees with the necessary knowledge and awareness to identify potential risks and grievances at an early stage and to act appropriately.

FAQ on privacy policy

These are the most frequently asked questions

It is not recommended to simply copy a privacy policy from another website. Each website has its own requirements and practices for handling personal data. A generic privacy policy may not meet your specific needs and may have legal consequences. It is advisable to create a customised privacy policy for your website.

It is important to regularly review and update your privacy policy to ensure that it complies with current legal requirements and reflects your business practices. Changes in the way you collect or use personal data should be communicated transparently in your privacy policy.

If you want to use Google Analytics to collect data about your website visitors, there are some privacy issues you should be aware of. Here are some important points:

  • Update your privacy policy: Make sure you are clear and transparent about the types of data you collect with Google Analytics, how you use it, and how visitors can exercise their privacy rights.
  • Anonymise the IP address: Google Analytics collects the IP addresses of visitors by default. To ensure the anonymity of users, you must activate the IP anonymisation function in Google Analytics. This function removes part of the IP address before processing.
  • Order processing contract: If you use Google Analytics, you as the website operator are responsible for the processing of the data. Make sure you have a data processing agreement with Google to ensure that your data is processed in accordance with applicable data protection laws.
  • Limit data transfers: Avoid submitting personal data to Google Analytics. Ensure that no sensitive data is collected or sent to Google Analytics.
  • Limit data storage: Check the settings of your Google Analytics account and make sure that you only store data for as long as it is necessary for your analysis purposes.
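As an added example (not heyData's code, nor Google's), the following JavaScript models the truncation that the IP anonymisation setting performs, following Google's documented rule of zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, so you can see exactly which part is removed before processing; the property ID placeholder and the sample addresses are assumptions.

```javascript
// Added example, not heyData's or Google's code: models what Google Analytics'
// IP anonymisation does to a visitor address, following Google's documented
// rule (last IPv4 octet set to zero, last 80 IPv6 bits set to zero).
// Sample addresses below are constructed.

// Expand an IPv6 address into its 8 hextets, resolving a single "::".
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = head.concat(Array(missing).fill('0'), tail);
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 hextet: ${g}`);
    return g.toLowerCase().replace(/^0+(?=.)/, ''); // strip leading zeros, keep "0"
  });
}

// IPv4: keep the first three octets, zero the host octet (203.0.113.42 -> 203.0.113.0).
function anonymizeIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  return octets.slice(0, 3).concat('0').join('.');
}

// IPv6: keep the first 48 bits (three hextets), zero the remaining 80 bits.
function anonymizeIPv6(ip) {
  const prefix = expandIPv6(ip).slice(0, 3);
  return prefix.every((g) => g === '0') ? '::' : prefix.join(':') + '::';
}

// Dispatch on address family.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// The gtag.js setting that switches this truncation on for a Universal
// Analytics property (assumption: replace the placeholder ID with your own).
// In a page that has loaded gtag.js this reads:
//   gtag('config', 'UA-XXXXXXX-Y', { anonymize_ip: true });

// Demonstration on constructed sample addresses when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const ip of ['203.0.113.42', '2001:db8:85a3:8d3:1319:8a2e:370:7348']) {
    console.log(`${ip} -> ${anonymizeIp(ip)}`);
  }
}
```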

FAQ on our data protection audit

These are the most frequently asked questions

A data protection audit is necessary to ensure that organisations process personal data in a lawful and secure manner. The GDPR imposes significant obligations to protect personal data. By conducting a data protection audit, you can ensure compliance, identify risks, and implement necessary improvements.

A data protection audit can be conducted internally by an organisation's data protection officer or data protection team. Alternatively, the organisation can engage external auditors or data protection officers who specialise in data protection and GDPR compliance. The choice depends on the organisation's resources, expertise, and specific requirements.

A data protection audit usually includes the following essential components:

  • Review of data protection policies and procedures.
  • Assessment of the data processing activities and the legal basis for the processing.
  • Review of data protection and security measures.
  • Evaluation of procedures to safeguard data subjects' rights and to comply with the GDPR.
  • Analysis of data breach management and notification process.
  • Evaluation of contract processing agreements with service providers and third parties.
  • Identification of gaps or non-compliances.

The frequency of data protection audits depends on various factors, such as the size of the organisation, the type of data processing activities, and the risk associated with data processing. Although the GDPR does not prescribe a specific frequency, it is recommended to conduct regular audits, at least annually as is the case with heyData, or when there are significant changes in data processing operations.

After our data protection audit, the organisation receives a detailed report on the findings, recommendations and identified non-conformities. Based on this report, the organisation can develop an action plan to address the issues identified during the audit. The necessary changes and improvements should then be implemented to strengthen data protection and ensure compliance with the GDPR.

Yes, failure to comply with the General Data Protection Regulation can result in significant fines. Depending on the type and severity of the breach, organisations can be fined up to €20 million or 4% of their annual global turnover - whichever is higher. It is critical for organisations to prioritise data protection and conduct regular audits to minimise the risk of data breaches.

Conducting regular data protection audits demonstrates an organisation's commitment to protecting personal data and complying with data protection regulations. This increases the trust of partners and customers by guaranteeing that their data is handled responsibly and securely. By conducting audits and demonstrating GDPR compliance, organisations can improve their reputation and build stronger relationships with their stakeholders.

Although the GDPR does not provide a specific framework for audits, there are guidelines and best practices to help organisations conduct data protection audits. For example, the International Organisation for Standardisation (ISO) has developed the ISO/IEC 27701 standard, which provides guidelines for auditing data protection management systems. In addition, national data protection authorities and data protection organisations may offer specific guidance adapted to local requirements.

Yes, organisations can bring in external experts such as data protection officers or auditors who specialise in GDPR policies and data protection issues. These experts can provide valuable insight and expertise and ensure a thorough and independent assessment of an organisation's data protection practices.

FAQ about Data Protection Impact Assessment (DPIA)

These are the most frequently asked questions

The frequency of carrying out a data protection impact assessment depends on several factors, including the type of data processing, the occurrence of changes or new risks, and the privacy relevance of the processing. In general, it is advisable to review and update the DPIA on a regular basis.

Article 35(2) of the GDPR states that the "controller" shall conduct the DPIA. As a rule, the data controller is responsible for carrying out the data protection impact assessment and for involving the advice of the data protection officer, internal or external.

Failure to conduct a required data protection impact assessment can result in significant penalties under the GDPR, including fines of up to €10 million or 2% of the global annual turnover of the previous fiscal year, whichever is greater.

The DPIA usually consists of three main parts:

  • A systematic description of the planned data processing operations and the purposes of the processing.
  • An assessment of the necessity and proportionality of the processing operations in relation to the purpose.
  • An assessment of the risks to the rights and freedoms of data subjects and the mitigation measures, safeguards and mechanisms envisaged to mitigate those risks.

A DPIA is necessary when data processing involves a high risk to the rights and freedoms of data subjects, such as sensitive data. The processing of sensitive data requires a careful assessment of the associated risks and potential impact on privacy to ensure compliance with data protection requirements, such as:

  • Comprehensive processing of biometric data to uniquely identify natural persons
  • Comprehensive processing of genetic data
  • Comprehensive processing of data on the location of data subjects.

The data protection officer plays an essential role in the performance of the DPIA. He or she advises the controller or processor on how to conduct the DPIA, reviews the results, and ensures that the DPIA is conducted in compliance with the GDPR.

Not all companies are obliged to conduct a DPIA. The obligation to conduct a DPIA arises from Article 35 of the GDPR and only concerns processing operations that involve a high risk to the rights and freedoms of natural persons, in particular when using new technologies.

Although it is possible to perform a DPIA yourself, it is often advisable to consult a data protection law expert or a data protection officer due to the complexity of the requirements of the GDPR.

The GDPR provides a set of guidelines for conducting a DPIA. It is important that you familiarize yourself with these guidelines and incorporate them into your DPIA. In addition, consulting with an external data protection expert or data protection officer can help ensure compliance.

FAQ about data protection across the company

These are the most frequently asked questions

The General Data Protection Regulation (GDPR) is an EU legal framework that regulates the protection of personal data in companies and organizations. It entered into force on May 25, 2018 and contains rules for the processing, storage and transfer of personal data of EU residents.

The GDPR applies to all companies that process personal data of EU citizens, regardless of whether the company is based inside or outside the EU. It affects small and medium-sized enterprises as well as large corporations.

The GDPR grants individuals a number of rights, including the right to access their stored data, the right to rectify incorrect data, the right to have their data deleted ("right to be forgotten"), the right to data portability and the right to object to the processing of their data.

Companies must take various measures to comply with the GDPR. These include appointing a data protection officer (if required), conducting data protection impact assessments, implementing appropriate technical and organizational measures to protect personal data, obtaining data subjects' consent for data processing, and reporting data breaches.

Violations of the GDPR can result in fines of up to €20 million or 4% of the company's annual global turnover, whichever is greater. The actual amount of the fine depends on the nature, severity, and duration of the breach.

A data processor is a person or organization that processes personal data on behalf of a data controller. The processor acts according to the instructions of the controller and is subject to certain legal obligations under the GDPR.

The length of time for which personal data may be stored depends on the purpose of the data processing. Companies must store personal data for as long as is necessary to fulfill the purpose of the processing. In some cases, specific retention periods may be imposed by other laws or regulations.

A data breach is a security incident in which personal data is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authorisation. Unless the breach is unlikely to result in a risk to data subjects, it must be assessed and reported to the competent supervisory authority; where it is likely to result in a high risk, the affected data subjects must be informed as well.

Internally, it is one of the tasks of the internal or external data protection officer under Art. 39 (1) GDPR to monitor compliance with data protection provisions. On the government side, 17 supervisory authorities in Germany monitor compliance with data protection regulations.

Customers of heyData get the very best of combining helpful data protection software and highly personalized expert support. With the heyData platform, you get your data protection under control. At the same time, our specialist lawyers are true experts in their field and also know the ins and outs of your business.

FAQ about the record of processing activities

These are the most frequently asked questions

Creating a record of processing activities as early as possible is recommended, ideally when you start your business. This way, you can ensure compliance with the GDPR from the start and significantly reduce the risk of data protection violations.

A register of processing activities offers a number of key benefits. It helps minimise data protection violations, which prevents potential financial penalties and reputational damage. It also fosters trust with your customers and partners, which promotes long-term relationships and a positive corporate reputation. Finally, it provides clear internal documentation, which is beneficial for data protection audits and cooperation with data protection authorities.

The complexity depends on the size and scope of the company. For small and medium-sized companies it can be manageable, while larger companies have to put in more effort. For these reasons, our clients very often turn to us when they need fast and effective support so that they do not have to spend weeks creating these documents.

Yes, the register of processing activities should be updated regularly. As business processes can change and new data protection requirements emerge, it is important to keep the record up to date. Regular review and updating ensures that data protection risks continue to be appropriately assessed and managed.

FAQ about data breaches

These are the most frequently asked questions

According to Article 4(12) of the General Data Protection Regulation, a data breach is a breach of security that leads accidentally or unlawfully to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Identifying a data breach can be complex. Signs may include unusual system activity, reports of stolen or lost devices, or unexplained data loss. The GDPR does not prescribe a detection method, but Article 32 obliges you to implement appropriate security measures, including a process for regularly testing and evaluating their effectiveness; in practice this means logging and monitoring that is capable of surfacing such incidents.

According to Article 33 paragraph 1 of the General Data Protection Regulation, if you discover a data breach you must notify the competent data protection authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the affected persons. The notification must describe the breach, its likely consequences and the measures taken or proposed to address it, such as resetting passwords or revoking access. If the notification is made later than 72 hours, it must be accompanied by reasons for the delay.

Failure to report a data breach can result in significant fines under Article 83 of the GDPR. These can be up to €20 million or up to 4% of annual global turnover, whichever is higher.

As an affected person, you have first and foremost the right to be informed of the data breach in accordance with Article 34 of the GDPR, as well as the right to lodge a complaint with the competent data protection authority in accordance with Article 77 of the GDPR. Finally, you may also be entitled to financial compensation.

FAQ about data processing agreement (DPA)

These are the most frequently asked questions

The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.

A DPA is required whenever a processor processes personal data on behalf of a controller. This applies to services such as cloud storage, IT support, payment processing, and other processing activities involving personal data.

Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.

The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.

The DPA should be retained for as long as the data processing between the controller and processor continues and for a reasonable period beyond that, so that compliance with the GDPR can be demonstrated.

Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.

FAQ about heyData and GDPR

These are our potential customers FAQ

heyData stands out with its tailor-made, actionable recommendations crafted to meet your specific needs. Our platform, complemented by expert legal advice, ensures a hassle-free overview and management of your privacy obligations.
In addition, you are provided with a vast selection of compliance trainings, assistance for all necessary data protection documentation, a powerful vendor risk management tool, a secure data protection vault, and much more.

heyData is equipped to handle compliance with the EU GDPR. The GDPR does not only apply to companies that are based in the EU, but to all companies that offer goods or services in the EU or track the behavior of persons in the EU, regardless of where they are based. As the most influential privacy law in the world, the GDPR inspired many of the privacy laws adopted in the USA in recent years and is generally considered the main benchmark in data protection law. This means that applying GDPR standards can be beneficial even for companies that do not need to comply with the GDPR directly, as these standards will cover obligations arising from local laws in almost all cases.

Our platform is continually updated by our team of legal experts to reflect the latest GDPR regulations and compliance standards, ensuring your business is always ahead in compliance matters.

First of all, you will have a call with one of our representatives, who will assess your situation and requirements. After that we will create a customized offer based on your needs and from there, if you decide to sign up with us, we will start our onboarding process and make sure that in a few weeks, you will be up and running with your GDPR compliance.

FAQ about data protection officer in an association

These are the most frequently asked questions

  • State data protection officer: This is an independent supervisory authority elected by the state parliament and responsible for monitoring and enforcing data protection laws in a specific German federal state. It provides advice, carries out inspections and is the first point of contact for complaints from citizens. It is not linked to a specific association or company.
  • Data protection officer in the association: This is a person appointed by an association to ensure that the organization complies with data protection laws. This person is responsible for training employees, monitoring data processing and communicating with the supervisory authority.

The answer depends on the purpose of the data processing. Under the storage limitation principle in Article 5 (1) (e) of the GDPR, personal data may be kept only for as long as is necessary for the purposes for which it is processed. Irrespective of this, statutory retention periods must be observed.

Yes, you may, but not without restrictions. Under the German Act against Unfair Competition (UWG), advertising by e-mail or telephone generally requires the prior consent of the recipient. This consent should be obtained and documented, and the association's privacy policy should provide transparent information about the advertising.

Associations are obliged to provide comprehensive information to all persons whose data they process. This includes what data is collected, why it is collected and how long it is stored.

Where no other legal basis applies, the association must obtain the freely given, specific, informed and unambiguous consent of the data subjects before using personal data for the purpose in question.

In cases where data processing could pose a high risk to the rights and freedoms of data subjects, a data protection impact assessment is required. This assesses the risks and defines measures to mitigate them.

FAQ Data Protection for Tax Advisors

These are the most frequently asked questions

As a rule, the tax advisor is responsible for compliance with the GDPR. This also applies if the tax advisor processes the personal data on behalf of a third party, e.g. a company or a private individual. However, the tax advisor can be supported by an external data protection officer, such as the experts offered by heyData.

Tax consultants may only process personal data that is required to fulfill their professional duties. In particular, this includes data required to prepare tax returns, to audit annual financial statements and to advise clients.

Tax advisors must provide clients with comprehensive information about the processing of their personal data. To this end, they must provide clients with the following information in particular:

  • the purposes of the data processing
  • the categories of personal data that will be processed
  • the recipients of the personal data
  • the duration for which the personal data will be stored
  • the rights of the clients

Tax advisors must guarantee clients the rights provided for in the GDPR. In particular, this includes the right of access, rectification, erasure, restriction of processing, objection and data portability.

When transferring personal data to third countries, tax advisors must ensure an adequate level of protection for the data. This is the case where the European Commission has issued an adequacy decision for the country concerned; otherwise, appropriate safeguards such as the EU standard contractual clauses must be agreed with the recipient of the data.

In the event of a personal data breach, tax advisors must inform the competent supervisory authority. In some cases, they must also inform the data subjects.

Severe sanctions can be imposed for violations of the GDPR. For example, a fine of up to 20 million euros or 4% of the company's global annual turnover can be imposed.

FAQ about the heyAcademy

These are the most frequently asked questions

No, heyAcademy is not a standalone product, but an add-on to our all-in-one compliance solution. It is specifically designed to be integrated into the existing compliance learning environment and provide a seamless, centralized learning experience for both administrators and users. As an extension of our compliance solution, heyAcademy enables data protection training to be more efficient and targeted.

Yes, heyAcademy is available as an add-on, regardless of the existing package you have with heyData. Existing heyData admins can activate or deactivate heyAcademy for their employees directly in the platform, allowing for a flexible and seamless extension of your data protection management.

If you have any further questions or are interested in a demo of heyAcademy, don't hesitate to contact us. We will be happy to help you take your company's data protection expertise to the next level.

With heyAcademy, you can easily and intuitively create courses, select content, and assign them directly to specific individuals or teams. The platform offers a central administration interface that simplifies the organization of training courses.

Our pricing structure is flexible and based on the size of your team. We offer annual and monthly payment options to give you more flexibility. Prices start at €399 per year (monthly payment options with corresponding prices are also available).

Access is via the course management page in the heyData platform. As soon as heyAcademy is activated for your company, a "Create course" button will appear.

After completing a course, participants receive a unique certificate that you can create in heyAcademy, which confirms their acquired knowledge and can be shared on platforms such as LinkedIn.

FAQ on the deletion concept according to GDPR

These are the most frequently asked questions.

A deletion concept under the GDPR is a systematic plan that defines how personal data that is no longer required or whose retention period has expired is deleted securely and in compliance with data protection regulations. It ensures that data is only stored for as long as necessary and supports compliance with the data protection principles of the GDPR.

An erasure period is simply the period of time set for the final deletion of certain types of data or personal information. This period is determined by the start of data processing and the specified retention period. Legal obligations for certain types of data can also contribute to the definition of deletion periods.

In order to fulfill documentation and accountability obligations, it is crucial to regularly review and update the deletion concept. Regular reviews ensure that the deadlines for deleting personal data are not only met, but also remain up to date.

Processing personal data in a way that falls short of GDPR standards can have serious consequences. Initial non-compliance may result in a warning, but if the inadequate practices continue, it can lead to more serious consequences, including reprimands, temporary or permanent bans on data processing and financial penalties of up to €20 million or 4% of the company's annual global turnover.

An effective deletion concept includes identifying all personal data that your company processes, defining retention periods based on legal requirements and the purpose of the processing, and implementing secure deletion procedures. Regular training for employees and the establishment of procedures for reviewing and updating the concept are also important.

Yes. The GDPR's erasure and security obligations cover personal data in both digital and physical form. Digital data should be deleted in such a way that it cannot be recovered, and physical documents should be destroyed in such a way that the information is no longer readable.

Carefully review the request and verify the identity of the requester, identify all locations where the data in question is stored, including backups and copies held by processors, and check whether a legal ground for keeping the data, such as a statutory retention period, prevents erasure. If not, delete the data according to your deletion policy, inform any recipients to whom the data was disclosed, document the process and inform the requester that the deletion has been carried out. The GDPR requires a response within one month of receiving the request.
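The following is an added example, not heyData's code and not a description of its platform, showing how the deletion concept described above can be expressed as a small program: a retention table per data category, a deletion job that skips records under legal hold, an erasure-request handler that refuses while a statutory retention period still runs, and secure deletion implemented as crypto-shredding (each record is stored encrypted under its own key, and deleting the key makes every copy of the ciphertext, including the one in a backup, unreadable). The retention periods, categories and sample records are constructed for illustration and are not legal advice; the HMAC-based stream cipher is a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
import os

# Constructed policy table (illustrative values, not legal advice): how long a
# record is kept after the purpose of processing has ended, and whether that
# period stems from a statutory retention duty (which blocks earlier erasure).
RETENTION: dict[str, tuple[timedelta, bool]] = {
    "support_ticket": (timedelta(days=180), False),
    "invoice": (timedelta(days=10 * 365), True),
    "newsletter": (timedelta(days=0), False),
}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date | None = None   # None: still needed for the original purpose
    legal_hold: bool = False            # e.g. pending litigation or an audit


def deletion_due(rec: Record) -> date | None:
    """Date from which the record must be deleted, or None while the purpose runs."""
    if rec.purpose_ended is None:
        return None
    period, _ = RETENTION[rec.category]
    return rec.purpose_ended + period


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only pseudo-random keystream.
    # Use AES-GCM from a real crypto library in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class Vault:
    """Stores each record encrypted under its own key; secure deletion destroys the key."""

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}
        self._keys: dict[str, bytes] = {}
        self._blobs: dict[str, bytes] = {}   # nonce || ciphertext; copies may live in backups

    def store(self, rec: Record, plaintext: bytes) -> None:
        key, nonce = os.urandom(32), os.urandom(16)
        ks = _keystream(key, nonce, len(plaintext))
        self.records[rec.record_id] = rec
        self._keys[rec.record_id] = key
        self._blobs[rec.record_id] = nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self, record_id: str) -> bytes:
        key = self._keys[record_id]            # KeyError once shredded: data is unrecoverable
        blob = self._blobs[record_id]
        nonce, ct = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

    def shred(self, record_id: str) -> None:
        del self._keys[record_id]              # ciphertext (and any backup of it) is now useless
        self._blobs.pop(record_id, None)
        self.records.pop(record_id, None)

    def due_for_deletion(self, today: date) -> list[str]:
        """Records whose retention has expired and which are not under legal hold."""
        return sorted(
            rid for rid, rec in self.records.items()
            if not rec.legal_hold
            and (due := deletion_due(rec)) is not None and due <= today
        )

    def run_deletion_job(self, today: date) -> list[str]:
        deleted = self.due_for_deletion(today)
        for rid in deleted:
            self.shred(rid)
        return deleted

    def handle_erasure_request(self, record_id: str, today: date) -> str:
        """Art. 17 request: erase unless a legal ground for keeping the data remains."""
        rec = self.records.get(record_id)
        if rec is None:
            return "not found: nothing stored for this identifier"
        if rec.legal_hold:
            return "refused: record is under legal hold"
        if rec.purpose_ended is None:
            return "refused: still necessary for the original purpose"
        period, statutory = RETENTION[rec.category]
        if statutory and rec.purpose_ended + period > today:
            return f"refused: statutory retention until {rec.purpose_ended + period}"
        self.shred(record_id)
        return "erased"
```

Each decision the handler returns is a string that can go straight into the documentation of the request, which is what the accountability principle asks for; in a real system the deletion job would run on a schedule and its output would be logged.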

FAQ on the data protection seal

These are the most frequently asked questions.

A data protection seal is like a certificate that is awarded to companies that demonstrably comply with high data protection standards and are GDPR-compliant. It serves as a visible sign of your commitment to protecting the personal data of your customers and partners.

The duration of the process can vary and depends on the current status of your data protection measures and the size of your company. heyData strives to make the process as efficient and smooth as possible and will work with you to create a realistic timeline.

Yes, the seal is tied to ongoing compliance with GDPR standards. heyData provides ongoing monitoring and support to ensure that your company remains compliant after receiving the seal.

The privacy seal strengthens the trust of your customers as it shows that you take their personal data seriously. This can improve customer loyalty and encourage potential customers to choose your services or products.

No, heyData provides the tools to obtain the Privacy Seal and offers them to you for free when you purchase one of our Professional or Enterprise packages, in which we already offer a comprehensive package to make your business privacy compliant.

  • Always available: No more codes in emails or documents. Your seal code is now available directly on the heyData platform.
  • Reminder function: You forgot the seal? We'll remind you to add it so you don't miss anything.
  • Multilingual options: Choose between English and German. Need another language? Just let us know.
  • Support for multiple branches: Have more than one business unit? No problem, we have a separate sealing solution for each of them.

FAQ about Vendor Risk Management

These are the most frequently asked questions.

All vendors that process personal data on your behalf must sign a data processing agreement so that the exchange of personal data complies with the GDPR.

  • Data transfers of the services
  • Risks associated with data processing
  • Possible sub-processors
  • Data processing contracts, as well as data protection and security information

With our vendor risk management, you can ensure that your service providers and processors meet the requirements of the GDPR and guarantee an appropriate level of data protection at all times. We keep a regular eye on your service providers so that you don't have to worry about unforeseen changes.

Our Vendor Risk Management is seamlessly integrated with our platform and other features, so it cannot be purchased separately at this time.

Yes, but the use of the tool is limited in the Basic and Professional packages.

FAQ about Comply AI

These are the most frequently asked questions.

The EU AI Act is a new regulation governing the development, deployment, and use of Artificial Intelligence (AI) systems across the European Union. It aims to strike a balance between promoting the benefits of AI and mitigating potential risks to safety, fundamental rights, and fairness.

Non-compliance with the Act can result in significant fines (up to €35 million or 7% of your global turnover) and potential bans on specific AI systems. This could significantly disrupt your business operations and damage your reputation.

Yes, the EU AI Act can still impact your business if:

  • You sell your AI model in the EU.
  • You provide a B2B product where your customers use the system in the EU.

The EU AI Act organizes AI systems into four categories, depending on their impact on safety and fundamental rights:

  • Unacceptable Risk: Prohibited because of severe threats to fundamental rights, such as social scoring by public authorities.
  • High-Risk: Permitted only under strict obligations, such as biometric identification systems and tools used by law enforcement.
  • Limited Risk: Subject to transparency obligations, such as chatbots, which must disclose to users that they are interacting with an AI.
  • Minimal or No Risk: No additional obligations, such as spam filters and AI-enabled video games.

AI Comply helps with risk classification and navigating the requirements for each category.

While a low-risk assessment is a positive sign, demonstrating it through AI Comply can be valuable. It showcases your commitment to responsible AI development and helps build trust with regulators and customers.

Yes, the Act applies to deployers of AI systems as well. AI Comply can guide you on your obligations as a deployer.

Yes, the fines for non-compliance are severe, reaching up to €35 million or 7% of your global turnover. Here are some potential consequences of non-compliance:

  • Fines: Regulatory bodies can impose significant financial penalties.
  • Market Bans: Your AI model may be banned from the EU market.
  • Reputational Damage: Non-compliance can erode customer trust.
  • Lost Business Opportunities: Non-compliant businesses may miss out on EU opportunities.

AI Comply streamlines your business's journey to EU AI Act compliance, catering to various roles such as Providers, Importers, Distributors, and Deployers:

  • Providers (Developers): Classifies risk, assists with assessments, documentation, and registration.
  • Importers: Ensures systems comply before entering the EU market.
  • Distributors: Explains distributor obligations for compliant distribution.
  • Deployers: Guides on deployer obligations and compliant AI system usage.

AI Comply simplifies AI compliance by offering customized roadmaps tailored to your system's risk category, automated documentation for generating specific compliance reports, expert training for responsible AI practice implementation, and ongoing non-legal support from AI compliance experts for continuous assistance.

*Please note that not all features may be available as we are still developing this solution.

Absolutely! AI Comply offers a tailored solution for businesses of all sizes. For startups and small and medium-sized businesses (SMBs) that often face constraints in compliance resources, AI Comply provides an accessible and budget-friendly approach, simplifying the compliance journey. Larger organizations also benefit from AI Comply's services, as it streamlines the compliance process, ensuring all AI models adhere to the required standards efficiently.

  • Customers: Customers are increasingly concerned about the ethical use of AI. The AI Trust seal demonstrates your commitment to responsible AI development and use, potentially leading to a competitive advantage in attracting customers.
  • Partners and Investors: Partners and investors are also looking for companies that prioritize responsible AI practices. The AI Trust seal can help you stand out and secure valuable partnerships and investments.
  • Regulatory Bodies: The AI Trust seal may provide a positive signal to regulatory bodies, potentially streamlining future interactions.

FAQ about HR Integration

These are the most frequently asked questions.

heyData supports integration with a wide range of HR systems, enhancing compatibility and ensuring seamless data management. Key platforms include:

  • Mainstream HR Solutions: ADP iHCM, RUN Powered by ADP, ADP Workforce Now
  • Specialized HR Tools: AlexisHR, CharlieHR, Deel
  • Enterprise Systems: Microsoft Dynamics 365, SAP SuccessFactors, Workday
  • Emerging Platforms: Lucca, Paylocity, Rippling

For a full list and more details, visit our integration coverage page.

Connecting your HR systems directly to heyData automates the process of adding or removing employees, eliminating the need for manual data entry. Not only does this save time, but it also reduces the possibility of errors, enhancing overall efficiency.

In addition to current capabilities, future enhancements will include training and document management functionalities. These features are designed to further streamline HR processes and improve organizational capabilities.

The HR integration feature is available to all Professional and Enterprise customers.

Yes, our integrations are designed with security and compliance as top priorities. heyData ensures that all HR data handling through our platform is secure and fully compliant with GDPR regulations, helping safeguard your data and meet legal standards.

The synchronization process with heyData is automatic. Once your HR system is connected, changes such as employee additions or removals are reflected on our platform in real time, ensuring your data is always current without any manual intervention.

Absolutely! You can book a demo to see how our HR integration works and explore its features firsthand. This will help you understand the benefits and usability of our platform in managing employee data efficiently.

heyData provides full support for setting up and using the HR integration feature. Our team is available to assist with integration setup, troubleshooting, and any questions you may have about using the feature effectively.

FAQ about Data Protection in the Healthcare Sector

These are the most frequently asked questions.

Health data includes any information that relates to a person's physical or mental health. Here is a list of health data that is frequently collected and analyzed:

Medical history

  • Previous diagnoses
  • Previous treatments and surgeries
  • Allergies
  • Family history (hereditary diseases)

Current health data

  • Current diagnoses
  • Medications
  • Symptoms
  • Vital signs (e.g. blood pressure, heart rate)

Laboratory and test results

  • Blood tests
  • Urine tests
  • Imaging procedures (e.g. X-ray, MRI)
  • Genetic tests

Treatment information

  • Type of treatment
  • Course of treatment
  • Therapeutic measures
  • Rehabilitation data

Lifestyle and behavioral data

  • Diet and nutrition
  • Physical activity
  • Smoking
  • Alcohol consumption
  • Mental health data

Psychological diagnoses

  • Course of therapy
  • Psychotropic drugs

Emergency contacts

  • Information about existing illnesses that are important in an emergency (e.g. diabetes, asthma)
  • Advance directive (Patientenverfügung)

Insurance data

  • Health insurance information
  • Billing data
  • Data on benefit claims

Only data that is necessary for treatment and billing may be stored. Other data may only be collected with the express consent of the patient.

By implementing a comprehensive data protection concept, regular training, and working with experienced Data Protection Officers such as heyData.

FAQ about Data Protection in Kindergarten

These are the most frequently asked questions.

A lot of personal data is collected from children in kindergarten, such as names, dates of birth, or health information. This data is particularly worthy of protection, as children are considered particularly vulnerable individuals. The GDPR ensures that this data is handled securely and responsibly.

Kindergartens may only collect data that is necessary for the care and education of the children. This includes contact information of parents, health information for emergencies or information about allergies. All data must be collected on a valid legal basis, typically the care contract or parental consent, and may only be used for the specified purposes.

Yes, parents must be fully informed about what data is collected, for what purpose and how long it will be stored. This information must be provided in a clear and understandable form, often in a data protection form that parents sign.

Data may only be stored for as long as it is necessary for the purpose for which it was collected. This means that data that is necessary for the care of a child during their time at the kindergarten should generally be deleted when the child leaves the kindergarten.

Breaches of data protection rules can have serious consequences, including fines imposed by the data protection authorities. It is important that kindergartens regularly review their data protection practices and ensure that they comply with the requirements of the GDPR.

Kindergartens must comply with the following main requirements of the GDPR:

  • Record of Processing Activities (ROPA): Record all data processing operations, including type of data collected, purpose of processing, storage location, and retention periods.
  • Privacy notices: Parents must be informed clearly and comprehensibly about the processing of their children's data.
  • Consent: Explicit parental consent must be obtained for certain data processing, such as photos or videos.
  • Data Protection Impact Assessments (DPIA): If there are high risks to the rights and freedoms of children, a DPIA must be carried out.
  • Technical and Organizational Measures (TOM): Security measures such as encrypted storage and access controls are necessary.

heyData provides support with customized compliance solutions, the provision of documentation, and advice on obtaining and managing consent.

FAQ about NIS2 Compliance

These are the most frequently asked questions.

The NIS2 Directive is the EU's updated legislation aimed at improving cybersecurity in member states. It replaces the original NIS Directive of 2016 with effect from October 18, 2024 and introduces stricter security measures, broader industry coverage and stricter compliance requirements to address increasing cyber threats.

The most important requirements are:

  • Risk management and business continuity measures (Art. 21), including technical measures such as cryptography and encryption, multi-factor authentication, access control and supply chain security
  • Reporting obligations for significant incidents (Art. 23)
  • Duty to inform recipients of services that may be affected by a significant cyber threat (Art. 23)
  • Obligation to register with the national authority (Art. 3 para. 4, Art. 27)
  • Approval and oversight of the measures by management, together with a training obligation for managers (Art. 20)

The NIS2 directive emphasizes the importance of securing interconnected networks and requires companies to assess and mitigate cybersecurity risks within their processes and supply chains. This includes assessing the security practices of suppliers and service providers.

Large and medium-sized companies from the following sectors are affected:

Sectors with high criticality:

  • Energy
  • Transportation
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking Water
  • Waste Water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Other critical areas:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Processing/manufacturing industry
  • Digital service providers
  • Research

Companies must report significant cybersecurity incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, interim status updates on request, and a final report no later than one month after the incident notification. The early warning only needs to state whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact; the later reports add an assessment of severity and impact, indicators of compromise, the root cause and the mitigation measures taken.

It may be advisable to have an expert like heyData by your side to respond quickly and competently if the worst comes to the worst.

The NIS2 Directive was adopted on January 16, 2023, and member states have until October 17, 2024, to transpose the measures into national law. Organizations are expected to comply with the requirements from this date.

To prepare for compliance with NIS2, organizations should:

  1. Determine whether they fall within the scope of the directive.
  2. Conduct a comprehensive risk analysis.
  3. Implement mandatory cybersecurity measures.
  4. Develop an incident response plan.
  5. Ensure that top management is involved and takes responsibility.
  6. Strengthen security practices in the supply chain.

The high requirements for IT and network security are intended to ensure unrestricted availability and a high level of protection for important services. Companies and residents in the EU should be able to rely on the IT infrastructure having a high level of confidentiality and integrity. The standardization of requirements will make it easy for companies to meet them and coordinate their cooperation. This will promote innovation, stability and competitiveness in the EU and prevent economic damage. 

FAQ about the NIS 2 directive

These are the most frequently asked questions.

The NIS-2 directive is an EU cybersecurity directive that entered into force on January 16, 2023. It succeeds the original NIS directive of 2016; NIS stands for Network and Information Security. Like its predecessor, the NIS 2 Directive aims to oblige large and medium-sized entities in many sectors across the EU member states to protect themselves from cyber-attacks and to establish a uniform level of protection across Europe.

The NIS 2 Directive introduces new requirements and obligations for organizations in four overarching areas: risk management, corporate responsibility, reporting requirements, and business continuity. This is to strengthen Europe's resilience against current and future cyber threats.

Large and medium-sized companies in the following sectors are affected:

High-criticality sectors:

  - Energy
  - Transport
  - Banking
  - Financial market infrastructures
  - Healthcare
  - Drinking water
  - Waste water
  - Digital infrastructure
  - ICT service management (B2B)
  - Public administration
  - Space

Other critical areas:

  - Postal and courier services
  - Waste management
  - Chemicals
  - Food
  - Manufacturing
  - Digital service providers
  - Research

Companies must report significant cybersecurity incidents to the relevant authorities within 24 hours of their discovery. This starts with an initial notification, followed by detailed updates as more information becomes available. To ensure comprehensive documentation and response, the directive also requires interim and final incident reports.

It may be advisable to have an expert like heyData at your side to be able to react quickly and competently in the event of an incident.

How can my organization prepare for compliance with the NIS-2 directive?

To prepare for compliance with the NIS-2 directive and its national implementation, organizations should:

  1. Determine whether they fall within the scope of the directive.
  2. Conduct a comprehensive risk analysis.
  3. Implement mandatory cybersecurity measures.
  4. Develop an incident response plan.
  5. Ensure that senior management is involved and takes responsibility.
  6. Strengthen security practices in the supply chain.

The high requirements for network and IT security should ensure unrestricted availability and a high level of protection for important services. Residents and companies in the EU should be able to rely on the IT infrastructure offering a high level of confidentiality and integrity. Standardizing the requirements makes it easier for companies to comply with them and to cooperate with one another. In this way, it promotes innovation, stability and competitiveness in the EU and prevents economic damage.

NIS 2, the second version of the Directive on Security of Network and Information Systems, came into force throughout the EU at the beginning of 2023. The directive must be transposed into national law by the EU member states by October 17, 2024. The German Federal Ministry of the Interior has already presented a draft bill for the NIS 2 Implementation Act (NIS2UmsuCG).

Data protection ready in 2 weeks

Our user-friendly software-supported data protection audit can be completed efficiently. Typically, it can be done in just two hours on average.