Frequently Asked Questions

heyData's customers receive a powerful combination of effective data protection software and personalized expert guidance. Our digital platform makes it simple and reliable to take control of your data protection, while our team of data protection lawyers are some of the most knowledgeable in their field.

Data protection is not a question of company size. The data protection regulations - and unfortunately also the fines - affect the self-employed as well as corporations. Investing in data protection measures early on can ensure that they scale with your company and avoid the need for any disruptive changes down the line.

You can get an approximate cost estimate by visiting our price overview.

You can find an overview of our packages and how they differ here. 

The heyData platform helps you gain control over key data protection processes that are critical for your business - from auditing, to retrieving important documents, to training employees.

Onboarding: Introduction of all relevant employees to heyData platform.

Digital 360° Audit: Screening your departments for data protection compliance.

Documentation: The heyData platform provides automated creation of all privacy-related documents, as well as expert guidance on how to enhance your privacy level.

Continuous Support: Proactive monitoring of all data protection topics via our platform with a personal contact person.

We work predominately in English and German, but other languages are available on request. 

17 German supervisory authorities monitor compliance with data protection regulations. Your data protection officer is obligated to ensure compliance with these data protection regulations in accordance with Art. 39 (1) DSGVO.

If you do not comply, your company can expect fines of up to 20 million euros or 4% of annual sales. In addition, such infringement will result in a loss of confidence and trust in your company, which is priceless.

Even if you do not need a data protection officer, your company must still comply with all data protection requirements. However, you definitely need a data protection officer if one or more of the following criteria apply to your company:
 

• You employ more than 20 people
• You extensively process special categories of personal data (such as data concerning a person's ethnic origin, political opinion, religious beliefs, or health)
• You use video surveillance or employ new techniques, e.g. algorithms or artificial intelligence
• In almost all companies that have a connection with personnel: where personal data is transmitted, collected, processed or used on a businesslike basis as a core activity for the company

In general, it is not only a question of the number of employees. Even if you are not obliged to appoint a data protection officer, your company must still comply with all data protection requirements. A data protection officer is required in any case if one or more of the following criteria apply to your company:

• You have more than 20 employees
• You process special categories of personal data on a large scale (e.g. data about a person's ethnic origin, political opinions, religious beliefs or health).
• You use video surveillance or employ new technologies, e.g. algorithms or artificial intelligence.
• In almost all businesses that have a connection to personnel: personal data are transmitted, collected, processed or used on a business basis and this constitutes a core activity of the business‍.

The data protection officer has the following tasks:

• Advising and training data controllers, processors and employees on compliance with data protection regulations.
• Monitoring compliance with data protection regulations and strategies for the protection of personal data, as well as conducting data protection impact assessments.
• Data protection audit of your company.
• Cooperation and contact with the data protection authority.
• Advising management and specialist departments.
• Preparation of mandatory documents.

A part-time internal data protection officer invests 20% of his or her working time in data protection tasks. This can cost the company between 5,000 and 15,000 euros per year, depending on the effort involved.

If one hires a full-time internal data protection officer, the costs are the same as for the part-time data protection officer, but without a pro-rata salary calculation. The costs for full-time data protection officers can range from 45,000 to 65,000 euros per year, depending on the company and the tasks. The average investment is 55,000 euros.

The costs for external data protection officers vary greatly and depend on many factors. Lawyers and law firms can charge hourly rates of 250 EUR and more, while external data protection officers with a certificate of professional competence often earn somewhat less.

It is important to mention that an external data protection officer pays for many cost items, e.g. further training, working materials, and is basically liable for mistakes in the advice.

Our data protection solution offers your company, among other things:

• Support as an external data protection officer
• Support in the creation & review of data protection declarations, order processing agreements (AVV), the director of processing activities (VVT), technical organisational measures (TOM) and the most important data protection documents
• A comprehensive digital audit to identify data protection risks
• Online staff training
• An expert team of lawyers and legal experts to help you comply with data protection regulations

Based on your needs, we will create a customised offer and communicate it to you in a transparent way (no hidden extra fees). For more information see our pricing page.

If you are looking for an external data protection officer (DPO), there are a few things you should look out for.  Here are the most important points to tick off your checklist:

• Legal knowledge: Does the external DPO have solid experience in data protection? Is he/she an expert on the GDPR and/or other local regulations?
• Industry knowledge: Does the external DPO have experience in your specific industry? This can be particularly helpful if your industry has specific data protection requirements.
• A person or team of experts: Is the DPO part of a team of experts? If so, this means not only additional expertise but also increased availability.
• Soft skills: In the best case, the DPO should also have interdisciplinary skills such as good communication and teamwork. This makes cooperation much easier.
• Training and certification for your employees: Can the external DPO train your employees sufficiently? And can he issue them with a certification on completion of the courses?
• Price and transparency: Are the costs clear and transparent? Are there different package options that fit your budget?
• Digitalisation and simplification: Does the external DPO use modern, digital tools such as software and integrations? This can speed up processes and increase efficiency.
• Updates and flexibility: Can the external DPO adapt to changing requirements? In the area of data protection, it is often crucial to stay up to date, as laws and regulations can change.

There are various contacts for questions about data protection.

• For private companies or organisations, the company data protection officer (DPO), as well as an external data protection officer, or in the case of smaller companies, an internal person who is familiar with data protection, can help in the first instance. 
• For public bodies, such as public authorities or schools, there is usually a data protection officer who acts as a contact person for questions on data protection.
• Other contact points for questions on data protection can also be consumer centres or data protection officers of the respective federal states. The Federal Office for Information Security (BSI) also offers advice on data protection issues.

We offer the use of a team of state-certified lawyers and attorneys who specialise in companies of different sizes and industries.

A data protection advisor, also called a data protection officer (DPO), is a person who assists companies and organisations in implementing data protection regulations. His or her role is to check compliance with data protection laws and regulations and to protect the personal data of customers, employees and others.

Specifically, a data protection advisor may undertake the following tasks:

• Advice: the data protection advisor advises companies and organisations on data protection requirements and makes recommendations for implementation.
• Training: The data protection advisor trains employees and managers in the handling of personal data.
• Monitoring: The data protection advisor monitors compliance with data protection regulations and checks the technical and organisational measures for securing personal data.
• Documentation: The data protection advisor often prepares and reviews documents relevant to data protection, but in some cases data protection coordinators also take on this activity.
  The data protection advisor is therefore an important interface between companies and data protection authorities and helps to ensure that personal data is processed securely and in compliance with the law.

We take care of all this and also offer software that simplifies the life of both the employee and the employer.

Violations of the General Data Protection Regulation (GDPR) can be punished by competent data protection authorities with significant fines. The amount of the fines depends on the severity of the violation and the economic damage caused.

In detail, the following sanctions can be imposed for violations of the GDPR:

• Warning: In the case of a first infringement or a minor infringement, the data protection authority may initially issue a warning.
• Fines: Fines may be imposed for serious violations of the GDPR. The amount of the fines depends on various factors, such as the turnover of the company or the type and severity of the violation. The maximum level of fines is up to 4% of the group's annual global turnover or €20 million (whichever is higher).
• Cease and desist or removal order: The data protection authority may issue an order requiring the company to remove the breach or to cease and desist in the future.
• Public notice: In the case of particularly serious violations, the data protection authority may make the violations public.
• Prohibition of data processing: In the case of particularly serious violations of the GDPR, the data protection authority may prohibit the company's data processing.

In addition, persons whose rights have been violated by breaches of the GDPR may also assert claims for damages against the company. It is also possible that competitors or consumer protection agencies send warning letters to a violating company, for which the company must pay.

It is therefore important that companies and organisations comply with the requirements of the GDPR and check their processes and systems for data protection compliance.

Data protection breaches can be reported to different places depending on where the breach occurred and what type of breach it is. Here are some possible places to go:

• With the organisation concerned: if you suspect that a company or organisation has breached data protection rules, you should first try to contact the organisation concerned directly to resolve the issue.
• With the competent data protection authority: In Germany, this is the data protection authority of the federal state in which the company or organisation that has violated data protection regulations is located. You can find the contact details of the respective authorities here.
• With the police: If it is a serious breach of data protection that can also have criminal consequences, you should inform the police.
• Consumer advice centres: Consumer centres can also help with data protection violations and provide legal assistance if necessary.

It is important to emphasise that there are different contact points in each federal state, so it makes sense to find out about the responsibilities in advance.

No, there is no official obligation stated in the General Data Protection Regulation (GDPR). However, there is an indirect obligation, because a company must ensure that personal data is processed in accordance with the requirements of the GDPR and should of course also train its employees in this sense.

Such training aims to make employees aware of the careful handling of personal data and to provide them with the necessary knowledge and skills to avoid data protection breaches. Data protection training should therefore take place regularly, especially for new employees and when data protection regulations change.

The exact requirements for data protection training can vary depending on the country and industry. However, in the European Union there are some requirements that apply to all companies that process personal data.

According to Article 39 of the General Data Protection Regulation (GDPR), one of the responsibilities of a data protection officer for companies is to ensure that employees receive regular training to ensure that they are able to fulfil their data protection obligations. Training should be adapted according to the specific tasks and needs of the employees.

Employees who process personal data should receive regular training. In addition, it may be necessary to provide even more frequent training in the event of changes to data protection regulations or the introduction of new technologies or procedures that have an impact on the processing of personal data.

The costs for data protection training can vary depending on the scope and content of the training.

For customers who opt for the Professional or Enterprise package, data protection training is of course already included in the price; in the Basic package, on the other hand, training can be booked individually at any time. The exact prices may vary, however, depending on individual needs.

It is important to note, however, that the price for data protection training is only part of the overall service offered by heyData. For companies that work with us, we also take on the role of external data protection officer and deliver support in the implementation of technical and organisational measures, a comprehensive digital audit and many other benefits.

Technical and organisational measures (TOMs) are an important part of data protection to ensure the security of personal data and to prevent data breaches.

Technical measures refer to technical procedures and tools used to protect personal data. These include, for example, the use of firewalls, encryption, access controls and data backup. Technical measures are designed to ensure that personal data is protected from unauthorised access, manipulation, loss or destruction.

Organisational measures, on the other hand, include procedures and processes designed to ensure that personal data are processed in accordance with data protection laws. These include, for example, policies and procedures for handling personal data, training employees and monitoring compliance with data protection regulations. Organisational measures are designed to ensure that personal data is processed in accordance with applicable laws and regulations and that compliance with data protection policies is ensured by all parties involved.

If you want to introduce technical and organisational measures in your company, there are some steps you should follow:

• Create a list of internal contacts: If you do not know all the technical processes in the company yourself, you should create a list of contacts who can help you with this.
• Summarise TOMs in a list: You can create your own list of appropriate measures to use, or you can rely on experts like those on our team to help you properly create this documentation.
• Reviewing the list: The list should be reviewed regularly to see which TOMs have already been implemented and whether they are appropriate. You should also analyse which measures are missing and which need to be added.
• Involve other contacts, internal or external: If you need help or are unsure, involve other controllers and discuss the adequacy of measures.
• Present the measures to the controller: If you are not taking responsibility under the GDPR yourself, you should present and discuss the measures developed with the controller.
• Regular review of the measures: It should be reviewed at least once a year whether the measures are still appropriate. Then they may need to be updated.

The creation of TOM can usually be carried out by internal teams, such as IT departments or data protection officers. Alternatively, data controllers and processors can also bring in external data protection officers such as heyData to assist in the creation and implementation of appropriate TOM.

On 12 May 2023, the Federal Council passed the Whistleblower Protection Act, which is the national implementation of the EU Whistleblower Directive. It is expected to come into force in mid-June 2023. This law was passed to better protect whistleblowers and provide them with a safe way to report wrongdoing at their employers.

First, companies with 250 or more employees must set up internal whistleblowing systems. These systems are designed to enable employees to report wrongdoing safely and confidentially. Companies with 50-249 employees have a transition period until 17 December 2023.

An anonymous whistleblower protection system offers whistleblowers the opportunity to report grievances safely and confidentially without fear that their identity will be revealed. This can help ensure that more employees are willing to report wrongdoing because they feel safe and do not have to fear negative consequences. Such a system can help companies respond to and remedy grievances more quickly, which can ultimately help build trust in the company among employees and the public.

Yes, our whistleblowing solution mattersOut can also be booked as a stand-alone product. Just get in touch with us.

Companies in the public sector as well as cities and municipalities with more than 10,000 inhabitants are covered by the law and must offer whistleblowing systems from mid-June 2023. These systems are designed to enable citizens to report wrongdoing securely and confidentially.

The procedure for submitting the notification must be possible orally or in writing and, if desired, also in person.

The internal reporting office must acknowledge receipt of the report to whistleblowers within seven days.

Within three months, MROS must inform the whistleblower what action has been taken as a result. E.g. the initiation of internal investigations or the forwarding of the report to the competent authority.

In the whistleblower system, reports are usually received by case managers, persons of trust, or ombudspersons.

Potential case managers should consider people who do not have conflicts with other activities. This means that, for example, positions of responsibility in data protection matters (DPO), anti-money laundering, or other similar areas are perfect for this role.

Ideally, the case manager should have expertise in the area of the Whistleblower Protection Act or be willing to undergo further training in this area. Individuals with experience in handling sensitive information and ensuring confidentiality may be particularly suitable.

To fill the position of case manager, it is a good idea to consider someone from the human resources department or the legal department, provided they are not in a senior position. People in these departments often have an understanding of compliance issues and legal aspects relevant to dealing with whistleblower reports.

Yes, it is important to train the case manager regularly. We recommend training at least once a year to ensure that the case manager has the necessary expertise and is familiar with the latest developments in the area of the Whistleblower Protection Act. Regular training keeps case managers up to date and enables them to deal effectively and competently with incoming reports.

Training employees on whistleblowing is a recommended measure to make the use of whistleblower software known and attractive. However, there is no legal obligation for employees to use the software, as they are legally allowed to go directly to government whistleblowers. However, companies usually prefer that internal grievances are dealt with internally.

Upon request, we provide training for employees to inform them about the whistleblowing process, the benefits of reporting whistleblowing internally and how to use the whistleblower software safely. Such training typically covers the importance of whistleblowing to corporate integrity, the confidentiality of reports, protection against reprisals, and the possible consequences of misuse or false reporting.

The training is designed to encourage employees to report potential wrongdoing or illegal behavior internally rather than going to external agencies. The training provides employees with the necessary knowledge and awareness to identify potential risks and grievances at an early stage and to act appropriately.

It is not recommended to simply copy a privacy policy from another website. Each website has its own requirements and practices for handling personal data. A generic privacy policy may not meet your specific needs and may have legal consequences. It is advisable to create a customised privacy policy for your website.

It is important to regularly review and update your privacy policy to ensure that it complies with current legal requirements and reflects your business practices. Changes in the way you collect or use personal data should be communicated transparently in your privacy policy.

If you want to use Google Analytics to collect data about your website visitors, there are some privacy issues you should be aware of. Here are some important points:

• Update your privacy policy: Make sure you are clear and transparent about the types of data you collect with Google Analytics, how you use it, and how visitors can exercise their privacy rights.
• Anonymise the IP address: Google Analytics collects the IP addresses of visitors by default. To ensure the anonymity of users, you must activate the IP anonymisation function in Google Analytics. This function removes part of the IP address before processing.
• Order processing contract: If you use Google Analytics, you as the website operator are responsible for the processing of the data. Make sure you have a data processing agreement with Google to ensure that your data is processed in accordance with applicable data protection laws.
• Limit data transfers: Avoid submitting personal data to Google Analytics. Ensure that no sensitive data is collected or sent to Google Analytics.
• Limit data storage: Check the settings of your Google Analytics account and make sure that you only store data for as long as it is necessary for your analysis purposes.

A data protection audit is necessary to ensure that organisations process personal data in a lawful and secure manner. The GDPR imposes significant obligations to protect personal data. By conducting a data protection audit, you can ensure compliance, identify risks, and implement necessary improvements.

A data protection audit can be conducted internally by an organisation's data protection officer or data protection team. Alternatively, the organisation can engage external auditors or data protection officers who specialise in data protection and GDPR compliance. The choice depends on the organisation's resources, expertise, and specific requirements.

A data protection audit usually includes the following essential components:

• Review of data protection policies and procedures.
• Assessment of the data processing activities and the legal basis for the processing.
• Review of data protection and security measures.
• Evaluation of procedures to safeguard data subjects' rights and to comply with the GDPR.
• Analysis of data breach management and notification process.
• Evaluation of contract processing agreements with service providers and third parties.
• Identification of gaps or non-compliances.

The frequency of data protection audits depends on various factors, such as the size of the organisation, the type of data processing activities, and the risk associated with data processing. Although the GDPR does not prescribe a specific frequency, it is recommended to conduct regular audits, at least annually as is the case with heyData, or when there are significant changes in data processing operations.

After our data protection audit, the organisation receives a detailed report on the findings, recommendations and identified non-conformities. Based on this report, the organisation can develop an action plan to address the issues identified during the audit. The necessary changes and improvements should then be implemented to strengthen data protection and ensure compliance with the GDPR.

Yes, failure to comply with the General Data Protection Regulation can result in significant fines. Depending on the type and severity of the breach, organisations can be fined up to €20 million or 4% of their annual global turnover - whichever is higher. It is critical for organisations to prioritise data protection and conduct regular audits to minimise the risk of data breaches.

Conducting regular data protection audits demonstrates an organisation's commitment to protecting personal data and complying with data protection regulations. This increases the trust of partners and customers by guaranteeing that their data is handled responsibly and securely. By conducting audits and demonstrating GDPR compliance, organisations can improve their reputation and build stronger relationships with their stakeholders.

Although the GDPR does not provide a specific framework for audits, there are guidelines and best practices to help organisations conduct data protection audits. For example, the International Organisation for Standardisation (ISO) has developed the ISO/IEC 27701 standard, which provides guidelines for auditing data protection management systems. In addition, national data protection authorities and data protection organisations may offer specific guidance adapted to local requirements.

Yes, organisations can bring in external experts such as data protection officers or auditors who specialise in GDPR policies and data protection issues. These experts can provide valuable insight and expertise and ensure a thorough and independent assessment of an organisation's data protection practices.

The frequency of carrying out a data protection impact assessment depends on several factors, including the type of data processing, the occurrence of changes or new risks, and the privacy relevance of the processing. In general, it is advisable to review and update the DPIA on a regular basis.

Article 35(2) of the GDPR states that the "controller" shall conduct the DPIA. As a rule, the data controller is responsible for carrying out the data protection impact assessment and for involving the advice of the data protection officer, internal or external.

Failure to conduct a required data protection impact assessment can result in significant penalties under the GDPR, including fines of up to €10 million or 2% of the global annual turnover of the previous fiscal year, whichever is greater.

The DPIA usually consists of three main parts:

• A systematic description of the planned data processing operations and the purposes of the processing.
• An assessment of the necessity and proportionality of the processing operations in relation to the purpose.
• An assessment of the risks to the rights and freedoms of data subjects and the mitigation measures, safeguards and mechanisms envisaged to mitigate those risks.

The data protection officer plays an essential role in the performance of the DPIA. He or she advises the controller or processor on how to conduct the DPIA, reviews the results, and ensures that the DPIA is conducted in compliance with the GDPR.

Not all companies are obliged to conduct a DPIA. The obligation to conduct a DPIA arises from Article 35 of the GDPR and only concerns processing operations that involve a high risk to the rights and freedoms of natural persons, in particular when using new technologies.

Although it is possible to perform a DPIA yourself, it is often advisable to consult a data protection law expert or a data protection officer due to the complexity of the requirements of the GDPR.

The GDPR provides a set of guidelines for conducting a DPIA. It is important that you familiarize yourself with these guidelines and incorporate them into your DPIA. In addition, consulting with an external data protection expert or data protection officer can help ensure compliance.

The General Data Protection Regulation (GDPR) is an EU legal framework that regulates the protection of personal data in companies and organizations. It entered into force on May 25, 2018 and contains rules for the processing, storage and transfer of personal data of EU residents.

The GDPR applies to all companies that process personal data of EU citizens, regardless of whether the company is based inside or outside the EU. It affects small and medium-sized enterprises as well as large corporations.

The GDPR grants individuals a number of rights, including the right to access their stored data, the right to rectify incorrect data, the right to have their data deleted ("right to be forgotten"), the right to data portability and the right to object to the processing of their data.

Companies must take various measures to comply with the GDPR. These include appointing a data protection officer (if required), conducting data protection impact assessments, implementing appropriate technical and organizational measures to protect personal data, obtaining data subjects' consent for data processing, and reporting data breaches.

Violations of the GDPR can result in fines of up to €20 million or 4% of the company's annual global turnover, whichever is greater. The actual amount of the fine depends on the nature, severity, and duration of the breach.

A data processor is a person or organization that processes personal data on behalf of a data controller. The processor acts according to the instructions of the controller and is subject to certain legal obligations under the GDPR.

The length of time for which personal data may be stored depends on the purpose of the data processing. Companies must store personal data for as long as is necessary to fulfill the purpose of the processing. In some cases, specific retention periods may be imposed by other laws or regulations.

A data breach refers to a security incident in which personal data is inadvertently or unlawfully accessed, disclosed, altered, or destroyed. When a data breach occurs and high risks to data subjects are expected, there is an obligation to assess and report it to the relevant supervisory authority and, in some cases, to the data subjects.

Internally, it is an important task of an internal or external data protection officer pursuant to Art. 39 (1) GDPR to point out compliance with data protection provisions. 17 Supervisory authorities monitor compliance with data protection regulations on the government side.

Customers of heyData get the very best of combining helpful data protection software and highly personalized expert support. With the heyData platform, you get your data protection under control. At the same time, our specialist lawyers are true experts in their field and also know the ins and outs of your business.

Creating a record of processing activities as early as possible is recommended, ideally when you start your business. This way, you can ensure compliance with the GDPR from the start and significantly reduce the risk of data breaches.

A register of processing activities offers a number of key benefits. It helps minimise data breaches, which prevents potential financial penalties and reputational damage. It also fosters trust with your customers and partners, which promotes long-term relationships and a positive corporate reputation. It also provides clear internal documentation, which is beneficial for data protection audits and cooperation with data protection authorities.

The complexity depends on the size and scope of the company. For small and medium-sized companies it can be manageable, while larger companies have to put in more effort. For these reasons, our clients very often turn to us when they need fast and effective support so that they do not have to spend weeks creating these documents.

Yes, the register of processing activities should be updated regularly. As business processes can change and new data protection requirements emerge, it is important to keep the record up to date. Regular review and updating ensures that data protection risks continue to be appropriately assessed and managed.

According to Article 4 - number 12 - of the General Data Protection Regulation, a data breach is a breach of security that accidentally or unlawfully results in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.

Identifying a data breach can be complex. Signs may include unusual system activity, reports of stolen or lost devices, or unexplained data loss. According to Article 33 paragraph 1 of the GDPR, regular monitoring is required to identify such incidents.

According to Article 33 paragraph 1 of the General Data Protection Regulation, if you discover a data breach, you must notify the competent data protection authority without undue delay and, where possible, within 72 hours of becoming aware of the breach. This should include mitigation measures such as changing passwords or blocking access.

Failure to report a data breach can result in significant fines under Article 83 of the GDPR. These can be up to €20 million or up to 4% of annual global turnover, whichever is higher.

As an affected person, you have first and foremost the right to be informed of the data breach in accordance with Article 34 of the GDPR, as well as the right to lodge a complaint with the competent data protection authority in accordance with Article 77 of the GDPR. Finally, you may also be entitled to financial compensation.

The controller is the person or organisation that determines the purposes and means of data processing. The processor is the person or organisation that processes personal data on behalf of the controller.

A DPA is required whenever a controller transfers personal data to a processor. This applies to services such as cloud storage, IT support, payment processing, and other processing activities for personal data.

Yes, according to Article 28 paragraph 9 of the General Data Protection Regulation, DPAs may be concluded in writing or in electronic form.

The absence of a lawful DPA between controller and processor may constitute a breach of the GDPR and lead to legal consequences, including fines.

The GCU should be stored for as long as the data processing between the controller and processor continues and beyond that for a reasonable period of time to demonstrate compliance with the GDPR.

Yes, but this requires the explicit authorisation of the controller and clear rules on the responsibilities and data protection obligations of the sub-processor.