Achieve perfect data protection compliance in 5 steps

5 Schritte zur Datenschutzkonformität

Data Protection for Start-ups: The Key to Compliance and Growth

In order to be data protection compliant right from the start, it is worthwhile to acquire a basic knowledge of the General Data Protection Regulation (GDPR), as this must be observed from the very beginning.

1. Acquire foundational knowledge for data protection compliance

To ensure that you are data protection compliant right from the start, it is certainly worthwhile to establish a basic knowledge of the General Data Protection Regulation (GDPR) and observe it from the very beginning. This way, you can avoid having to spend both time and effort on adaptation processes later and potentially incurring high fines. 

We hope to fill this gap in basic knowledge with specialist articles available on our website. The main purpose is to get a general overview and to understand the principles of the GDPR. 

To establish a strong basis for effective data protection, it is beneficial to comprehend the business processes from the outset during planning and development phases. Documenting the collection, storage, usage, and deletion of personal data across different areas or departments within the process proves invaluable. This makes it easier to create documents such as the processing directory later on, as the data processing methods are already accounted for.

It is also important to note that high technical security standards in IT alone are not sufficient for data protection compliance.

2. Appointment of a data protection officer 

Many also wonder, especially when the company demonstrates growth, at what point you need a Data Protection Officer (DPO). Generally, it is only obligatory to appoint a data protection officer when your start-up has 20 employees or more who constantly deal with personal data. However, if your start-up deals with sensitive data, or even special personal data, a data protection officer must be appointed from the very beginning, especially when using data related to health or finances. Regardless, it is highly recommended to appoint a data protection officer as early as possible, as this ensures optimal implementation of the provisions of the GDPR right from the start.  

The question arises here as to whether an internal or external data protection officer is better, whereby an external one is usually the more cost-effective option.

3. Using cold calls, newsletters & co for growth in compliance with data protection laws

During the growth phase, start-ups must be especially mindful that it becomes mandatory to designate a data protection officer when 20+ employees are consistently handling personal data. 

During the initial stages of growth, cold calling and similar strategies are highly valuable and widely employed. In the context of advertising emails sent as newsletters, it is crucial to have documented evidence of the customer's consent to receive the newsletter, and it is essential to include information in each newsletter about the option to unsubscribe at any time.

if no prior email address or similar contact information is available for the initial outreach, such as in the case of cold calling, automated emails should never be sent. However, it is permissible to write to individual addresses if there is a "justified interest". In this case, it is best to include a link to the privacy policy. In the case of initial contact via social media, telephone or networking, consent for use (e.g. sending newsletters) must first be obtained before the contact’s data is entered and used. However, it is permissible to continue contacting people on an individual basis. 

4. Process and share personal data securely and correctly 

Data processing encompasses various actions involving data, such as collection, storage, disclosure through transmission, or deletion, unless the data is anonymous.

Data may be processed under specific circumstances outlined in Art.6 DSGVO):

  • Consent of the data subject
  • Contract fulfilment 
  • Legal obligations (e.g. archiving fiscally important documents)
  • Protection of vital interests of individuals 
  • Legitimate interests

Among these circumstances, processing based on legitimate interests and consent holds significant importance. Implementation of technical and organizational measures can facilitate processing, as the data subject's interest in data protection may decrease when other safeguards are in place.

As a startup experiences growth, it accumulates more employee and applicant data, in addition to customer data. Employees require special protection under §23 of the Federal Data Protection Act (BDSG), resulting in an inherent imbalance when processing employee data. Adequate safeguards must be in place, including protecting the data of departing employees, which should be appropriately deleted.

Special personal data warrants additional protection, necessitating explicit consent from the individuals involved.

When sharing data with third parties, the following factors should be considered:

  • Do the individuals involved consent to the transfer?
  • Is the transfer necessary for contract fulfilment?
  • Is there an agreement for data processing on behalf of the controller?
  • Is the data processed in a third country?

5. Ensuring data privacy compliance on the web 

In addition to the obligatory data privacy statement featured on a company's website, there are several other important aspects to address in order to maintain a data privacy-compliant web presence. Firstly, the privacy policy must also refer to order processors that are used on the website, and in general. These may include marketing and analytics tools such as Google Analytics, as well as payment service providers such as PayPal, among others. It is important to conclude an order processing agreement with these and to create an overview of the various order processors (data processing agreement). 

A cookie banner must be implemented, where the visitor must agree to the use of non-essential cookies. Consent for this must not be pre-selected or assumed. 

Furthermore, in accordance with § 5 of the Telemedia Act, the website must display a proper imprint that includes the full name, address, and contact details of the company. This ensures compliance and transparency for website visitors.

About the Author

More articles

Data Protection and Video Surveillance

Data Protection & Video Surveillance

Video surveillance systems are omnipresent in many aspects of daily life, serving to enhance security in buildings, public spaces, workplaces, and many other locations. However, the use of video surveillance systems also presents challenges to data privacy. In this article, we want to show how you can ensure privacy while increasing security through the use of video surveillance systems.

Learn more
Unlocking Data Privacy in E-Commerce: Overcoming Challenges and Adopting Best Practices

Data Privacy in E-Commerce: Challenges and Best Practices

Obtaining effective consent from individuals is a central principle of data privacy. However, in e-commerce, it is often challenging to obtain valid consent as customers are reluctant to read extensive privacy policies or engage in complex consent processes. Lack of consent or unclear consent can lead to misunderstandings and loss of trust among customers, potentially resulting in long-term damage to a company's reputation. Furthermore, insufficient consent may have legal consequences, such as fines or compensation claims.

Learn more

The biggest mistakes in contract and data protection management

Contract and data protection management platforms primarily help to save costs and time and simplify the day-to-day handling of data protection and contract law issues. Here you can find out which mistakes you should avoid.

Learn more

Get to know our team today, with no obligations!

Contact us