Data Protection & Privacy | 20 May 2026 | 12 min read

Corporate Data Protection: Obligations, Structures and Documentation

By Lena Vogt

Corporate data protection encompasses far more than a privacy policy on a website. Controllers must maintain records, meet deadlines and train employees — in an audit-ready and documented manner.

The structure of corporate data protection has been legally fixed since 25 May 2018 by the GDPR (Regulation (EU) 2016/679) and the BDSG 2018. The accountability principle under Art. 5(2) GDPR places the burden of demonstrating compliance on the controller: it is not the supervisory authority that must prove violations; the organisation must be able to show, with evidence, that it complies. An organisation that maintains no documentation is structurally at a disadvantage in any audit, because under Art. 5(2) the absence of evidence is itself a finding.

This article describes which operational data protection obligations apply to organisations of what size, what documentation constitutes the minimum standard, how employee training can be organised in a legally compliant manner, and when an external Data Protection Officer is the more effective solution compared to an internal appointment.

Key Takeaways

  • The accountability principle under Art. 5(2) GDPR reverses the burden of proof: the organisation must demonstrate compliance, not the authority prove violations.
  • Employee data protection training is not optional, but part of the organisational measures required under Art. 32 GDPR and should be repeated annually with documentation.
  • An external DPO is explicitly permitted under Art. 37(6) GDPR and provides structural independence that an internal employee in a conflicted role cannot always maintain.

Core Obligations: What Every Organisation Must Address

Regardless of size and industry, every controller under the GDPR has six minimum operational obligations. First: maintaining records of processing activities (RoPA) under Art. 30 GDPR. Second: implementing technical and organisational measures (TOMs) under Art. 32 GDPR. Third: concluding data processing agreements (DPAs) under Art. 28 GDPR with every service provider that processes personal data on behalf of the organisation. Fourth: informing data subjects under Art. 13 and 14 GDPR. Fifth: responding to data subject requests within one month under Art. 12(3) GDPR (extendable by two further months for complex or numerous requests, provided the data subject is told why within the first month). Sixth: notifying personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours under Art. 33 GDPR, unless the breach is unlikely to result in a risk to data subjects; the decision not to notify must itself be documented under Art. 33(5).

Additional sector-specific requirements apply: healthcare organisations process special categories of data under Art. 9 GDPR and, in addition to a lawful basis under Art. 6, need one of the exceptions in Art. 9(2) GDPR. Financial service providers are additionally bound by sector-specific confidentiality obligations such as banking secrecy and supervisory requirements on top of the GDPR and BDSG. Employers must observe § 26 BDSG for data processing in employment relationships.

The most common gap in SMEs is the absence of documented compliance structures — not the absence of good intentions, but the absence of verifiable evidence.

Data Protection and Employees: Training Obligations

The GDPR does not prescribe a specific training frequency. Art. 32(4) requires the controller to ensure that any person acting under its authority who has access to personal data processes it only on the controller's instructions; in practice that can only be ensured if those employees know what the instructions are, which makes training an organisational measure under Art. 32. Additionally, Art. 39(1)(b) GDPR makes awareness-raising and training of staff involved in processing operations an explicit task of the DPO.

In practice, annual data protection training has become the minimum standard recognised by supervisory authorities and certification bodies. It must be documented: completion date, participants, content and the qualification of the trainer. Online training with automatic certificate generation and storage in the CIVAC workspace meets this standard and can be presented to the supervisory authority on request.

Training content should cover at minimum: GDPR principles, lawful bases, handling data subject requests, data breach recognition and internal reporting chains. For high-risk roles (IT, HR, sales), additional module-level deepening is recommended.

Privacy Policy: Mandatory Content and Currency

The privacy policy on the website is the primary fulfilment of the transparency obligation under Art. 13 GDPR towards website visitors. Mandatory content includes: identity and contact details of the controller; contact details of the DPO; purposes and legal bases of each processing activity; where applicable, legitimate interests under Art. 6(1)(f); recipients or categories of recipients; transfers to third countries; retention periods; data subject rights; right of withdrawal for consent-based processing; right to lodge a complaint with a supervisory authority; and whether the provision of personal data is a statutory or contractual requirement.

A privacy policy that was correct at the time of publication may become non-compliant within months — for example, when new cookies are added, a US service provider is integrated or a new legitimate-interest basis is applied without being documented in the policy.

Data Processing and International Transfers

Every external service provider that processes personal data on behalf of the organisation requires a DPA under Art. 28 GDPR. This applies equally to cloud storage, email providers, HR software, payroll services, web hosting and analytics tools. The DPA is non-negotiable — if it is missing, a violation exists regardless of whether the underlying processing is itself lawful.

For transfers to countries outside the EEA for which the EU Commission has not issued an adequacy decision, additional safeguards are required under Art. 46 GDPR — in particular standard contractual clauses (SCCs) or binding corporate rules. Since the EU-US Data Privacy Framework (July 2023), US providers certified under the framework may be used without additional SCCs under Art. 45 GDPR, provided the certification is current and documented.

Data Protection Impact Assessment (DPIA): When It Is Mandatory

Art. 35 GDPR requires the controller to carry out a data protection impact assessment (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. Supervisory authorities have published must-do lists (under Art. 35(4) GDPR) specifying which types of processing always require a DPIA. In Germany, these include: systematic and large-scale processing of health data; video surveillance of public spaces; systematic monitoring of employees; and the use of new technologies in high-risk contexts.

A DPIA must document the processing activities, assess necessity and proportionality, identify risks and describe risk mitigation measures. Where residual risk remains high despite mitigating measures, the supervisory authority must be consulted prior to processing under Art. 36 GDPR.

Data Breaches: Detection, Escalation, Notification

A structured data breach process consists of three phases: detection, internal escalation and external notification. Detection requires that employees know what a data breach is — not just hacking attacks, but also emails accidentally sent to the wrong recipient, lost unencrypted USB drives or the loss of an unprotected laptop. Each of these events may be notifiable.

Internal escalation must be swift: the DPO or the data protection coordinator must be informed within hours so that the 72-hour deadline under Art. 33 GDPR can be met. External notification to the supervisory authority must be made without undue delay. Where there is a high risk to data subjects, they must additionally be notified directly under Art. 34 GDPR. Every decision — whether to notify or not — must be documented.

Data Protection for Employees and in Employment Relationships

§ 26 BDSG governs data processing in employment relationships. Accordingly, employee data may be processed where this is necessary for the performance of the employment relationship. Consent in an employment relationship is possible, but must be examined carefully for voluntariness given the power imbalance — supervisory authorities apply a strict standard here.

Works council and co-determination: where an employer introduces technical facilities capable of monitoring employee behaviour or performance, the works council has a co-determination right under § 87(1)(6) BetrVG. Data protection and labour co-determination must be coordinated before introducing monitoring systems, time-recording tools or productivity software.

Data Protection Management: Internal vs. External Officer Structure

Organisations have two structural options for data protection management: an internal DPO as an employee alongside another function, or an external DPO engaged on a service contract basis under Art. 37(6) GDPR. Both models have specific strengths and risks.

The internal DPO knows the organisation well, is directly available for day-to-day enquiries from colleagues and requires no separate remuneration. Risks include: role conflicts when the same person also holds operational IT or HR responsibilities (Art. 38(6) GDPR prohibits conflicts of interest); lack of up-to-date expertise in rapidly developing regulatory areas; and the difficulty of advising management independently when there is a hierarchical relationship. The external DPO brings structural independence: no employment relationship dependency, no role conflicts with operational functions, and specialised compliance expertise built across multiple client organisations.

Next Steps: Data Protection Structure for SMEs

Effective data protection management begins with a stocktake: what processing activities exist? Which third-party service providers are in use? Is a DPO appointment mandatory? Are current DPAs in place? Is there a data breach process? These five questions identify the most significant gaps and prioritise the measures needed.

Others manage compliance like a filing cabinet. CIVAC manages it like software: all documentation obligations, deadlines, training records and audit evidence are maintained in a single platform workspace — not in scattered folders. The next supervisory inquiry finds a structured response ready, not a search for documents.

CIVAC offers the DPO workspace for internal officers and the external DPO service for organisations that need a ready-to-go appointment within two working days. Both models use the same platform and the same audit trail. info@civac.de.

FAQ

What are the most important data protection obligations for SMEs?

Every organisation must maintain records of processing activities (Art. 30 GDPR), implement TOMs (Art. 32 GDPR), conclude DPAs with service providers (Art. 28 GDPR) and respond to data subject requests within one month (Art. 12(3) GDPR).

How often must employees be trained on data protection?

At least annually, and on an ad-hoc basis whenever processing changes materially: new service providers or tools, new roles with access to personal data, legislative changes or new guidelines from the European Data Protection Board. Each session should be documented with date, participants, content and trainer so that it can be produced on request.

Do internal employee data also fall under information obligations?

Yes, employee data are also subject to the information obligation under Art. 13 GDPR in conjunction with § 26 BDSG. In practice, this obligation is fulfilled through a separate employee data protection notice, not through the public website privacy policy.

What are the consequences of an incomplete privacy policy?

Incomplete privacy policies are infringements of the transparency principle under Art. 5(1)(a) GDPR and of the information obligations under Art. 13 and 14 GDPR. Both fall into the upper fine tier of Art. 83(5) GDPR: up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, with the factors in Art. 83(2) determining the actual amount. In Germany, there is also a risk of cease-and-desist letters (Abmahnungen) from competitors under the UWG.

Must a privacy policy also be present on a purely informational B2B website?

Yes. Even where only contact forms or web analytics are used, personal data is being processed. The transparency obligations under Art. 13 GDPR apply regardless of whether the website has a transactional or purely informational character.

What must be stated in a privacy policy when US services such as Google Analytics are used?

Since the EU-US Data Privacy Framework (July 2023), Google LLC can be listed as a recipient certified under the framework, so that the transfer rests on the adequacy decision under Art. 45 GDPR; the certification status should be checked and the check documented. The policy must state the service, the purpose, the legal basis (consent under Art. 6(1)(a) GDPR for the processing, and § 25 TDDDG for storing or reading cookies and similar identifiers on the user's device), the recipient and the link to Google's privacy policy.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
