GDPR: Obligations, Deadlines and Fine Risks for Companies – An Overview
The GDPR has applied directly in all EU member states since 25 May 2018. Those who know their obligations, meet deadlines and maintain complete documentation significantly reduce the risk of fines and reputational damage.
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) has been directly applicable law throughout the European Union since 25 May 2018. It requires every organisation that processes personal data to implement specific organisational, technical and documentary measures — regardless of industry or company size. For German organisations, the Federal Data Protection Act (BDSG) supplements the Regulation in areas such as employee data protection and the obligation to appoint a Data Protection Officer.
This article provides management and compliance officers with a structured overview of the most important obligations: appointment thresholds, notification deadlines, documentation requirements and the fine framework. It also shows which operational structures strengthen an organisation's audit-readiness in the long term.
Key Takeaways
- The 72-hour deadline for reporting data breaches under Art. 33 GDPR begins from the moment of awareness — not from the time of the incident.
- The obligation to appoint a Data Protection Officer applies, as a rule, once at least 20 people are constantly engaged in the automated processing of personal data (§ 38(1) BDSG); Art. 37 GDPR and § 38(1) sentence 2 BDSG add triggers that apply regardless of headcount.
- Fines under Art. 83 GDPR can reach up to €20 million or 4% of global annual turnover — whichever is higher.
Scope: Who Is Bound by the GDPR
Art. 2 GDPR defines the material scope broadly: any wholly or partly automated processing of personal data, as well as non-automated processing of personal data that forms part of a filing system or is intended to do so, falls within its regulatory framework. Personal data is defined under Art. 4(1) GDPR as any information relating to an identified or identifiable natural person — including names, email addresses, IP addresses, customer numbers or salary information.
The territorial scope under Art. 3 GDPR covers not only controllers established in the EU, but also organisations outside the EU that offer goods or services to EU data subjects or monitor their behaviour (the marketplace principle). For German SMEs, this means: anyone who processes customer data, maintains employee data in HR systems or tracks website visitors is subject to GDPR.
Exceptions apply to purely personal or household activities (Art. 2(2)(c) GDPR) and to processing by competent authorities for law-enforcement and public-security purposes (Art. 2(2)(d) GDPR), which is governed by separate rules. For virtually all business contexts, these exceptions do not apply. Organisations that have not yet systematically assessed their exposure should do so before the next supervisory inquiry or data breach, since once either occurs the statutory deadlines run regardless of how well prepared the organisation is.
A structured assessment of the scope of application is the first step in any GDPR compliance strategy. It forms the foundation for the records of processing activities under Art. 30 GDPR and for the data protection impact assessment under Art. 35 GDPR.
Legal Bases: Processing Only with a Lawful Basis
The GDPR is built on a prohibition subject to permission (Verbot mit Erlaubnisvorbehalt): any processing of personal data is prohibited unless one of the six lawful bases exhaustively listed in Art. 6(1) GDPR applies. For companies, four of them are of particular practical relevance:
- Art. 6(1)(a) GDPR: Consent of the data subject — freely given, specific, informed and unambiguous.
- Art. 6(1)(b) GDPR: Performance of a contract or pre-contractual measures at the request of the data subject.
- Art. 6(1)(c) GDPR: Compliance with a legal obligation to which the controller is subject (e.g. statutory retention obligations under § 147 AO).
- Art. 6(1)(f) GDPR: Legitimate interests of the controller or a third party, provided they are not overridden by the interests of the data subject.
For special categories of personal data (health data, genetic data, biometric data, data revealing ethnic origin, etc.), the stricter regime of Art. 9 GDPR applies. Processing of these categories requires one of the explicitly listed exceptions, such as explicit consent (Art. 9(2)(a)) or necessity for employment law purposes (Art. 9(2)(b)).
An incorrect legal basis not only gives rise to fine risks under Art. 83 GDPR, but also enables data subjects to claim erasure and damages under Art. 17 and Art. 82 GDPR. The choice of the correct legal basis must therefore be made and documented before processing begins.
Records of Processing Activities under Art. 30 GDPR: Content and Obligation
Art. 30 GDPR requires controllers (Art. 30(1)) and processors (Art. 30(2)) to maintain records of their processing activities. The records must be in writing, including electronic form, and must be made available to the supervisory authority on request. The exemption for organisations with fewer than 250 employees (Art. 30(5)) applies only where the processing is unlikely to result in a risk to data subjects' rights and freedoms, is only occasional, and involves neither special categories under Art. 9 GDPR nor data relating to criminal convictions under Art. 10 GDPR. Since the regular processing of customer or employee data already fails the "occasional" test, the exemption rarely applies in practice.
In terms of content, Art. 30(1) GDPR requires, among other things:
- Name and contact details of the controller and, where applicable, the Data Protection Officer
- Purposes of the processing
- Categories of data subjects and personal data
- Categories of recipients, including recipients in third countries
- Where possible, the envisaged time limits for erasure of the different categories of data
- Where possible, a general description of the technical and organisational measures (TOMs) under Art. 32(1) GDPR
The records of processing activities are not a one-off project, but a living document. Every new processing activity — a new CRM system, a new HR tool, a new marketing pixel — must be recorded. In the task list of the Data Protection Officer, the ongoing maintenance of the records is one of the central routine duties. Without up-to-date records, a structured response to a supervisory inquiry is not possible.
Data Breaches: The 72-Hour Rule under Art. 33 GDPR
Art. 33 GDPR requires every controller to notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The deadline does not begin at the moment of the incident, but at the moment the controller has a reasonable degree of certainty that a security incident has compromised personal data; the clock starts ticking from the moment of awareness. A notification made after 72 hours must be accompanied by the reasons for the delay (Art. 33(1)), and information that is not yet available may be supplied in phases (Art. 33(4)), so an incomplete picture is no reason to wait. Processors must notify the controller without undue delay after becoming aware of a breach (Art. 33(2)); the DPA should therefore fix a concrete internal reporting window that leaves the controller enough of the 72 hours to act.
Notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33(1)). Examples include unauthorised access to customer data, accidental disclosure of personnel data or the loss of an unencrypted laptop containing customer records. The notification must contain at least:
- The nature of the breach, including the categories of data affected and the approximate number of data subjects and of data records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
- Name and contact details of the Data Protection Officer or another contact point from which more information can be obtained
Where the breach is likely to result in a high risk to data subjects, Art. 34 GDPR additionally requires the controller to communicate the breach to the data subjects themselves without undue delay. This communication is not required where the affected data were rendered unintelligible to unauthorised persons, for example by state-of-the-art encryption whose key was not compromised (Art. 34(3)(a)): the unencrypted laptop above triggers it, a properly encrypted one generally does not, which is why disk encryption belongs in the TOMs and not only in the IT policy. Every breach, including those assessed as not notifiable, must be documented internally with its facts, effects and remedial action (Art. 33(5)), and that documentation must be made available to the supervisory authority on request. A well-rehearsed incident response process that structures detection, assessment, notification and documentation within 72 hours is therefore not a nice-to-have, but a legal obligation.
Data Subject Rights: Access, Erasure, Objection
The GDPR grants data subjects a comprehensive portfolio of rights that organisations must operationally implement. The most important rights in day-to-day business are:
- Right of access (Art. 15 GDPR): Data subjects may at any time request confirmation of whether data relating to them are being processed and, if so, a copy of the data together with the purposes, the recipients, the envisaged retention period and the source. Deadline under Art. 12(3) GDPR: without undue delay and in any event within one month of receipt; for complex or numerous requests this may be extended by two further months, provided the data subject is informed of the extension and its reasons within the first month.
- Right to rectification (Art. 16 GDPR): Inaccurate data must be corrected without undue delay.
- Right to erasure (Art. 17 GDPR): Under certain conditions, data subjects may request the erasure of their data, e.g. where consent is withdrawn or the purpose ceases to apply.
- Right to object (Art. 21 GDPR): Data subjects may object, on grounds relating to their particular situation, to processing based on legitimate interests or public interest; the controller must then stop unless it demonstrates compelling legitimate grounds that override the interests of the data subject. Objections to direct marketing are absolute and must always be honoured (Art. 21(2) and (3)).
- Right to data portability (Art. 20 GDPR): For automated processing based on consent or contract, data subjects may request their data in a structured, commonly used and machine-readable format and have them transmitted to another controller.
Organisations without structured processes for handling data subject requests risk violations through missed deadlines alone. Clearly assigned internal responsibility, typically coordinated by the Data Protection Officer, and a documented handling process are mandatory in practice; that process must include verifying the requester's identity before anything is disclosed (Art. 12(6)), because an access request answered to the wrong person is itself a data breach. A refusal must be reasoned, must inform the data subject of the possibility of lodging a complaint with the supervisory authority (Art. 12(4)), and may be reviewed by that authority.
Data Processing Agreements under Art. 28 GDPR: Contract and Control
Any organisation that has personal data processed by a service provider — cloud provider, payroll processor, CRM host, email marketing platform — is commissioning data processing within the meaning of Art. 28 GDPR. The controller remains legally responsible for the processing; the processor processes exclusively on documented instructions.
Art. 28(3) GDPR requires a contract in writing, including electronic form (the data processing agreement, DPA), that stipulates at least the following:
- Subject matter, duration and nature of the processing
- Purpose of the processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Engagement of sub-processors only with the controller's prior specific or general written authorisation, with the same data protection obligations passed down (Art. 28(2) and (4))
- Obligation to assist with data subject requests and with data breach handling, including notifying the controller of any breach without undue delay (Art. 28(3)(e) and (f), Art. 33(2))
- Deletion or return of all personal data after completion of the services, unless retention is required by law (Art. 28(3)(g))
Oversight of the processor does not end with the signing of the DPA. Art. 28(3)(h) GDPR requires the processor to make available all information necessary to demonstrate compliance and to allow for and contribute to audits, including inspections, conducted by the controller or an auditor it mandates. In practice, certifications and attestation reports (ISO/IEC 27001:2022, SOC 2) are frequently accepted as evidence, but they do not replace the controller's own verification: the certificate's scope, the report's covered period and any listed exceptions must actually match the service and the data being processed. Missing or incomplete DPAs are among the most common findings in supervisory authority inspections.
Technical and Organisational Measures (TOMs) under Art. 32 GDPR
Art. 32(1) GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The provision names as examples pseudonymisation and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
The risk-based approach is decisive: the TOMs must reflect the state of the art, take into account the costs of implementation, and be calibrated to the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risks. Specific measures regularly required in practice include:
- Access controls (identity and authorisation management, least-privilege principle)
- Encryption of data at rest and in transit; the GDPR names no algorithm, so the concrete choice (for example AES-256 and TLS 1.3) and the key management around it should be documented as part of the TOMs
- Logging of access to sensitive data categories, with logs protected against tampering and retained only as long as needed
- Backup and recovery processes
- Security training for employees
- Process for detecting and responding to security incidents
TOMs are not a one-off result; Art. 32(1)(d) GDPR requires that they be reviewed, tested and updated regularly. Alignment with the Information Security Officer and an ISMS based on ISO/IEC 27001:2022 creates the structural conditions for TOMs to be not only introduced but maintained in the long term. Under the accountability principle of Art. 5(2) GDPR, being documented and audit-ready is not a bonus but a requirement.
Sanctions: Fine Framework and Regulatory Powers
Art. 83 GDPR provides for a two-tier fine framework. Violations of the basic principles of processing including the lawful bases (Art. 5, 6, 7 and 9), of data subject rights (Art. 12 to 22), of the rules on transfers to third countries (Art. 44 to 49) and of orders issued by a supervisory authority may be sanctioned under Art. 83(5) and (6) GDPR with fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Violations of the obligations of controllers and processors under Art. 25 to 39 fall under Art. 83(4) GDPR with a framework of up to €10 million or 2% of that turnover, again whichever is higher; this lower tier covers missing data processing agreements (Art. 28), missing records (Art. 30), inadequate security measures (Art. 32), late or omitted breach notification (Art. 33 and 34), missing impact assessments (Art. 35) and failure to appoint or involve a DPO (Art. 37 to 39).
In addition to fines, supervisory authorities may take further measures under Art. 58 GDPR: warnings, reprimands, temporary or permanent bans on processing, and orders to erase data. Data subjects may additionally claim civil damages under Art. 82 GDPR — both material and non-material harm.
German data protection supervisory authorities — the Federal Commissioner for Data Protection and Freedom of Information (BfDI) at federal level, and the state data protection authorities at federal state (Länder) level — have noticeably tightened their enforcement practice in recent years. The GDPR fine databases maintained by noyb and other organisations document multiple million-euro fines against SMEs across various sectors. The question is not whether a supervisory authority will take action, but when — and whether your documentation will hold up.
Structuring GDPR Compliance: Officer, Workspace and CIVAC
GDPR compliance is not a one-time project, but an ongoing organisational obligation. It encompasses the continuous maintenance of records of processing activities, the timely handling of data subject requests, the conduct of data protection impact assessments under Art. 35 GDPR, regular training sessions and responding to data breaches within 72 hours.
This requires that a Data Protection Officer is not only formally appointed, but equipped with the right tools. Others manage compliance like a filing cabinet. CIVAC manages it like software — with a platform that brings together tasks, training, projects, documentation, queries and templates in a single auditable workspace.
CIVAC offers two models: licence the workspace for your internal officers, or have our external Data Protection Officers appointed through CIVAC. Both models share the same platform, the same audit trail and the same reporting line to management. The appointment document is signed, filed and evidenced — within two working days, not six weeks.
If you would like to implement your organisation's GDPR requirements in a structured way, speak to CIVAC. Turn this article into action: info@civac.de.
FAQ
When is a Data Protection Officer mandatory under GDPR and BDSG?
Under § 38(1) sentence 1 BDSG, the obligation to appoint a DPO arises, as a rule, as soon as at least 20 people are constantly engaged in the automated processing of personal data. Regardless of headcount, a DPO is required where the controller must carry out a data protection impact assessment under Art. 35 GDPR or processes personal data commercially for the purpose of transfer, anonymised transfer or market or opinion research (§ 38(1) sentence 2 BDSG). Art. 37(1) GDPR additionally requires a DPO for public authorities and for controllers or processors whose core activities consist of regular and systematic large-scale monitoring of data subjects or of large-scale processing of special categories under Art. 9 or criminal conviction data under Art. 10 GDPR.
How high are the fines for GDPR violations?
Art. 83 GDPR provides for two tiers of fines depending on the severity of the violation: up to €10 million or 2% of global annual turnover for administrative violations, and up to €20 million or 4% for violations of core principles or data subject rights. The higher amount applies in each case.
What are records of processing activities and who must maintain them?
Art. 30 GDPR requires every controller and, under Art. 30(2), every processor to maintain records of their processing activities. These document purposes, categories of data subjects and data, recipients, envisaged retention periods and a general description of the technical and organisational measures. The exemption for organisations with fewer than 250 employees applies only where processing is unlikely to result in a risk, is only occasional and involves neither special categories nor criminal conviction data, which is rarely the case in practice.
Within what timeframe must a data breach be reported?
Art. 33 GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where there is a high risk to data subjects, they must also be informed directly without undue delay under Art. 34 GDPR. Even a decision not to notify must be documented.
Does the GDPR apply to small businesses?
Yes. The GDPR applies in principle to any organisation that processes personal data, regardless of its size. The only exception of practical relevance to businesses is for purely personal or household activities under Art. 2(2)(c) GDPR, which a company cannot invoke. Most small businesses that handle customer, employee or website data fall fully within its scope; what scales with size is only the Art. 30(5) records exemption and the headcount threshold for appointing a DPO, not the substantive obligations.
What must companies consider when engaging service providers?
Where personal data are processed by third parties (cloud services, CRM providers, payroll processors), Art. 28 GDPR requires a data processing agreement (DPA) in writing or electronic form. Processing without a DPA is itself a violation subject to fines under Art. 83(4) GDPR, independently of whether any data are ever misused. The controller may only engage processors that provide sufficient guarantees of appropriate technical and organisational measures (Art. 28(1)), which can be evidenced for example by ISO/IEC 27001:2022 certification, and the DPA must grant the controller audit and inspection rights (Art. 28(3)(h)).
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.