
Achieve perfect data protection compliance in 5 steps

5 steps to data protection compliance

Data Protection for Start-ups: The Key to Compliance and Growth

In order to be data protection compliant right from the start, it is worthwhile to acquire a basic knowledge of the General Data Protection Regulation (GDPR), as this must be observed from the very beginning.

1. Acquire foundational knowledge for data protection compliance

To ensure that you are data protection compliant right from the start, it is certainly worthwhile to establish a basic knowledge of the General Data Protection Regulation (GDPR) and observe it from the very beginning. This way, you can avoid having to spend both time and effort on adaptation processes later and potentially incurring high fines. 

We hope to fill this gap in basic knowledge with specialist articles available on our website. The main purpose is to get a general overview and to understand the principles of the GDPR. 

To establish a strong basis for effective data protection, it is beneficial to understand the business processes from the outset, during the planning and development phases. Documenting where personal data is collected, stored, used and deleted across the different areas or departments of a process proves invaluable. This makes it easier to create documents such as the record of processing activities later on, because the individual processing operations are already accounted for.

It is also important to note that high technical security standards in IT alone are not sufficient for data protection compliance.

2. Appointment of a data protection officer 

Many also wonder, especially as the company grows, at what point a Data Protection Officer (DPO) becomes necessary. Generally, appointing a data protection officer only becomes obligatory once your start-up has 20 employees or more who constantly deal with personal data. However, if your start-up processes sensitive data, and in particular special categories of personal data such as health or financial data, a data protection officer must be appointed from the very beginning. Regardless of these thresholds, it is highly recommended to appoint a data protection officer as early as possible, as this ensures that the provisions of the GDPR are implemented properly right from the start.

This raises the question of whether an internal or an external data protection officer is the better choice; an external one is usually the more cost-effective option.

3. Using cold calls, newsletters & co for growth in compliance with data protection laws

During the growth phase, start-ups must be especially mindful that it becomes mandatory to designate a data protection officer when 20+ employees are consistently handling personal data. 

During the initial stages of growth, cold calling and similar strategies are highly valuable and widely employed. In the context of advertising emails sent as newsletters, it is crucial to have documented evidence of the customer's consent to receive the newsletter, and it is essential to include information in each newsletter about the option to unsubscribe at any time.

If no email address or similar contact information is available for the initial outreach, as is the case with cold calling, automated emails should never be sent. However, it is permissible to write to individual addresses if there is a "legitimate interest". In this case, it is best to include a link to the privacy policy. In the case of initial contact via social media, telephone or networking, consent for use (e.g. sending newsletters) must first be obtained before the contact's data is entered and used. Contacting people on an individual basis, however, remains permissible.

4. Process and share personal data securely and correctly 

Data processing encompasses various actions involving data, such as collection, storage, disclosure through transmission, or deletion, unless the data is anonymous.

Data may be processed only under the specific circumstances set out in Art. 6 GDPR (DSGVO):

  • Consent of the data subject
  • Contract fulfilment 
  • Legal obligations (e.g. archiving fiscally important documents)
  • Protection of vital interests of individuals 
  • Legitimate interests

Among these circumstances, processing based on legitimate interests and on consent is of particular importance. Implementing technical and organizational measures can make processing on the basis of legitimate interests easier to justify, because the data subject's interest in additional data protection carries less weight when other safeguards are already in place.

As a start-up grows, it accumulates more employee and applicant data in addition to customer data. Employees enjoy special protection under §23 of the Federal Data Protection Act (BDSG), because of the inherent imbalance between employer and employee when employee data is processed. Adequate safeguards must be in place, including for the data of departing employees, which must be deleted when it is no longer required.

Special personal data warrants additional protection, necessitating explicit consent from the individuals involved.

When sharing data with third parties, the following factors should be considered:

  • Do the individuals involved consent to the transfer?
  • Is the transfer necessary for contract fulfilment?
  • Is there an agreement for data processing on behalf of the controller?
  • Is the data processed in a third country?

5. Ensuring data privacy compliance on the web 

In addition to the obligatory privacy policy on a company's website, there are several other important aspects to address in order to maintain a data-protection-compliant web presence. Firstly, the privacy policy must also name the processors that are used on the website and in the business in general. These may include marketing and analytics tools such as Google Analytics, as well as payment service providers such as PayPal, among others. It is important to conclude a data processing agreement with each of these processors and to keep an overview of all processors in use.

A cookie banner must be implemented, where the visitor must agree to the use of non-essential cookies. Consent for this must not be pre-selected or assumed. 
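The following is an added example (not code from heyData or this article) showing how a consent state module can enforce the rule above in code: every non-essential category starts switched off, nothing other than the consent decision itself is stored before an explicit choice, and anything that is not a deliberate `true` from the visitor is treated as no consent. The category names, the policy version string and the `cookie_consent` cookie name are assumptions chosen for illustration.

```javascript
// Added example: cookie-consent gating with "off by default, explicit opt-in only".
// Category names, policy version and cookie name are assumptions for illustration.

// Tie every record to the policy text the visitor actually saw; consent given
// under an older version is not carried over (assumed version string).
const POLICY_VERSION = "2023-06-policy-v1";

const CATEGORIES = {
  essential: { required: true },   // session, CSRF token, the consent cookie itself
  analytics: { required: false },  // e.g. web analytics
  marketing: { required: false },  // e.g. ad pixels
};

// State the banner must start from: optional categories are OFF, nothing recorded.
function defaultConsent() {
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    choices[name] = meta.required;
  }
  return { choices, recordedAt: null, version: POLICY_VERSION };
}

// Record an explicit decision. Only a strict boolean true counts as consent;
// missing keys, "1", "yes" or "on" are never assumed to mean yes.
function recordConsent(chosen, now = new Date()) {
  const state = defaultConsent();
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (meta.required) continue;
    state.choices[name] = chosen[name] === true;
  }
  state.recordedAt = now.toISOString();
  return state;
}

// Gate for every cookie-setting code path (analytics loader, marketing pixel...).
// Unknown categories and unrecorded states are denied.
function mayUseCategory(state, category) {
  const meta = CATEGORIES[category];
  if (!meta) return false;
  if (meta.required) return true;
  return state.recordedAt !== null && state.choices[category] === true;
}

// Withdrawal must be as easy as consent: a fresh record with all optional
// categories set to false.
function withdrawConsent(now = new Date()) {
  return recordConsent({}, now);
}

// Persist the decision itself. This cookie is essential (it stores the choice,
// it does not track), so it may be set before any opt-in.
function consentCookie(state) {
  const value = encodeURIComponent(JSON.stringify(state));
  const sixMonths = 180 * 24 * 3600;
  return `cookie_consent=${value}; Max-Age=${sixMonths}; Path=/; Secure; SameSite=Lax`;
}

// Read the decision back from a Cookie header. Anything missing, malformed or
// recorded under an older policy version falls back to "no consent".
function parseConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return defaultConsent();
  try {
    const parsed = JSON.parse(decodeURIComponent(match[1]));
    if (
      !parsed ||
      typeof parsed.choices !== "object" ||
      typeof parsed.recordedAt !== "string" ||
      parsed.version !== POLICY_VERSION
    ) {
      return defaultConsent();
    }
    // Re-validate through recordConsent so tampered values cannot widen consent.
    return recordConsent(parsed.choices, new Date(parsed.recordedAt));
  } catch {
    return defaultConsent();
  }
}
```

In practice `mayUseCategory` is the single check placed in front of every script loader or `document.cookie` write for a non-essential purpose; the banner's "accept selected" button calls `recordConsent` with the visitor's actual checkbox values, and a "reject all" or later "withdraw" link calls `withdrawConsent`. Because the parser re-runs `recordConsent`, a stored cookie can never grant more than the current policy's categories allow.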

Furthermore, in accordance with § 5 of the Telemedia Act, the website must display a proper imprint that includes the full name, address, and contact details of the company. This ensures compliance and transparency for website visitors.
