CIVAC
Data Protection & Privacy · 30 May 2026 · 12 min read

The Data Protection Regulation in the Company: From Statutory Text to Demonstrable Evidence

By Lena Vogt

The GDPR does not demand theory but evidence. Anyone who keeps the record, notification path and deed of appointment in order weathers an audit and a data breach calmly. This guide shows the operational path.

The General Data Protection Regulation (Regulation (EU) 2016/679) has applied directly in all member states since 25 May 2018 and is supplemented in Germany by the BDSG. Anyone who processes personal data owes not only legal compliance but proof of that compliance: Art. 5(2) GDPR explicitly requires accountability. Supervisory authorities have been carrying out noticeably more checks since 2024, and fines reach up to EUR 20 million or 4 percent of global annual turnover (Art. 83(5) GDPR).

This guide translates the central obligations of the data protection regulation into an operational officer setup. You will learn which articles shape day-to-day work, how the record of processing activities, the notification path and processing on behalf interact, and how to run the GDPR as a demonstrable process rather than a folder of obligations. CIVAC is a compliance platform and Officer-as-a-Service for German companies and supplies the templates that shorten this path.

Key Takeaways

  • The GDPR is an obligation to provide evidence: without a documented record, notification path and deed of appointment, the accountability required by Art. 5(2) GDPR is missing.
  • Data breaches must be reported within 72 hours of becoming aware of them (Art. 33 GDPR); the notification path should be rehearsed, not improvised.
  • An external data protection officer with a deed of appointment and reporting line reduces management's liability under Section 130 OWiG.

What the Data Protection Regulation Actually Requires

The GDPR governs the processing of personal data of natural persons and bases every processing operation on a legal ground under Art. 6(1) GDPR. Six principles shape everyday work: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation and integrity. The seventh, accountability, is the decisive one. It shifts the burden of proof: it is not the authority that must prove an infringement; the company must demonstrate compliance.

From this follow four core operational obligations. First, the record of processing activities under Art. 30 GDPR with purpose, categories, recipients, erasure periods and technical and organisational measures. Second, the data processing agreements under Art. 28 GDPR for every service provider that processes data on behalf of others. Third, technical and organisational measures under Art. 32 GDPR, from the authorisation concept to encryption. Fourth, the notification obligations under Art. 33 and 34 GDPR in the event of data breaches.

To these are added data subject rights (Art. 15-22 GDPR), data protection impact assessments where there is a high risk (Art. 35 GDPR) and the appointment of a data protection officer where the conditions of Art. 37 GDPR and Section 38 BDSG are met. Anyone who appoints an external data protection officer outsources expertise and gains an independent reporting line. For breach notification under Art. 33 GDPR, the deadline runs from awareness. Anyone who improvises here loses exactly the 72 hours that the law allows.

When a Data Protection Officer Becomes Mandatory

The obligation to appoint arises from Art. 37 GDPR and Section 38 BDSG. Three groups of cases: first, public authorities and bodies; second, companies whose core activity consists of large-scale regular monitoring of data subjects; third, companies whose core activity consists of processing special categories under Art. 9 or criminal-conviction data under Art. 10. Section 38 BDSG adds the German threshold: an obligation to appoint as soon as, as a rule, at least 20 people are constantly engaged in the automated processing of personal data.

For most SMEs, Section 38 BDSG therefore applies. The appointment is made in writing, the officer reports directly to the highest management level and enjoys protection against disadvantage under Art. 38(3) GDPR. External appointment is permissible and customary, because it rules out conflicts of interest: anyone in the company with IT or HR responsibility would be checking their own processes, which Art. 38(6) GDPR prohibits.

In the event of enquiries, supervisory authorities regularly require three pieces of evidence: the deed of appointment with date and signature, the notification to the authority under Art. 37(7) GDPR and the reporting line to management. The deed of appointment must be signed, filed and demonstrable. If one of these three pieces of evidence is missing, the appointment is deemed incomplete, the fine risk under Art. 83(4) GDPR applies, and Section 130 OWiG activates management's supervisory duty.

Record of Processing Activities: The Backbone of Accountability

Art. 30 GDPR requires a record of all processing activities. Exempt are only companies with fewer than 250 employees, provided the processing is neither regular nor risky and does not concern special categories. In practice, almost every company meets the obligation, because payroll and CRM alone are already regular processing operations.

The record documents per processing operation: controller, purpose, categories of data subjects and data, recipients including third-country transfers, erasure periods and TOMs under Art. 32. It is not a marketing document but a working basis for every supervisory enquiry, every data breach and every impact assessment. Anyone who keeps the record up to date can respond to a data breach within hours, because the data subjects and the data flow are already documented.

Typical weak points are outdated entries after tool changes, missing third-country information for cloud services and unmaintained erasure periods. Since 2024 supervisory authorities have routinely required the record in electronic form. Others run compliance like a filing cabinet. We run it like software. Anyone who maintains the record in the workspace, with clear responsibilities and automatic review cycles, keeps the obligation alive all year rather than discharging it once a year.

Processing on Behalf and Third-Country Transfers

Art. 28 GDPR governs processing on behalf. Every service provider that processes personal data on instructions needs a written contract with ten minimum contents: subject matter, duration, nature and purpose, type of data, categories of data subjects, the processor's obligations, sub-processor arrangements, support obligations, return or erasure, audit rights. If the data processing agreement is missing, the processing is unlawful and subject to fines.

Typical processing-on-behalf constellations: cloud providers, payroll bureaus, IT service providers, marketing tools, dispatch service providers. Intra-group data flows between sister companies are also subject to a data processing agreement. As soon as the service provider is based outside the EEA, Chapter V GDPR applies: adequacy decision, standard contractual clauses (SCCs) in the 2021 version, or binding corporate rules. Following the Schrems II ruling (ECJ C-311/18), a transfer impact assessment that examines the legal situation in the third country is additionally mandatory.

For US transfers, since 10 July 2023 the EU-US Data Privacy Framework has served as an adequacy decision, provided the recipient is certified. Uncertified US providers still need SCCs plus a TIA. The data protection officer checks data processing agreements, documents transfers and keeps the third-country register. In the DPO mandate these checks are part of the monthly report.
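The review-cycle and third-country checks described above (stale entries, missing erasure periods, missing Art. 28 agreements, missing Chapter V basis for recipients outside the EEA) can be run as a script over the record. The following is an added example, not CIVAC's own code: the record format, the country lists and the sample entries are constructed assumptions, and the adequacy list is partial and must be checked against the Commission's current decisions before use.

```python
from datetime import date

# Assumed country lists for the example. ADEQUACY is deliberately partial:
# verify against the European Commission's current adequacy decisions.
EEA = {"DE", "FR", "NL", "AT", "IE", "IT", "ES", "NO", "IS", "LI"}
ADEQUACY = {"CH", "GB", "JP", "CA", "KR", "IL", "AR", "NZ", "UY"}


def transfer_basis_ok(recipient):
    """Chapter V check for one recipient (dict with country and basis flags)."""
    country = recipient["country"]
    if country in EEA:
        return True  # intra-EEA: no third-country transfer at all
    if country == "US" and recipient.get("dpf_certified"):
        return True  # EU-US Data Privacy Framework: adequacy for certified recipients
    if country in ADEQUACY:
        return True  # covered by an adequacy decision
    # Otherwise: SCCs in the 2021 version plus a transfer impact assessment (Schrems II)
    return recipient.get("sccs") == "2021" and bool(recipient.get("tia_done"))


def review_ropa(entries, today, max_age_days=365):
    """Return (processing name, finding) pairs for every weak point found."""
    findings = []
    for e in entries:
        name = e["name"]
        if (today - e["last_reviewed"]).days > max_age_days:
            findings.append((name, "entry not reviewed within review cycle"))
        if not e.get("erasure_period"):
            findings.append((name, "erasure period missing"))
        for r in e.get("recipients", []):
            if r.get("processor") and not r.get("dpa_signed"):
                findings.append((name, f"no Art. 28 DPA with {r['name']}"))
            if not transfer_basis_ok(r):
                findings.append((name, f"no Chapter V basis for {r['name']} ({r['country']})"))
    return findings


# Constructed sample record: three processing operations, two of them deliberately flawed.
SAMPLE_ROPA = [
    {"name": "Payroll", "last_reviewed": date(2026, 3, 1), "erasure_period": "10 years",
     "recipients": [{"name": "PayrollBureau GmbH", "country": "DE", "processor": True, "dpa_signed": True}]},
    {"name": "CRM", "last_reviewed": date(2024, 11, 15), "erasure_period": "",
     "recipients": [{"name": "CloudCRM Inc.", "country": "US", "processor": True, "dpa_signed": True,
                     "dpf_certified": False, "sccs": "2021", "tia_done": False}]},
    {"name": "Newsletter", "last_reviewed": date(2026, 1, 10), "erasure_period": "until unsubscribe",
     "recipients": [{"name": "MailTool Ltd", "country": "GB", "processor": True, "dpa_signed": False}]},
]


def sample_findings(today=date(2026, 5, 30)):
    """Run the review over the constructed sample as of the given date."""
    return review_ropa(SAMPLE_ROPA, today)


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```

Each finding maps to one of the three pieces of evidence an authority asks for after an incident, so the output doubles as the review log for the record.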

Data Breach: The 72-Hour Mechanism

Art. 33 GDPR requires the notification of every breach of the protection of personal data to the competent supervisory authority within 72 hours of becoming aware of it, where there is a risk to data subjects. Where there is a high risk, the obligation to inform the data subjects is added under Art. 34. The clock starts as soon as a responsible person becomes aware, not only after internal escalation.

A data breach is more than a hacker attack. Lost laptops, misaddressed emails, misdirected letters, phishing with data outflow, unauthorised employee access, faulty authorisations, backup loss: all fall under Art. 4(12) GDPR. The notification obligation lapses only where the breach is unlikely to result in a risk. This risk assessment is to be documented, even where there is no notification.

Operationally, three building blocks are needed: a reporting address for internal tip-offs, an escalation path with roles and deadlines, and a set of templates for the supervisory notification, data subject information and internal lessons learned. CIVAC provides a pre-configured data breach path in the workspace that follows the 72-hour cadence and prepares the supervisory notification in the formats of the state authorities. The auditor calls, the evidence is ready. Anyone who rehearses the path once a year loses no time on responsibilities during a crisis.

Technical and Organisational Measures under Art. 32

Art. 32 GDPR requires appropriate TOMs taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the likelihood and severity of the risk. Specifically, the provision names pseudonymisation, encryption, confidentiality, integrity, availability, resilience and a procedure for regular review.

In practice, TOMs mean a documented authorisation concept with roles, encryption of data at rest and in transit, patch and vulnerability management, backups with tested restoration, multi-factor authentication for privileged access and logging that detects suspicious access. Anyone running an ISO/IEC 27001:2022 ISMS largely fulfils Art. 32 automatically, because the 93 controls of Annex A cover the GDPR requirements.

Supervisory authorities assess TOMs not in the abstract but against incidents. After a data breach, the questions are: was the risk foreseeable? Were the measures appropriate? Was the concept reviewed? Anyone who documents TOMs only once at the audit and does not maintain them afterwards loses the defence. The CIVAC platform links the record, TOM documentation and audit run, so that changes automatically become visible in the evidence.

Impact Assessment and Risk-Oriented Obligations

Art. 35 GDPR requires a data protection impact assessment (DPIA) where a processing operation is likely to result in a high risk to the rights and freedoms of data subjects. The supervisory authorities publish blacklists and whitelists. Typical triggers for a DPIA: systematic monitoring, large-scale processing of special categories, automated decisions with legal effect, processing of employee data with profiling, the use of new technologies such as AI-supported selection procedures.

The DPIA documents the processing purpose, necessity, risk analysis, mitigation measures and residual risk. It is conducted by the controller; the DPO advises and reviews (Art. 35(2) GDPR). Where a high residual risk remains, the authority must be consulted in advance (Art. 36 GDPR). This consultation usually takes eight weeks, extendable by six, and noticeably delays project starts.

With the EU AI Act, additional obligations come into force from August 2026 that must be interlocked with the DPIA, particularly for high-risk AI systems in the HR context or in credit scoring. The DPIA is therefore not a one-off document but a living piece of evidence that is updated with every system or process change. CIVAC templates guide you through the DPIA structure and link it to the record of processing activities.

Fine Risk, Liability and Managing-Director Duty

The GDPR has two fine tiers. Art. 83(4) sanctions infringements of the obligations of controllers and processors, such as a missing record or inadequate TOMs, with up to EUR 10 million or 2 percent of global annual turnover. Art. 83(5) targets infringements of principles, data subject rights and transfers with up to EUR 20 million or 4 percent. The higher value is the benchmark.

Alongside this, Section 130 OWiG applies. Managing directors and board members are personally liable if they breach supervisory duties and thereby enable infringements. A missing deed of appointment, an unmaintained record or an unrehearsed notification path is enough for the accusation of a breach of supervisory duty. Personal fines reach up to EUR 1 million. To these are added civil compensation claims under Art. 82 GDPR, which courts have awarded noticeably since 2024, even for purely non-material damage (ECJ C-300/21).

Insurers respond with clear exclusions for intentional or grossly negligent GDPR infringements. Anyone operating without a deed of appointment, without a record or without documented TOMs risks not only the fine but also their insurance cover. The answer is not a filing cabinet but a platform: obligations as a workflow, evidence as data points.

Running the Data Protection Regulation as an Operation, Not Enduring It as an Obligation

The GDPR does not become simpler as it ages. Supervisory authorities are professionalising their checks, ECJ rulings are tightening points of detail, and the AI Act adds a second compliance layer. Anyone who continues to run the data protection regulation as an annual ritual falls further behind on evidence with each passing year.

CIVAC is a compliance platform and Officer-as-a-Service. In the workspace you will find the record of processing activities, the data processing agreement register, TOM documentation, the data breach path, DPIA templates and a reporting line to management. 37 ready-to-use audit templates, 25 officer roles live, EU data residency, deed of appointment and reporting line as standard. License the workspace for your internal officers, or have our officers appointed. Both paths lead to the same result: data protection that withstands an audit.

Turn reading into a mandate. Write to info@civac.de or use the contact form at civac.de. In a structured initial conversation we clarify whether a license or a mandate suits your risk, your sector and your size, and we deliver the draft appointment within two working days, instead of the two to six weeks customary in the sector.

FAQ

From when is a data protection officer mandatory under the data protection regulation?

A DPO is mandatory under Art. 37 GDPR where the core activity consists of large-scale monitoring or special data categories. In Germany, Section 38 BDSG additionally applies as soon as, as a rule, at least 20 people constantly process personal data in automated form. Public authorities appoint one regardless of thresholds.

What deadline applies to reporting a data breach?

Art. 33 GDPR requires a notification to the authority within 72 hours of becoming aware, where there is a risk to data subjects. The clock runs from the awareness of a responsible person. Where there is a high risk, data subjects must additionally be informed under Art. 34.

Is a record of processing activities in Excel sufficient?

Excel is legally permissible but operationally risky. Since 2024 supervisory authorities have required the record electronically and up to date. Excel ages quickly, versions collide, third-country information is missing. A platform with review cycles, responsibilities and a link to data processing agreements and TOMs keeps the record alive.

What fines threaten for infringements of the data protection regulation?

Art. 83 GDPR distinguishes two tiers. Formal infringements are sanctioned with up to EUR 10 million or 2 percent of group turnover, material infringements with up to EUR 20 million or 4 percent. The higher value counts. In addition, Section 130 OWiG applies to managing directors, and data subjects may claim compensation under Art. 82 GDPR.

What distinguishes an internal from an external data protection officer?

In terms of content, nothing; organisationally, a great deal. External appointment rules out conflicts of interest under Art. 38(6) GDPR, secures expertise, relieves HR and IT and provides an independent reporting line to management. External appointment is standard in Germany, especially in group structures and sensitive sectors.

How quickly can CIVAC appoint a data protection officer?

The CIVAC SLA for appointments is two working days from the signed mandate agreement, compared with two to six weeks in the classic consulting market. The deed of appointment, task description, reporting line and notification to the authority are pre-configured in the workspace.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
