Responsibilities and obligations of companies:
The General Data Protection Regulation (GDPR) sets out a number of obligations for companies to ensure the protection of personal data. These obligations concern organizational and technical measures to ensure the security of data processing and to protect the rights of the data subjects. The main obligations are described in detail here:
- Maintain a record of processing activities (Article 30 GDPR):
  - Companies must maintain a register of all processing activities under their responsibility. This register must contain specific information, including:
    - the name and contact details of the controller and, where applicable, of the joint controller, the controller’s representative and the data protection officer;
    - the purposes of the processing;
    - a description of the categories of data subjects and the categories of personal data;
    - the categories of recipients to whom the personal data have been or will be disclosed;
    - where applicable, transfers of personal data to a third country or to an international organisation, including the identification of the third country or international organisation concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards;
    - where possible, the time limits envisaged for erasure of the different categories of data;
    - where possible, a general description of the technical and organisational measures referred to in Article 32(1).
- Data protection by design and by default (Article 25 GDPR):
  - Companies must take appropriate technical and organisational measures to ensure that data protection principles, such as data minimisation and purpose limitation, are taken into account when developing and operating processing systems and procedures.
  - These measures are intended to ensure that, by default, only personal data that are necessary for the respective processing purpose are processed. This applies to the amount of data collected, the extent of its processing, the storage period and its accessibility.
- Security measures (Article 32 GDPR):
  - Companies are obliged to take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons. These measures include, among others:
    - the pseudonymisation and encryption of personal data;
    - the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on an ongoing basis;
    - the ability to restore availability and access to personal data promptly in the event of a physical or technical incident;
    - a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures to ensure the security of processing.
- Reporting of data breaches (Articles 33 and 34 GDPR):
  - In the event of a data breach that is likely to result in a risk to the rights and freedoms of natural persons, the controller must notify the breach to the supervisory authority without undue delay and, where feasible, within 72 hours after having become aware of it. The notification to the supervisory authority must contain at least the following information:
    - the nature of the data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
    - the name and contact details of the data protection officer or other contact point for further information;
    - the likely consequences of the data breach;
    - the measures taken or proposed to address the data breach and, where appropriate, measures to mitigate its possible adverse effects.
  - Where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also inform the data subjects of the data breach without undue delay.
- Data protection impact assessment (Article 35 GDPR):
  - Companies must carry out a data protection impact assessment when a form of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. A data protection impact assessment consists of a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation.
- Appointment of a data protection officer (Articles 37-39 GDPR):
  - Certain companies must appoint a Data Protection Officer (DPO) if:
    - the processing is carried out by a public authority or body (except courts acting in their judicial capacity);
    - the core activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
    - the core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences pursuant to Article 10.
  - The data protection officer is responsible, among other things, for informing and advising the controller or processor and the employees carrying out processing operations on their obligations under the Regulation, monitoring compliance with the Regulation, providing advice in connection with the data protection impact assessment and cooperating with the supervisory authority.
Summary:
The GDPR sets out clear requirements for companies to ensure the protection of personal data. These obligations include maintaining a record of processing activities, implementing data protection measures by design and by default, implementing appropriate security measures, reporting data breaches, conducting data protection impact assessments and, where appropriate, appointing a data protection officer. Compliance with these obligations is essential to meet the requirements of the GDPR and to protect the rights and freedoms of data subjects.