What you always wanted to know about data protection

Dr. Bernd Schmidt

What to consider when choosing and appointing your data protection officer


The data protection officer plays a key role in your data protection organization and usually works with you for a very long time. With a good decision, you can set the course for successful data protection management, but you can also go wrong. Learn more about what to look out for during the selection and appointment of a data protection officer.

Important criteria when selecting a data protection officer

Choosing the right data protection officer for your company can be crucial to the success of your data protection management. There are various criteria that you should know and consider.

Experience and expertise

A data protection officer should have in-depth experience and expertise in data protection law and technology. It is important that the person is familiar with the relevant data protection laws and regulations and is able to implement them effectively.

Industry-specific knowledge

Your data protection officer should know your business. Data protection requirements can vary greatly depending on the industry and customer.

Communication skills

A Data Protection Officer should have good communication skills to engage colleagues and raise awareness of data protection in your organisation. The person should be able to explain data protection topics in an understandable way and provide training so that employees can comply with and implement data protection requirements.

Independence and neutrality

It is important to ensure that the data protection officer acts independently and neutrally. The person should not come into conflict with other company interests and should be able to make unbiased decisions. People in management positions or with responsibility for data protection-critical areas are therefore not suitable candidates.

Continuous further training

Data protection is constantly evolving. This applies to technology as well as regulation. It is therefore important to ensure that your data protection officer is prepared to keep up to date with the latest developments in data protection. You must be prepared to support this with the appropriate resources.

Internal or external appointment?

It is possible to recruit a data protection officer from your own staff, find and hire a new candidate or outsource the appointment to a law firm or consultancy. All options have advantages and disadvantages.

Internal candidates know their company and generally have a better connection to the organisation. They are aware of what is happening and ideally know what needs to be done to improve data protection. However, they may face the challenge of the in-house advocate, who is not listened to, or not listened to in the same way as the external adviser. The external adviser usually has more experience and can use knowledge from other clients. The internal data protection officer usually only introduces a new HR system once. The external adviser has usually done this more often. However, they need a good connection to the company so that they can bring their expertise to bear.

Which option you decide on should ultimately depend on how you combine the greatest possible expertise with the connection to the organisation. You can make a good or a bad choice, but there are no one-size-fits-all solutions.

The appointment of a data protection officer

If you have made the right choice, the appointment is the minor obstacle. The data protection officer is then appointed by the appointment document, reported to the responsible data protection authority via their online form and announced to the team.


When selecting and appointing your data protection officer, you should proceed carefully to ensure that the person has the necessary qualifications and is suitable for the task. The right choice of data protection officer is a crucial building block for good data protection management.


Realisation of the duty to erasure

For the lawful processing of personal data, a legal basis is necessary, and the processing can only last as long as it is necessary to fulfill the purpose for which the personal data was collected. Afterwards, the personal data needs to be erased. In this document you can read about the processes you should implement to fulfil this duty.

Permitted period for storing personal data

The legal basis for the processing of personal data is most often the GDPR or the German data protection law (BDSG). Company agreements or collective labour agreements can also be the legal basis for processing personal data.

Before collecting personal data, it is therefore necessary to ensure that an applicable legal basis exists. A legal basis applies, for example, if the data subject has given consent to the processing, or if the processing is necessary for compliance with a legal obligation or for the performance of a contract. The processing of the personal data is lawful until the purpose is fulfilled. In the case of an order of goods, the purpose of collecting address data is fulfilled when the order is delivered.

When do you need to delete personal data?

After the purpose of the processing is fulfilled, personal data usually needs to be erased. Often there is a reason to store the data longer. One possible reason is that a new legal basis is applicable because a new or changed purpose for the processing exists. When the address data for the order process is collected and the recipient agrees to receive advertising of the company, the company can process the address data after the delivery of the order to send advertisements.

Even after every purpose is fulfilled, a check for possible legal storage obligations should be performed. Such obligations regularly exist, and in that case further storage is necessary. Typically, such obligations arise from tax and commercial law statutes.

In the case of the order process described above, personal data may be stored until the limitation period has expired. Usually, this period is three years starting with the end of the year in which the order was made. The reason for this is the possibility of legal disputes related to the order. If commercial or business letters were created because of the order, the letters must be stored for six years.

When no applicable legal basis exists and the period for legal storage obligations is over, the personal data must be erased.

Here you can find an overview of deletion periods for HR data.

Duty to provide an erasure concept

Art. 5 sec. 2 GDPR provides a factual obligation to provide a concept for the erasure of personal data.

Art. 5 sec. 1 let. e GDPR provides the principle of storage limitation. Together with the principle of purpose limitation in Art. 5 sec. 1 let. b GDPR, the duty of erasure follows. Art. 17 GDPR also provides the data subject with the right to obtain erasure of personal data. Due to the accountability obligation in Art. 5 sec. 2 GDPR, the controller needs to be able to demonstrate compliance with these provisions. Therefore, the controller needs to document the personal data held in its IT systems, the purposes of the processing, the storage and erasure periods, as well as proof of the erasure. In other words: an erasure concept.

How to create this concept

The basis for creating the concept for erasure of personal data is an overview of the IT systems and all processing of personal data. Afterwards, the specifically affected personal data and the categories of this data are added to the respective IT system and process. For each category of personal data, the duration for which the purpose of the processing exists needs to be determined. The period of storage after the purpose has been fulfilled also needs to be defined.

What happens if the personal data is erased too late or not at all?

A violation of the principles of storage and purpose limitation can lead to a fine of up to 20 million euros or up to 4% of the worldwide turnover of the company. In 2019, the responsible data protection officer of Berlin imposed a fine of 14 million euros on the company “Deutsche Wohnen” for violating the duty to erasure, the highest fine in Germany to date. The legal proceedings concerning the fine are still ongoing, and the fine is not yet legally binding.


Record of processing activities and a template

Record of processing activities, Art. 30 para. 1

The record of processing activities is the controller's documentation of processes under data protection law. It makes sense to take some time when creating the record of processing activities and to create an intelligent system that maps the company processes in appropriate detail in order to create a sensible basis for further data protection organization and documentation beyond the fulfillment of documentation obligations. A good record of processing activities captures all company processes like a network and contains information that is compressed in such a way that the record of processing activities can be kept up to date with reasonable effort.

What is a processing activity? Examples included
The creation of the record of processing activities is a legal obligation resulting from Article 30 (1) GDPR. The record of processing activities consists of the documentation of individual processing activities. Processing activities are processes, i.e. a sequence of individual activities in which personal data are processed. How many individual activities are combined into one processing activity can be defined relatively freely. It is therefore possible to combine processes into one large processing activity or to map them separately. The classic example of a processing activity is personnel data processing - but more on that below.

Who needs a record of processing activities?
In principle, every controller must keep a record of processing activities, i.e. every company and every public authority. There are exceptions to the documentation requirement for small companies with fewer than 250 employees, but these should be treated with caution and rarely become relevant as a result. This is because there are fall-back exceptions, i.e. cases in which these small companies must also keep a record of processing activities, namely when small companies

  • carry out regular processing operations that pose a risk to the rights and freedoms of data subjects (this is more often the case than one might suspect);
  • carry out processing operations on special categories of data (e.g., health data) (this is also the case in most companies);
  • perform processing operations on criminal convictions and offenses (this is likely to be rare).

As a result, virtually all companies and public authorities are required to maintain a record of processing activities. Even if this should not be the case, they are obliged to comply with data protection law and must also document this because of the accountability in Art. 5 (2) GDPR. In any case, it makes sense to keep a record of processing activities for this purpose, because it is the usual documentation that a data protection authority knows and expects.

Who creates the record of processing activities?
The obligation to create the record of processing activities lies with the controller, i.e. the natural or legal person who manages a company, or with a public authority. Depending on the internal organization, the management of the company or of the authority must ensure that a record of processing activities is created. These persons may, of course, delegate the creation. This makes sense and is common practice. The management of the company or authority must then only check, or be told, that a record of processing activities has been created and is regularly maintained.

In practice, the creation of the record of processing activities is often delegated to data protection officers or a data protection department. They coordinate the creation by creating the corresponding document and triggering the collection of information by the departments by inviting them to interviews, providing information in questionnaires or entering it directly into the document. Software support makes sense for this process, of course, in order to gather and consolidate information efficiently.

What belongs in a record of processing activities?

The contents of the record of processing activities are derived from Article 30 (1) GDPR. They are:

  • Name and contact details of the controller;
  • The purposes of the processing;
  • A description of the categories of data subjects and the categories of personal data;
  • The categories of recipients, including recipients in third countries or international organizations;
  • Transfers of personal data to a third country or international organization;
  • Time limits for erasure;
  • A general description of the technical and organizational measures referred to in Article 32(1).

Depending on how one uses the record of processing activities for data protection organization and documentation, it is appropriate to collect further information there, such as

  • IT infrastructure used;
  • software used;
  • result of the check whether a data protection impact assessment has to be carried out;
  • etc.

Are there "standard procedures"?
There are "standard procedures" that play a role for all or most data controllers. These are, for example, procedures for processing customer data, for accounting or for operating a website. A classic processing activity is, of course, personnel data processing. It can be found in practically every company and in every public authority. In smaller companies with few staff and little activity and complexity, it may make sense to define a "personnel data processing" processing activity and map it in the record of processing activities. In larger companies with more complex personnel processes, on the other hand, it makes sense to split the topic and map it separately, for example in processing activities for "Recruiting", "Payroll", "Personnel Development", etc.

In many cases, meaningful documentation can be mapped with approximately 15 processing activities. Significantly more or significantly fewer processing activities can be an indication of documentation that is too complex or not detailed enough.

You can find useful standard procedures for your record of processing activities in our free template.

What does a sample list of processing activities look like?
Templates for the creation of the record of processing activities contain the mandatory information according to Art. 30 (1) GDPR (see above). Good templates also contain additional information that is required for a meaningful data protection organization and documentation.


Quickly explained: Technical and organizational measures - TOMs

The GDPR requires that certain measures are taken to protect personal data when it is processed - also known as technical and organizational measures (TOM). These measures are intended to ensure that, in particular, the integrity and confidentiality of personal data are maintained and processing is secure.

What is the importance of TOMs?

Companies that process personal data are required to implement technical and organizational measures to protect the data and comply with data protection law. These include measures such as:

  • Anonymization and encryption of data.
  • Ensuring the integrity and availability of data and related systems.
  • Continuous monitoring and evaluation of implemented measures.

Goals of the TOMs in data protection

The aim of the TOMs is to ensure appropriate data protection in line with current technological developments. A thorough risk assessment should therefore be carried out when implementing the TOMs so that measures appropriate to the risk can be taken. For example, if a server or network drive fails, it must be possible to restore the data from backups.

How can data protection be improved through TOMs?

  • Physical access control: Prevent uncontrolled access to places where IT systems are located.
  • System access control: Ensures that it is possible to track who has had access to IT systems.
  • Access control: Ensures that only authorized persons can access personal data.
  • Transport control: Protection of data during transfer.
  • Input control: Ensures that every data input can be traced.
  • Job control: Ensures that contractors only handle personal data in a controlled manner.
  • Availability control: Ensures that personal data is available and not permanently lost in the event of IT failures.
  • Separation according to the purpose of processing: Ensures that personal data are processed separately for different purposes.

The specific measures required for your company should by all means be determined on the basis of an individual risk analysis.


Data Protection Impact Assessment (DPIA) under the EU General Data Protection Regulation

The Data Protection Impact Assessment (DPIA) is the central and mandatory instrument for risk assessment of data processing operations. The purpose of the DPIA is to identify data protection risks at an early stage and to take appropriate measures to reduce them.

What is a Data Protection Impact Assessment?

The DPIA is the central measure of the risk-based approach of the GDPR. Companies must check for each processing of personal data whether it has high risks for the rights and freedoms of the data subjects. For processes where this is the case, the actual DPIA is then carried out; a detailed description and assessment of the data protection risks. The main objective of the DPIA is to assess particular risks to the rights and freedoms of data subjects and to take appropriate protective measures.

When should a DPIA be performed?

The GDPR provides that a DPIA must be carried out whenever data processing operations, in particular data processing operations using new technologies, pose a high risk to the rights and freedoms of individuals. Article 35 GDPR also contains regulatory examples that make the performance of a DPIA mandatory, such as the systematic and comprehensive assessment of personal aspects or the processing of special categories of data. In addition, supervisory authorities have published so-called positive lists containing processing operations for which a DPIA is mandatory.

How do you perform a DPIA?

To properly implement legal requirements to perform a DPIA, it is critical to identify and then thoroughly review data processing operations that pose potential risks. The GDPR sets out minimum requirements for the content of a DPIA. These include a systematic description of the processing operations, an assessment of their necessity and proportionality, and a risk assessment for the data subjects. In addition, companies must define measures to mitigate risks and ensure data protection and seek the advice of the data protection officer. If there is still a high risk after the DPIA, there must even be consultation with the data protection authority.


The DPIA is a legal obligation and an essential tool for assessing and mitigating data protection risks when introducing new processes or technologies in companies. On the one hand, this serves to protect the data subjects, but also to protect your company. Especially in times of digitalization and the introduction of new technologies, it is essential for companies to address the potential risks and the necessary protective measures.