Compliance & Law Glossary

DSGVO (Datenschutz-Grundverordnung, the EU General Data Protection Regulation)

The EU General Data Protection Regulation (GDPR), in effect since May 2018, requires all companies that process the personal data of EU citizens to comply with its provisions. Fines can reach 4% of global annual revenue or €20 million, whichever is higher.

The General Data Protection Regulation (GDPR) has been directly applicable throughout the EU since May 25, 2018. It applies to any company that processes personal data of EU citizens, regardless of where the company is based (principle of market location).

Core Principles of the GDPR (Art. 5)

The GDPR is based on seven core principles enshrined in Art. 5 GDPR:

  1. Lawfulness, fairness, and transparency – Processing requires a legal basis
  2. Purpose limitation – Data may only be used for specified, legitimate purposes
  3. Data minimization – Only as much data as necessary
  4. Accuracy – Data must be accurate and up-to-date
  5. Storage limitation – Delete when no longer needed
  6. Integrity and confidentiality – Technical and organizational measures (TOMs)
  7. Accountability – Companies must be able to demonstrate compliance

Every processing of personal data requires a legal basis:

Legal basis                              | When applicable
Consent (Art. 6(1)(a))                   | Newsletters, marketing cookies, analytics
Performance of a contract (Art. 6(1)(b)) | Customer data for order processing
Legal obligation (Art. 6(1)(c))          | Tax-related retention obligations
Vital interests (Art. 6(1)(d))           | Emergencies, rarely relevant
Public interest (Art. 6(1)(e))           | Government agencies, research
Legitimate interest (Art. 6(1)(f))       | B2B marketing, security (balancing of interests required)

Rights of Data Subjects (Art. 15–22)

Companies must enable these rights through technical and organizational measures:

  • Right of access (Art. 15): What information do we store about you?
  • Right to rectification (Art. 16): Correcting inaccurate data
  • Right to erasure (Art. 17): "Right to be forgotten"
  • Right to restriction (Art. 18): Pause processing
  • Right to data portability (Art. 20): Machine-readable export file
  • Right to object (Art. 21): Against direct marketing, profiling
  • Right not to be subject to automated decision-making (Art. 22): No automated decisions without human intervention

TOMs – Technical and Organizational Measures (Art. 32)

Art. 32 GDPR requires the implementation of "appropriate technical and organizational measures":

Technical:

  • Encryption of personal data (TLS in transit, AES-256 at rest)
  • Pseudonymization (separation of identifier and data)
  • Access controls (least privilege, MFA)
  • Backup and recoverability
  • Regular testing of security measures (penetration testing, vulnerability scanning)
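As an added example (not part of this glossary entry), the following Python sketch shows the "separation of identifier and data" named above and how the same structure serves the Art. 15/20 export and the Art. 17 erasure listed under data subject rights; the class and method names, the HMAC-based pseudonym and the sample record are assumptions.

```python
import hashlib
import hmac
import json
import secrets


class PseudonymizedStore:
    """Identity vault and business data are kept apart; only a pseudonym links them.

    Hypothetical layout for illustration, not a reference implementation.
    """

    def __init__(self) -> None:
        # The keyed-hash secret stays with the vault; the data store never sees it.
        self._pepper = secrets.token_bytes(32)
        self._vault: dict[str, dict] = {}   # pseudonym -> name/email (identifying data)
        self._data: dict[str, list] = {}    # pseudonym -> business records

    def _pseudonym(self, email: str) -> str:
        # HMAC rather than a plain hash: without the secret the pseudonym can be neither
        # reversed nor recomputed from a known email address (Art. 32 pseudonymization).
        digest = hmac.new(self._pepper, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def add_record(self, name: str, email: str, record: dict) -> str:
        pid = self._pseudonym(email)
        self._vault.setdefault(pid, {"name": name, "email": email})
        self._data.setdefault(pid, []).append(record)
        return pid

    def records_without_identity(self) -> list[dict]:
        """What analytics or support staff may work on: rows keyed by pseudonym only."""
        return [dict(r, subject=pid) for pid, rows in self._data.items() for r in rows]

    def holds_identity(self, email: str) -> bool:
        return self._pseudonym(email) in self._vault

    def export_for_subject(self, email: str) -> str:
        """Art. 15 / Art. 20: machine-readable (JSON) export of everything held on one person."""
        pid = self._pseudonym(email)
        if pid not in self._vault:
            raise KeyError("unknown data subject")
        return json.dumps({"identity": self._vault[pid], "records": self._data.get(pid, [])},
                          indent=2, sort_keys=True)

    def erase_subject(self, email: str) -> bool:
        """Art. 17: delete the identity entry and the records linked to it."""
        pid = self._pseudonym(email)
        existed = self._vault.pop(pid, None) is not None
        self._data.pop(pid, None)
        return existed
```

A real deployment would keep the vault and the data store in separately protected systems so that a compromise of the data store alone yields no identities.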

Organizational:

  • Employee training on the GDPR
  • Data Protection Impact Assessment (DPIA) for high-risk processing operations
  • Record of processing activities (Art. 30 GDPR)
  • Data processing agreements (DPA) with service providers

Obligation to report data breaches (Art. 33–34)

Deadline: 72 hours after the organization becomes aware of the breach.

Notification to:

  • Supervisory authority (in Germany: the competent state data protection authority): always
  • Data subjects (Art. 34): if there is a high risk to their rights

What must be reported?

  • Unauthorized access to customer data
  • Ransomware attack where data is encrypted/exfiltrated
  • Lost laptop containing unencrypted customer data
  • Accidental email sent to the wrong recipients (involving sensitive data)

What is not subject to mandatory reporting?

  • Attack was repelled, no data affected
  • Lost encrypted data (key not compromised)

Fines: Two Levels

Level      | Max. fine                            | Examples
Upper tier | €20 million or 4% of annual turnover | Art. 5, 6, 7 (processing principles), Art. 9 (sensitive data)
Lower tier | €10 million or 2% of annual turnover | Art. 8 (consent for children), Art. 11–22 (technical requirements)

High fines in practice:

  • Meta/Facebook: €1.2 billion (2023, data transfer to the U.S.)
  • Amazon: €746 million (2021, tracking without consent)
  • WhatsApp: €225 million (2021, transparency obligations)

Germany: Average fines in Germany are significantly lower, but rising. The state authorities BayLDA and LDI focus on technical security.

GDPR and IT Security: Direct Connection

Art. 32 GDPR explicitly requires information security measures. ISO 27001 certification serves as proof of compliance with Art. 32:

ISO 27001 control          | GDPR requirement
A.8.24 (Cryptography)      | Art. 32 (TOMs: encryption)
A.8.15 (Logging)           | Art. 5 (Accountability)
A.6.8 (Incident reporting) | Art. 33 (72-hour notification requirement)
A.8.10 (Data erasure)      | Art. 17 (Right to erasure)

Data Protection Officer (DPO) – Art. 37

A DPO is mandatory if the organization:

  • Is a public authority
  • Engages in extensive processing of special categories of data (health data, etc.) as a core activity
  • Engages in extensive, regular, and systematic monitoring of individuals

Even if not mandatory, a voluntary DPO is recommended (liability protection, GDPR expertise).

Data Processing Agreements (DPA) – Art. 28

Any external entity that processes personal data on behalf of the organization requires a DPA:

  • Cloud providers (AWS, Azure, M365)
  • SaaS providers (CRM, HR software)
  • Newsletter services
  • IT service providers with access to data

The DPA governs: purpose, compliance with instructions, subprocessors, technical security, and deletion upon termination of the contract.