19 Mar 2025

Data protection in the company: What measures employers need to take

Companies must comply with a large number of data protection regulations. The management is responsible for ensuring that these regulations are implemented and that appropriate measures are taken. If necessary, the management deploys employees or external service providers to ensure compliance with data protection regulations.

The most important legal bases for operational data protection are the Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR).


Processing of personal data

The topic of data protection plays an important role when it comes to the processing of personal data.

According to Art. 4 GDPR, "personal data" means any information relating to an identified or identifiable natural person, such as name, date of birth, address, telephone number, bank account number, etc.

Operations involving personal data, such as the collection, storage, retrieval, use, transmission, synchronisation and deletion of data, are considered "processing".

Overview of basic rights and obligations

1. Prevent data misuse

Companies must store data using technical and organizational measures to protect it from access by unauthorised persons.

2. Obtain the consent of the persons concerned

The collection and processing of personal data usually requires the consent of the person concerned. Companies must obtain consent if they collect or use customer data for advertising or marketing purposes.

3. Special regulations for the handling of employee data

Companies may process the data of their own employees - without the consent of the person concerned - if this is necessary to establish, implement or terminate the employment relationship.

4. Observe the duty to provide information

Individuals from whom a company collects, processes and uses personal data can request information about what data the company has collected and for what purpose, where the data originates from, and to whom the company has transmitted the data and for what purpose.

Principles for the processing of personal data

In Art. 5 GDPR the following principles are laid down, which must be observed when processing personal data:

  • Lawfulness: Companies must process personal data in a lawful manner.
  • Fairness (processing in good faith): Personal data must be processed in accordance with the principle of good faith.
  • Transparency: Companies must inform data subjects when they process their data.
  • Purpose limitation: Companies may only collect and store personal data if it serves a defined, clear and legitimate purpose.
  • Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: Companies must ensure that the content of the processed data is correct and factually accurate.
  • Storage limitation: Companies must store personal data in a form that allows the identification of data subjects only for as long as is necessary for the purposes for which they are processed.
  • Integrity and confidentiality: Personal data must be processed in such a way that it is protected against unauthorised access and loss.

Employers must ensure that the aforementioned principles are adhered to. They must also be able to prove that they comply with the principles.


What measures employers must take

In accordance with Art. 32 GDPR, companies must take appropriate technical and organisational measures to ensure data protection in their operations. These measures include, among other things:

  • the pseudonymisation and encryption of personal data
  • the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to data processing in the long term
  • the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident
  • a procedure for regularly reviewing, assessing and evaluating the effectiveness of the technical and organisational data protection measures

In addition, Section 64 BDSG sets out specific measures that employers must take:

  • Access control (to equipment): Unauthorised persons must not have access to data processing devices.
  • Data carrier control: Unauthorised reading, copying, modification or deletion of data carriers must be prevented.
  • Storage control: Unauthorised persons must not be able to change or delete data that has already been saved.
  • User control: The use of automated processing systems by unauthorised persons must be prevented.
  • Access control (to data): Only the respective authorised persons should have access to the personal data.
  • Transmission control: Companies must be able to check and determine to which bodies they can transfer personal data.
  • Input control: Companies must ensure that they can subsequently check and determine which personal data was entered or changed in automated processing systems, when and by whom.
  • Transport control: Companies must ensure that they protect the confidentiality and integrity of data when transferring personal data and when transporting data carriers.
  • Recoverability: It must be ensured that the data processing systems can be restored in the event of a fault.
  • Reliability: The data processing systems must be reliable and malfunctions must be reported.
  • Data integrity: Stored personal data must not be damaged by system malfunctions.
  • Order control: It must be ensured that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.
  • Availability control: Personal data must be protected against destruction or loss.
  • Separability: It must be possible to process personal data that is collected for different purposes separately.
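Three of the measures listed above translate directly into code: pseudonymisation (Art. 32 GDPR), input control (who entered or changed which data, and when) and storage limitation (deleting records once the retention period has run out). The following Python example is added here to show how they fit together; it is not taken from the article or from any product. The key, names, e-mail address and retention period are constructed sample values. Pseudonyms are derived with a keyed HMAC rather than a plain hash so that the pseudonymised dataset alone does not allow re-identification; the audit log is hash-chained so that later tampering with an entry is detectable.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example key. In practice this key is kept in a separate key
# store (KMS/HSM) and never stored next to the pseudonymised records.
PSEUDONYM_KEY = b"example-only-32-byte-secret-key!"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    Deterministic so records about the same person can still be linked;
    without the key the pseudonym cannot be mapped back to the identifier."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


@dataclass
class AuditEntry:
    ts: str               # when the change was made (UTC, ISO 8601)
    actor: str            # who made it (user id of the operator or job)
    record: str           # pseudonym of the affected record
    field_name: str       # which field was entered or changed
    old: Optional[str]    # previous value (None for a new field)
    new: Optional[str]    # new value (None for a deletion)
    prev_hash: str        # hash of the preceding entry (chain link)
    entry_hash: str = ""  # hash over this entry, filled in on append


def _entry_payload(e: AuditEntry) -> bytes:
    return json.dumps([e.ts, e.actor, e.record, e.field_name,
                       e.old, e.new, e.prev_hash]).encode()


class PersonalDataStore:
    """Minimal store implementing input control and storage limitation."""

    GENESIS = "0" * 64

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.records: dict = {}          # pseudonym -> {"created": dt, fields...}
        self.audit: list = []            # append-only, hash-chained

    def _append_audit(self, actor, record, field_name, old, new, now):
        prev = self.audit[-1].entry_hash if self.audit else self.GENESIS
        entry = AuditEntry(now.isoformat(), actor, record, field_name, old, new, prev)
        entry.entry_hash = hashlib.sha256(_entry_payload(entry)).hexdigest()
        self.audit.append(entry)

    def upsert(self, actor: str, email: str, field_name: str, value: str,
               now: datetime) -> str:
        """Store a field under the person's pseudonym and log who changed what."""
        pid = pseudonymise(email)
        rec = self.records.setdefault(pid, {"created": now})
        old = rec.get(field_name)
        rec[field_name] = value
        self._append_audit(actor, pid, field_name, old, value, now)
        return pid

    def verify_audit_chain(self) -> bool:
        """Input control check: every entry hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for e in self.audit:
            if e.prev_hash != prev:
                return False
            if hashlib.sha256(_entry_payload(e)).hexdigest() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def purge_expired(self, now: datetime) -> list:
        """Storage limitation: delete records older than the retention period."""
        expired = [pid for pid, r in self.records.items()
                   if now - r["created"] > self.retention]
        for pid in expired:
            del self.records[pid]
            self._append_audit("retention-job", pid, "*", "record", None, now)
        return expired


if __name__ == "__main__":
    store = PersonalDataStore(retention_days=30)
    t0 = datetime(2025, 3, 19, tzinfo=timezone.utc)
    pid = store.upsert("hr-alice", "Max.Mustermann@example.com", "salary_band", "B2", t0)
    store.upsert("hr-bob", "max.mustermann@example.com", "salary_band", "B3", t0 + timedelta(days=1))
    print("pseudonym:", pid)
    print("purged after 31 days:", store.purge_expired(t0 + timedelta(days=31)))
    print("audit chain intact:", store.verify_audit_chain())
```

The audit log stores the pseudonym, not the e-mail address, so the log itself does not become a second copy of identifying data; re-identification for a data subject access request goes through the separately protected key. The retention job writes its own audit entry, which gives the evidence of deletion that the documentation obligations described later require.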

Important: The respective management team bears overall responsibility for the implementation of these measures. If necessary, it can call in external service providers, experts and consultants. The company data protection officer is also available as a contact person.

Data protection impact assessment

Art. 35 GDPR obliges companies to carry out a so-called data protection impact assessment if they are planning a data processing procedure that is likely to pose a high risk to the rights and freedoms of data subjects. This may be the case, for example, when using new technologies or due to the nature, scope, circumstances and purposes of the data processing.

The company's data protection officer must be integrated into the data protection impact assessment.

Documentation and information obligations

Data controllers must comply with the documentation and information obligations under data protection law. They must document the technical and organisational measures taken in order to be able to prove their implementation in case of doubt.

The person whose data is being processed must be informed of the following in particular:

  • the purpose of the data processing
  • the legal basis for the processing
  • the name and contact details of the data controller, and
  • the contact details of the company data protection officer

Do you have any further questions about data protection in your company? Get in touch with us today. We will be happy to help you!