Data Protection for Businesses
External Data Protection Officer, data processing agreement review and GDPR consulting - pragmatic, legally sound and from the perspective of security experts who know the day-to-day realities.
Trusted by our customers
Data Protection meets IT Security
Data protection and information security belong together. As a cybersecurity company, we think about both - not in isolation from each other.
Technically grounded
Our DPOs understand how IT systems, APIs and data flows actually work. No patchwork - but data protection that works in practice.
SME-focused
We understand the resources and challenges of small and medium-sized businesses. Our data protection is pragmatic and implementable - not just for large enterprises with dedicated compliance departments.
Everything from one source
Data protection consulting, penetration testing, ISO 27001, phishing simulation - coordinated by AWARE7. One contact for IT security and data protection.
Real GDPR fines in Europe
Source: GDPR Enforcement Tracker (CMS Law) · enforcementtracker.com
Unlawful data transfers to the USA without adequate safeguards
Personalised advertising without a sufficient legal basis
Processing of children's data without valid consent
Unlawful transfer of driver data to the USA
Lack of transparency towards users and non-users
Cookie consent: rejecting harder than accepting
Data breach due to insufficient privacy by design (scraping of 533 million users)
Systematic monitoring and profiling of employees
Biometric scraping without a legal basis - facial recognition
Tenant data archived without a deletion concept or storage limitation
Surveillance video of a minor passed on to a private detective
Health data of 51 pupils with disabilities published without a legal basis
Refusal to cooperate with the data protection authority
Data leak due to inadequate technical and organisational measures
New passwords sent unencrypted by e-mail
Doctor published surgery photos without the patient's consent
Video surveillance in rental apartments without a legal basis
Our Reference Frameworks
We do not work on gut feeling - we follow established international standards for privacy management.
Privacy Information Management System (PIMS)
ISO 27701 is the international standard for privacy management systems - an extension of ISO 27001 with privacy-specific requirements. We follow this framework because it bridges technical information security and legal data protection requirements (GDPR, UK GDPR etc.).
Trusted Data Processing
Our structured approach to trusted data processing is based on established best practices for service providers who process personal data on behalf of others. We incorporate this approach in our consulting - so your data processors are not only contractually bound, but also technically and organisationally trustworthy.
ISO 27701 as an extension of your ISMS?
If you are already ISO 27001 certified or planning certification, ISO 27701 can be integrated as a privacy extension. We accompany both - information security and data protection - from a single source.
Planned Data Protection Services
These services are currently being developed. Register to be among the first to be informed when they become available.
External DPO
Appointment as external Data Protection Officer under GDPR Article 37. Mandatory for many organisations - we assume responsibility and liability.
DPA Review
Review and drafting of Data Processing Agreements (GDPR Article 28). Every service provider with data access requires a legally sound DPA.
GDPR Consulting
Records of Processing Activities (RoPA), Data Protection Impact Assessment (DPIA), privacy notices and internal policies. Compliance that works.
Data Breach Management
Immediate support for reportable data breaches. The 72-hour notification obligation to the supervisory authority is reliably met. Template documents included.
Data Protection Training
Mandatory employee training under GDPR - hands-on, industry-specific and documented. Available in person or as e-learning.
GDPR Compliance
Already available: our GDPR consulting in the context of IT security, audits and technical and organisational measures (TOMs).
Be the first to know
Our data protection services are launching soon. Leave your contact details and we will be in touch as soon as we are ready - and discuss your requirements in advance.
From the blog