How should companies deal with their data security

Data protection in the company: What do non-public bodies have to consider?

The most important information about data protection in the company in brief

  • The BDSG regulates in a separate section how non-public bodies must handle personal data. Besides the requirements for the privacy statement, the data protection officer and the handling of employee data, that section also sets out the disclosure obligations of companies.
  • With the EU General Data Protection Regulation, applicable from 25 May 2018, data protection violations can cost companies fines of up to 20 million euros or, if higher, up to 4% of worldwide annual turnover.
  • Complying with data protection rules in the company does not only mean extra effort; it is also an opportunity to strengthen consumer confidence and to influence purchase decisions positively.


Which data protection regulations do companies have to take into account?

The Federal Data Protection Act (BDSG) not only sets rules for public bodies; it also devotes a separate section to non-public bodies and to public-law enterprises that compete in the market. That section contains the data protection rules that companies and businesses must adhere to.

As soon as they collect, use or process personal data, the provisions of the BDSG are binding for them. Data protection can be a nuisance for companies because it goes hand in hand with high technical and personnel effort. But it also offers opportunities. Companies that apply high data protection standards come across as more trustworthy to consumers, and that trust increasingly influences customers' purchase decisions.

But which data protection requirements must companies and businesses observe?

The provisions of the Federal Data Protection Act that apply to data protection in the company cover, first of all, all personal data that are stored in automated files and/or obtained from automated processes for business purposes (§ 27 BDSG).

However, companies may not obtain personal data at will. § 28 paragraph 1 BDSG limits collection, processing and use to cases where it

  • serves a contractual relationship, or a relationship of trust similar to a contract, with the data subject and is necessary for that purpose;
  • is necessary to safeguard a legitimate interest of the body, provided this does not conflict with an overriding interest of the data subject worthy of protection; or
  • concerns data that are generally accessible.
In addition, purpose limitation is indispensable for data protection in the company: the purposes for which data are collected and/or processed must be specified concretely at the time of collection (§ 28 (1) sentence 2 BDSG), and using the collected data for other purposes is not permitted. A special purpose limitation applies to data that, according to § 31 BDSG, "are stored exclusively for purposes of data protection control, data security or to ensure the proper operation of a data processing system".

Below is a short summary of the most important key points that must be taken into account for data protection in the company:

  1. Stored data must be protected against unauthorized access and possible misuse with all available means and according to the current state of the art.
  2. Collecting, using and processing data for purposes of advertising, address trading or marketing is only permitted if the data subject agrees to this purpose. If the data subject objects to the use of their data for market or opinion research or for advertising, the company may not use them for those purposes.
  3. As a rule, the consent of the data subject is required when collecting and processing their personal data. Since the EU General Data Protection Regulation applies from 25 May 2018, tacit consent is no longer sufficient; a clear, affirmative decision by the data subject must be recognizable.
  4. All companies must appoint a data protection officer as soon as more than nine people are permanently entrusted with collecting, processing and using personal data. The officer acts independently and should, among other things, monitor data protection in the company, evaluate it regularly and prepare risk analyses.
  5. A coupling ban applies: companies may not make the conclusion of a contract dependent on the data subject's consent.
  6. Companies may transmit personal data to authorized recipients in a permissible form, provided the recipients observe the specific purpose limitation attached to the data when using them.
  7. If personal data are pseudonymized, the pseudonymized data must be stored separately from any information that makes it possible, or at least likely, to identify the person.
  8. Companies may only collect or process personal data of their employees if this is necessary for deciding whether to establish an employment relationship, for terminating one, or for carrying out the existing one. Data intended to uncover a criminal offense may only be collected if there is an actual, i.e. justified, suspicion; this rule prevents, for example, blanket video surveillance of employees.
  9. Companies also have obligations towards the data subjects whose personal data they collect, process and use, above all the obligation to provide information. At the data subject's request, every non-public body must disclose which data it has stored, for what purpose, where the data come from and to whom they have been transmitted for what purpose.
  10. Incorrect, outdated or no longer needed information must be deleted, corrected or blocked by the private bodies.
  11. All employees who handle personal data must be bound to data secrecy under § 5 BDSG.
The Federal Data Protection Act pays particular attention to the numerous credit agencies such as Schufa and Creditreform. Once a year, data subjects have the right to request a detailed, free overview of the data stored about them, including all relevant scoring values (§§ 34, 35 BDSG).

What do these regulations mean for data protection in the company?

But why is data protection so important in the company? Data protection and data security play two roles there.

On the one hand, data protection serves to preserve every natural person's fundamental rights to privacy and informational self-determination, which includes the company's own employees. Violations can cost the company dearly.

Since the European General Data Protection Regulation (GDPR) applies, fines of up to 20 million euros or 4 percent of global annual turnover are possible.

On the other hand, demonstrably higher data security, and not only for personal data, allows the company to strengthen customer and consumer trust. Data protection therefore not only costs money; in the end it can also become a source of revenue.

The BDSG's requirements mean that a lot must be observed for data protection in the company. The following checklist is intended to give an overview of the essential data protection measures a company can take.

Checklist for data protection in the company

The overview is meant only as an initial orientation on what you should consider for data protection in your company. Depending on your company's focus, individual points may not apply and others may need to be added.

Checklist for data protection in the company (answer each item Yes / No)

Appointing a data protection officer
  • Are more than nine people permanently involved in the processing of personal data in your company?
  • Are more than 9 people entrusted with conventional (non-automated) data collection or processing?
  • Do you process sensitive personal data that require prior checking (e.g. health data)?
  • Does the data processing in your company serve the purpose of transmission to third parties, anonymized disclosure, or market and opinion research?
  If you answered yes to any of these questions, a data protection officer must be appointed in your company.
  • Have you appointed a data protection officer?
  • Is the data protection officer independent, and does he or she report directly to the management?

General data protection in the company
  • Have you put a data protection concept or an effective data protection policy in place in your company?
  • Have all employees who process data been bound to data secrecy under § 5 BDSG before starting their work?
  • Are there regular training courses and instructions on data protection?
  • Do you also transfer data to non-EU countries?
  • Is there a public procedure directory ("procedure directory for everyone")?
  • Does an internal procedure directory exist for the authorized persons?
  • Does a legally sound privacy statement exist for your company?

Technical data protection
  • Have firewalls and malware protection been installed, activated and kept up to date on all affected systems?
  • Do you use user identification / authentication at the individual workstations?
  • Do you and your employees always use secure passwords?
  • Does your company have an access authorization concept?
  • Have you defined different access rights and granted them according to each employee's job profile?
  • Are data protection violations in the company logged?
  • Are data carriers / data sheets stored securely?
  • Are data carriers / data sheets disposed of securely?
  • Has appropriate copy protection / write protection been set up?
  • Is there a regular check of the deletion deadlines for personal data?
  • Are the data deleted in good time?
  • Is data in transit protected against unauthorized access by encryption and other security measures?
  • Is there comprehensive written documentation of the technical and organizational measures (§ 9 BDSG)?
  • Are there appropriate guidelines on information security and the use of IT systems?
  • Does an emergency plan exist (for data leaks, malware infections, misuse, etc.)?

Data protection for your employees
  • Do you collect, use and process employee data only in connection with establishing, terminating or carrying out an employment relationship?
  • Do you collect additional data to uncover a criminal offense only where there is justified suspicion?
  • Do you delete electronically submitted application data once the applicant has been rejected?

Collection of the data
  • Do you obtain the data directly from the data subject and only with consent?
  • Is the data subject always informed, in a comprehensible and recognizable way, about the purpose, type and scope of the collection, use and processing of the data they provide voluntarily?
  • Does the data subject have the option to withdraw their consent?
  • In the event of a withdrawal, is it guaranteed that the collected data will no longer be used?

Rights of the data subjects
  • Does your company have a process for handling data subjects' rights?
  • Does the responsible department answer requests for information completely and promptly?
  • Are deletion requests processed immediately and, if justified, implemented as quickly as possible?
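
Several of the checklist items above (purpose limitation, keeping pseudonymized working data apart from the identifying characteristics, logging violations, and a regular check of deletion deadlines) can be enforced in code rather than only on paper. The following is an added example written for this page, not code from the original article or from any vendor: a minimal personal-data store with a separate identity vault, a purpose check on every read, an audit log, and a deadline sweep. The purposes, retention periods and sample records are constructed assumptions for illustration; the real deadlines come from a company's own deletion concept, not from the BDSG text quoted here.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods per documented processing purpose (illustrative;
# the real deadlines come from the company's own deletion concept).
RETENTION_DAYS = {
    "contract": 3 * 365,     # data needed to perform a customer contract
    "application": 180,      # application data, deleted after rejection
}


@dataclass
class Record:
    pseudonym: str
    purpose: str            # the purpose specified at collection time
    payload: dict           # working data without identifying characteristics
    collected_on: date
    delete_after: date      # deletion deadline derived from the purpose


class PersonalDataStore:
    """Working records and the identity vault are two separate stores,
    so a leak of the working records alone identifies nobody."""

    def __init__(self):
        self._identities = {}   # identity vault: pseudonym -> name, address, ...
        self._records = {}      # working store: pseudonym -> Record
        self.audit_log = []     # logged violations, re-identifications, deletions

    def collect(self, identity, purpose, payload, today):
        """Store a new record; the purpose must be one that was specified."""
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"no documented purpose: {purpose!r}")
        pseudonym = secrets.token_hex(8)   # random token, not derived from identity
        self._identities[pseudonym] = dict(identity)
        self._records[pseudonym] = Record(
            pseudonym, purpose, dict(payload), today,
            today + timedelta(days=RETENTION_DAYS[purpose]))
        return pseudonym

    def read(self, pseudonym, purpose):
        """Return the working data only for the purpose it was collected for."""
        rec = self._records[pseudonym]
        if rec.purpose != purpose:
            self.audit_log.append(("purpose_violation", pseudonym, rec.purpose, purpose))
            raise PermissionError(f"record collected for {rec.purpose!r}, not {purpose!r}")
        return rec.payload

    def reidentify(self, pseudonym, purpose):
        """Join the working record back to the identity; every join is logged."""
        payload = self.read(pseudonym, purpose)          # enforces purpose limitation
        self.audit_log.append(("reidentify", pseudonym, purpose))
        return {**self._identities[pseudonym], **payload}

    def sweep(self, today):
        """Regular deadline check: delete every record whose deadline has passed,
        together with its entry in the identity vault, and log each deletion."""
        expired = sorted(p for p, r in self._records.items() if r.delete_after <= today)
        for p in expired:
            del self._records[p]
            self._identities.pop(p, None)
            self.audit_log.append(("deleted", p, today))
        return expired

    def holds_identity(self, pseudonym):
        return pseudonym in self._identities


if __name__ == "__main__":
    store = PersonalDataStore()
    # Constructed sample data, not real persons.
    app = store.collect({"name": "Erika Mustermann"}, "application",
                        {"position": "developer"}, date(2018, 1, 1))
    cust = store.collect({"name": "Max Mustermann"}, "contract",
                         {"plan": "basic"}, date(2018, 1, 1))
    print(store.read(cust, "contract"))
    print("deleted on 2018-06-30:", store.sweep(date(2018, 6, 30)))
    print(store.audit_log)
```

Running the sweep from a scheduled job (e.g. nightly) turns the checklist question "are the data deleted in good time?" into something that can be answered from the audit log; the same log records every read for a purpose other than the one specified at collection, which is the evidence an auditor or data protection officer will ask for.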


Incidentally, to strengthen consumer confidence in their data protection, non-public bodies can have a data protection audit carried out. In an audit, the points listed above and the company's entire data protection concept are examined in detail. The result serves as a data protection certification with which the company can also advertise publicly.