77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
General Data Protection Regulation: What Companies Must Concretely Implement in 2026
Data Protection & Privacy

General Data Protection Regulation: What Companies Must Concretely Implement in 2026

27 May 202612 min readBy Lena Vogt
CIVAC

The General Data Protection Regulation (GDPR) has been directly applicable EU law since May 2018. What obligations this concretely creates for mid-sized companies, what fines are at risk, and how a Data Protection Officer ensures implementation — explained concisely and practically.

The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) has applied directly in all EU Member States since 25 May 2018 — without any national implementing act. It creates a uniform data protection framework for approximately 450 million people and obliges every organisation that processes personal data of EU citizens to comply with its principles. Fines of up to EUR 20 million or 4 per cent of total worldwide annual turnover are possible (Art. 83(5) GDPR).

Despite this, inspections by data protection supervisory authorities show that many mid-sized companies have not fully or even partially fulfilled core obligations — the records of processing activities, data protection impact assessments, and data processing agreements. This article sets out the seven fundamental principles of the GDPR, identifies the operational obligations that are most commonly deficient, and explains when the appointment of a Data Protection Officer (DPO) becomes mandatory.

Key Takeaways

  • The GDPR establishes seven principles under Art. 5, compliance with which the controller must be able to demonstrate at any time — accountability is not a soft principle but a documentation obligation.
  • Fines under Art. 83 GDPR can amount to up to EUR 20 million or 4 per cent of annual turnover; German supervisory authorities have imposed several multi-million-euro penalties between 2023 and 2025.
  • Under § 38 BDSG, the obligation to appoint a DPO — internally or externally — arises from 20 persons regularly engaged in data processing.

The Seven Principles Under Art. 5 GDPR

Art. 5 GDPR sets out seven principles that apply to every processing of personal data. They form the normative foundation on which all further obligations are built.

Lawfulness, fairness, and transparency: Every processing activity requires a legal basis — either consent (Art. 6(1)(a)), performance of a contract (Art. 6(1)(b)), compliance with a legal obligation (Art. 6(1)(c)), protection of vital interests (Art. 6(1)(d)), public interest (Art. 6(1)(e)), or legitimate interests (Art. 6(1)(f)). In the absence of a legal basis, the processing is unlawful.

Purpose limitation: Data may only be collected for specified, explicit, and legitimate purposes and may not be further processed in a manner incompatible with those purposes (Art. 5(1)(b)). A subsequent change of purpose is only permissible under strict conditions.

Data minimisation: Only the data necessary for the processing purpose may be collected. Many organisations violate this principle through excessive data collection in recruitment procedures or customer contact forms.

Accuracy, storage limitation, integrity, and confidentiality: Data must be factually accurate and kept up to date; outdated data must be erased or rectified. Retention periods must be established and adhered to. Technical and organisational measures (TOMs) safeguard integrity and confidentiality.

Accountability: The controller must be able to demonstrate compliance with all principles (Art. 5(2)). This is the foundation of the entire GDPR documentation regime. An external Data Protection Officer supports the systematic implementation of this accountability obligation.

Records of Processing Activities: Obligation and Minimum Content

Art. 30 GDPR obliges every controller — irrespective of the size of the organisation, provided that processing is not merely occasional — to maintain records of processing activities (RoPA). Organisations with fewer than 250 employees are only exempt if their processing is unlikely to result in a risk to the rights and freedoms of data subjects and does not involve special categories of data (Art. 9 GDPR) — an exception that rarely applies in practice.

Under Art. 30(1) GDPR, the RoPA must contain, for each processing activity: the name and contact details of the controller and, where applicable, the DPO; the purpose of processing; the categories of data subjects and data; recipients; third-country transfers including safeguards; retention periods; and a description of technical and organisational security measures.

Practical experience from inspections shows that the RoPA is frequently out of date (new software systems have not been entered), incomplete (processors are missing), or inconsistent with actual retention periods. Supervisory authorities regularly request the RoPA as the first document when handling complaints or announcing inspections. In the CIVAC workspace, the RoPA is maintained as an ongoing project with versioning, a change log, and annual review reminders.

Data Processing Under Art. 28 GDPR: Contractual Obligations with Service Providers

As soon as a company has personal data processed by an external service provider — payroll, cloud hosting, email marketing, IT support with system access — a data processing agreement (DPA) must be concluded under Art. 28 GDPR. The DPA is not a formality: it establishes the legal basis on which the processor is authorised to act and sets out its obligations towards the controller.

The minimum content of a DPA under Art. 28(3) GDPR includes: the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; the processor's obligation to act on documented instructions; a duty of confidentiality; technical and organisational measures (reference to Art. 32 GDPR); provisions on sub-processing; obligations to assist with data subject requests and breach notifications; return or deletion of data after contract termination; and audit rights of the controller.

Many mid-sized companies use cloud services from US providers (Microsoft 365, Google Workspace, Salesforce) without checking whether the DPA meets GDPR requirements and whether third-country transfers are safeguarded by standard contractual clauses (SCCs) under Art. 46 GDPR. Missing or substantively deficient DPAs are one of the most frequent triggers for regulatory fines in supervisory authority inspections.

Data Subject Rights: Access, Erasure, Objection — Deadlines and Processes

The GDPR grants data subjects extensive rights, the exercise of which the controller must respond to within strict time limits. Art. 12(3) GDPR prescribes a time limit of one month, which may be extended by a further two months in justified cases — however, the data subject must be informed of the extension within the first month.

The most relevant rights in day-to-day business are: the right of access (Art. 15 GDPR) — a complete copy of the processed data and information on the purpose, recipients, and storage duration; the right to rectification (Art. 16); the right to erasure/right to be forgotten (Art. 17) — to the extent no retention obligations under tax or commercial law apply; the right to restriction of processing (Art. 18); the right to data portability (Art. 20) — for machine-processed data based on consent or contract; and the right to object (Art. 21) — in particular against direct marketing, which takes immediate effect.

Without a clear internal process, requests can disappear in the inbox or be answered too late. This does not automatically trigger a fine, but it does lead to complaints by data subjects to the supervisory authority. In the CIVAC workspace, the task module registers incoming data subject requests and manages deadline monitoring automatically.

Data Protection Impact Assessment (DPIA) Under Art. 35 GDPR

A Data Protection Impact Assessment (DPIA) is required under Art. 35(1) GDPR where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. Art. 35(3) provides illustrative examples: systematic, extensive evaluation of personal aspects (profiling), large-scale processing of special categories of data (Art. 9), and systematic monitoring of publicly accessible areas.

The German Data Protection Conference (DSK) has published lists of processing activities for which a DPIA is always required. These include: the use of biometric recognition systems, scoring procedures for creditworthiness assessments, extensive video surveillance, and the use of AI systems for decision-making about individuals. With the entry into force of the EU AI Act (obligations for high-risk AI from August 2026), the scenarios requiring a DPIA are set to expand considerably further.

A DPIA must contain, pursuant to Art. 35(7) GDPR: a systematic description of the envisaged processing operations; an assessment of the necessity and proportionality; an assessment of the risks to data subjects; and the envisaged measures to address the risks. In the CIVAC workspace, the DPIA is pre-configured as a project type with five core steps (scope, uploads, queries, risks, report) and documented in a tamper-proof manner.

Breach Notification Obligation: The 72-Hour Time Limit Under Art. 33 GDPR

Art. 33 GDPR obliges the controller to notify a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it — provided the breach is likely to result in a risk to the rights and freedoms of natural persons. The time limit runs from the point of awareness, not from the time of the breach. Internal escalation pathways must be designed so that the responsible management body is informed without undue delay.

The content of the notification under Art. 33(3) GDPR: a description of the breach (nature, categories, and approximate number of data subjects and records affected), the name and contact details of the DPO, the likely consequences of the breach, and the measures taken or proposed to address it. If complete information is not yet available at the time of the initial notification, it may be provided in stages — the 72-hour limit applies to the initial notification.

Where there is a high risk to data subjects, notification of those individuals is additionally required under Art. 34 GDPR — without undue delay. The combination of authority notification and data subject notification within tight deadlines can scarcely be reliably managed without a clear incident response protocol. The Data Protection Officer plays the central coordinating role in this process.

When Is a Data Protection Officer Mandatory?

Art. 37 GDPR in conjunction with § 38 Federal Data Protection Act (BDSG) establishes the obligation to appoint a DPO in German organisations in three scenarios: first, where the core activities of the organisation consist of the regular and systematic monitoring of data subjects on a large scale; second, where the core activities consist of large-scale processing of special categories of data (Art. 9) or data relating to criminal convictions; and third — the threshold most relevant for mid-sized German companies — under § 38(1) BDSG, where at least 20 persons are permanently engaged in the automated processing of personal data.

The figure of 20 persons refers not to the total workforce but to those who regularly handle data processing — sales staff with CRM access, HR personnel managing employee records, IT administrators. In mid-sized companies with around 50 or more employees, this threshold is almost always exceeded.

The DPO may be appointed internally or engaged externally. An external DPO under Art. 37(6) GDPR acts on the basis of a service contract, must demonstrate the necessary professional expertise (Art. 37(5)), and is functionally independent (Art. 38(3)). An external DPO is often more cost-effective than an internal position — and brings cross-sector experience.

Technical and Organisational Measures (TOMs) Under Art. 32 GDPR

Art. 32 GDPR obliges controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The provision gives the following examples: pseudonymisation and encryption; ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access to personal data following a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of TOMs.

In practice, TOMs are frequently documented once and then never reviewed again. Changes to IT infrastructure (new cloud services, remote working arrangements, new devices) introduce new risks that may not be covered by the original TOMs. Supervisory authorities therefore expect a regular risk assessment and adjustment of TOMs, not merely a static piece of documentation.

Particularly relevant for mid-sized companies: access management (who has access to which systems), encryption of laptops and mobile devices, a backup concept including restoration testing, and training of employees in data protection and information security. The latter overlaps with the training obligations under § 38 BDSG and can be represented in the CIVAC workspace as a mandatory online training course with a final test and certificate.

Turn Reading into Action: Structure GDPR Compliance with CIVAC

The GDPR has been in force for eight years, yet structural gaps — missing RoPA, incomplete DPAs, no incident response process — are still the rule in many mid-sized companies. Supervisory authorities examine these issues systematically and impose fines not only following major data breaches but also where documented shortcomings are established.

CIVAC addresses precisely these gaps: the compliance platform and Officer-as-a-Service model offers a complete toolkit for the DPO function — from the guided RoPA through pre-configured DPIA projects to the incident response workflow with automatic deadline management. Licence the workspace for your internal DPO — or have our certified Data Protection Officers take on the function externally.

Audit-proof, documented, GDPR-compliant. The inspector calls — the evidence is ready. Write to us at info@civac.de or use the contact form at civac.de.

FAQ

Does the GDPR apply to small companies with fewer than 250 employees?

Yes. The GDPR applies to every organisation that processes personal data, regardless of size. Only the records of processing activities under Art. 30 GDPR provides a limited exception for organisations with fewer than 250 employees — but this applies only where no special categories of data are processed and the processing presents no risk, which is rarely the case in practice.

What is the maximum fine under the GDPR?

Art. 83(5) GDPR provides for fines of up to EUR 20 million or 4 per cent of total worldwide annual turnover for serious infringements — whichever is higher. For less serious infringements under Art. 83(4), the framework is up to EUR 10 million or 2 per cent of annual turnover.

When must a Data Protection Officer be appointed under the GDPR and the Federal Data Protection Act (BDSG)?

Under § 38(1) BDSG, the obligation arises when at least 20 persons are permanently engaged in automated data processing. Irrespective of this number, the obligation arises under Art. 37 GDPR where the core activities of the organisation consist of large-scale processing of special categories of data or involve the systematic monitoring of individuals.

What must be reported within 72 hours in the event of a data breach?

The following must be reported: the nature of the breach, the categories and approximate number of individuals and records affected, the contact details of the DPO, the likely consequences, and the measures taken to address the breach. If complete information is not yet available, an initial notification with the information available is permissible; missing details may be submitted subsequently.

What legal bases for data processing does the GDPR recognise?

Art. 6(1) GDPR provides six legal bases: consent (Art. 6(1)(a)), performance of a contract (Art. 6(1)(b)), compliance with a legal obligation (Art. 6(1)(c)), protection of vital interests (Art. 6(1)(d)), public interest (Art. 6(1)(e)), and legitimate interests of the controller (Art. 6(1)(f)). In the employment context, § 26 BDSG supplements these bases for the processing of employee data.

Must a data processing agreement (DPA) be concluded for every cloud service?

Yes, provided that the cloud service processes personal data on behalf of the organisation — such as email services, CRM systems, payroll software, or collaboration platforms. Art. 28(3) GDPR requires written form (or electronic form). If the DPA is missing, the entire data processing by the service provider lacks a legal basis.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles