77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
GDPR and personal data: definition, obligations, evidence
Data Protection & Privacy

GDPR and personal data: definition, obligations, evidence

19 June 202613 min readBy Lena Vogt
CIVAC

Personal data is not a legal special case, but your daily reality. Anyone who underestimates the definition risks fines according to Art. 83 GDPR. This guide organises the obligations and shows the way to verifiable documentation.

Since May 25, 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) has been directly applicable in all member states. Art. 4 No. 1 GDPR defines personal data as all information that relates to an identified or identifiable natural person. This definition is intentionally broad and includes IP addresses, cookie IDs, location data, employee ID cards and supplier contacts. Since 2023, supervisory authorities have been increasingly imposing fines in accordance with Art. 83 GDPR, which can reach up to 20 million euros or 4 percent of global group sales. In Germany, the publicly reported fines since 2018 alone have totaled a mid-three-digit million amount.

This article is aimed at management, data protection coordinators and IT managers who need clarity about the operational handling of personal data. You will find out which data categories are recorded, which seven processing principles apply in accordance with Art. 5 GDPR, how to keep a processing register in accordance with Art. 30 GDPR, when it is mandatory to appoint a data protection officer and what paths are taken in the event of data breaches, inquiries from those affected and sanction procedures. CIVAC accompanies these obligations as a compliance platform and officer-as-a-service so that the appointment certificate, reporting line and audit templates are available when the supervisory authority calls. The content is based on the guidelines of the European Data Protection Board, the data protection conference of the federal states and the previous rulings of German supervisory authorities.

Key Takeaways

  • Personal data is any data that directly or indirectly identifies a natural person, including IP address, cookie ID and employee number.
  • According to Section 38 BDSG, a data protection officer is mandatory for groups of 20 or more people who are constantly involved in automated processing.
  • According to Art. 33 GDPR, data breaches must be reported to the supervisory authority within 72 hours of becoming known, and if the risk is high, also to those affected.

Definition according to Art. 4 No. 1 GDPR: What counts as personal

Art. 4 No. 1 GDPR defines personal data as “all information relating to an identified or identifiable natural person”. The European Court of Justice made it clear in the Breyer decision (C-582/14, judgment of October 19, 2016) that dynamic IP addresses are also personal if the person responsible has legal means to identify the person. Identification does not have to be possible on your own; the combination with third-party information is sufficient. The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) confirms this interpretation in its Telemedia Guide.

In practice, the definition covers at least six categories: master data such as name, address and date of birth; Contact details such as email and telephone number; technical identifiers such as IP addresses, cookie IDs and device IDs; Employee data such as personnel number and payslip; Movement data such as GPS locations and access logs; biometric data such as fingerprints and facial scans.

The special categories mentioned in Art. 9 GDPR require special care: health data, trade union membership, religious beliefs, sexual orientation, ethnic origin and genetic data. Their processing is fundamentally prohibited and is only permitted with express consent or legal permission. Violations of Art. 9 GDPR are regularly punished with double the fine.

Pseudonymized data also remains personal according to recital 26 GDPR as long as the key for re-identification exists. Only completely anonymized data leaves the protection area. Anyone who sets up a clean data classification with the external data protection officer avoids the most common source of errors: underestimating indirect identifiers in log files, CRM systems and backups. A documented classification scheme with examples per category is the first line of defence against regulators and auditors. Anyone who keeps log files, backups or test databases without classification creates unrecognized processing activities and fails to comply with Article 5 Paragraph 2 of the GDPR.

The seven principles according to Art. 5 GDPR

Art. 5 Paragraph 1 GDPR codifies seven principles that all processing must comply with. Those responsible must be able to actively demonstrate their compliance with Article 5 Paragraph 2 of the GDPR, the so-called accountability requirement. This obligation is the operational leverage of the supervisory authorities.

First: legality, processing in good faith, transparency. Every processing requires one of the six legal bases from Art. 6 Para. 1 GDPR, such as consent, fulfilment of the contract or legitimate interest. Second: earmarking. Data may only be collected for specified, explicit and legitimate purposes. A change of purpose is only permitted under the conditions of Art. 6 Para. 4 GDPR. Third: data minimization. The survey must be limited to what is necessary, which is regularly missed, especially with web forms, CRM fields and application processes.

Fourth: accuracy. Incorrect data must be deleted or corrected immediately. Fifth: memory limitation. Data may only be retained for as long as necessary for the purpose, after which it must be deleted or anonymized. Sixth: integrity and confidentiality. Appropriate technical and organisational measures in accordance with Art. 32 GDPR must ensure protection against unauthorized processing, loss and destruction. Seventh: Accountability as a cross-cutting principle.

Anyone who does not provide evidence has already lost the argument. In practical terms, this means: processing directory maintained in accordance with Art. 30 GDPR, data protection impact assessments documented, training certificates versioned, deletion concepts stored, TOM description up-to-date, order processing contracts signed. The CIVAC workspace bundles these artifacts into a file structure with versioning so that the auditor calls and the evidence is ready. The appointment certificate, signed, filed, verifiable – the same principle applies to each of the seven principles. Anyone who shows gaps here will fail the first audit step, regardless of the size and industry of the company.

Processing list according to Art. 30 GDPR: Mandatory content

The list of processing activities in accordance with Art. 30 GDPR is the central documentation for every person responsible. Companies with fewer than 250 employees are generally exempt under Art. 30 Para. 5 GDPR, but the obligation falls back as soon as regular processing, risk processing or special categories according to Art. 9 are affected. In practice, this applies to almost every company with human resources management, customer relationships or an online presence, which is why the exemption hardly applies.

Eight pieces of information are required for each processing activity: Name and contact of the person responsible, if necessary the data protection officer; purposes of processing; Description of the categories of data subjects and data categories; Categories of recipients to whom data was disclosed; Transfers to third countries with guarantees in accordance with Chapter. V GDPR; deletion periods per category; General description of the technical and organisational measures in accordance with Art. 32 GDPR. The supervisory authorities do not accept collective information; each activity must be carried out individually.

Typical processing operations that must be carried out separately: applicant management, personnel management, payroll, customer master data, newsletter dispatch, video surveillance, access control, web analysis, CRM, ticket system, contract management, telephone system evaluation, whistleblower system. Experience from medium-sized clients shows 35 to 80 procedures per location, while corporations quickly reach 200 or more.

Processors keep their own directory in accordance with Art. 30 Para. 2 GDPR. Anyone who uses cloud services, payroll offices or shipping service providers also requires order processing contracts in accordance with Art. 28 GDPR. These must be versioned, signed, filed, documented and checked at least annually to ensure they are up to date. The CIVAC role overview shows how the DSB function compares the directory with the departments on a quarterly basis and documents changes in an audit-proof manner. Third country transfers according to Art. 44 ff. GDPR require standard contractual clauses in version 2021/914 plus transfer impact assessment, especially for providers from the USA despite the EU-US Data Privacy Framework. These guarantees must be deposited in the directory for each transmission.

Legal basis: When are you allowed to process

Art. 6 Paragraph 1 GDPR finally lists six legal bases for the processing of personal data. Without one of these bases, the processing is unlawful, regardless of the business logic or practice. The choice of legal basis must be determined for each processing activity and documented in the list in accordance with Art. 30.

Lit. a: Consent of the data subject. It must be granted voluntarily, informed, specific and through a clear affirmative action (Art. 4 No. 11 GDPR). Consent must be revocable; the revocation has effect for the future. Pre-filled boxes are not permitted; linking them to contractual services must be examined critically in accordance with Art. 7 Para. 4 GDPR. Lit. b: Contract fulfilment. Data that is necessary to carry out a contract with the data subject may be processed without separate consent, such as delivery address for online orders or account details for the SEPA mandate.

Lit. c: Legal obligation. Tax retention obligations according to Section 147 AO, the income tax certificate or reporting obligations according to SGB IV are classic examples. Lit. d: Vital interests, such as emergency access to health data. Lit. e: Carrying out a task in the public interest, primarily relevant for public bodies. Lit. f: Legitimate interest of the person responsible, provided that the interests or fundamental rights of the person concerned do not outweigh them.

The balancing in lit. f is the most common source of error. The supervisory authorities require a documented balancing of interests with three steps: justification of the interest, necessity of processing, balancing of fundamental rights. Advertising to existing customers, IT security measures and intra-group transfers are often based on lit. f, but must be documented for each procedure. The clock starts on awareness. 83 Para. 5 GDPR.

Obligation to appoint a data protection officer

Art. 37 Para. 1 GDPR requires the appointment of a data protection officer in three cases: for processing by authorities, for core activities that require extensive regular systematic monitoring, or for extensive processing of special categories according to Art. 9 GDPR. Section 38 (1) BDSG supplements the German threshold: Companies with at least 20 people who are constantly involved in automated processing of personal data must appoint a DPO. This threshold is lower than in many other member states.

The order is made in writing with an appointment certificate. It defines function, reporting line and protection against dismissal (Section 38 Paragraph 2 BDSG refers to Section 6 Paragraph 4 BDSG). The DPO reports directly to the management and may not be removed or disadvantaged for fulfilling his or her duties. The order must be communicated to the responsible supervisory authority in accordance with Art. 37 Para. 7 GDPR, and the contact details must be published, for example in the legal notice or the data protection declaration.

Tasks in accordance with Art. 39 GDPR include informing and advising the person responsible, monitoring compliance with the GDPR and internal strategies, advice on data protection impact assessments, cooperation with the supervisory authority and contact point for those affected. The DPO is not personally responsible, but rather monitors and advises.

Violations of the ordering obligation are subject to a fine of up to 10 million euros or 2 percent of global group sales in accordance with Art. 83 Para. 4 lit. a GDPR. Practice shows two models: internal ordering with dual functions or external commissioning. External DPOs bring independence, cross-industry experience and avoid conflicts of interest. CIVAC delivers both: Licence the workspace for your internal representatives, or have our representatives order it. The appointment certificate, signed, filed, verifiable – as a compliance platform and officer-as-a-service.

Rights of those affected: information, correction, deletion

The GDPR gives data subjects eight enforceable rights. These must be answered within one month of receipt of the application (Art. 12 Para. 3 GDPR); an extension of another two months is possible in complex cases with justification. The response is generally free of charge; in the case of obviously unfounded or excessive requests, an appropriate fee or rejection is possible in accordance with Art. 12 Para. 5 GDPR.

Art. 15 GDPR regulates the right to information. Those affected can ask whether data concerning them is being processed, for what purposes, to which recipients, and for what storage period. The information includes a copy of the data. Art. 16 GDPR grants the right to correct incorrect data. Art. 17 GDPR establishes the right to deletion, provided there is no obligation to retain data. The Federal Court of Justice has interpreted the scope of the right to information broadly in several decisions.

Art. 18 GDPR determines the restriction of processing. Art. 20 GDPR provides for data portability, for example when changing providers. Art. 21 GDPR regulates the right to object, especially against direct advertising, as an absolute right. Art. 22 GDPR protects against exclusively automated decisions with legal effect, which increasingly affects scoring procedures, AI-supported personnel selection and algorithmic pricing.

Operationally, requests from those affected often fail due to three points: lack of identity verification of the applicant, incomplete research across system boundaries, failure to meet the monthly deadline. Supervisory authorities regularly impose five to six-figure fines for late or incomplete information. A documented process with an input channel, ticket system, escalation path and deadline calendar is mandatory. The CIVAC workspace provides 490 audit templates, including standardised information notices with client separation and EU data residency. The auditor calls, the evidence is ready.

Report data breaches: 72-hour deadline according to Art. 33 GDPR

Art. 33 Para. 1 GDPR obliges the person responsible to report a violation of the protection of personal data to the responsible supervisory authority within 72 hours of becoming aware of it. The deadline begins at the time when the person responsible knows about the violation, i.e. when there is certainty that a reportable violation has occurred. Pure suspicion does not trigger the deadline, but rapid internal clarification is necessary.

Injuries that are likely to pose a risk to the rights and freedoms of natural persons must be reported. If the risk is high, the affected persons must also be notified in accordance with Art. 34 GDPR. Typical cases: stolen laptops without hard drive encryption, incorrect sending of emails with mass distribution, ransomware with data leakage, misconfiguration of a cloud bucket, compromised access data, lost USB sticks with customer lists.

The report is made via the online portal of the responsible state authority. Content according to Art. 33 Para. 3 GDPR: Type of violation, categories affected and approximate number of those affected, contact of the DPO, likely consequences, measures taken or planned. If not all information is available within 72 hours, an initial report with subsequent submission is permitted (Art. 33 Para. 4 GDPR). The internal documentation of every violation is mandatory according to Art. 33 Para. 5 GDPR, regardless of the reporting obligation.

Operationally, the preparation is decisive. A data breach playbook with an escalation matrix, templates for reports, communication paths to IT, legal and management must work in the stress test. If you only research after you know, you will lose the deadline. The CIVAC platform mirrors the deadline with timers, reporting templates and reporting lines, parallel to the NIS-2 reporting paths with 24 hours early warning and 72 hours follow-up reporting. Audit-proof, documented, § 33-firm.

Sanctions according to Art. 83 GDPR: fine framework and practice

Art. 83 GDPR establishes a two-tier fine system. Violations of procedural obligations such as processing directory, DPO order or order processing contract can be punished according to paragraph 4 with up to 10 million euros or 2 percent of the global annual consolidated turnover, whichever is higher. Violations of material principles and the rights of those affected according to paragraph 5 double the limit to 20 million euros or 4 percent. These thresholds are maximum limits, not standard rates.

The measurement is carried out in accordance with Art. 83 Para. 2 GDPR based on eleven criteria, including the type and severity of the violation, intent or negligence, measures to reduce the damage, degree of responsibility, previous violations, cooperation with the supervisory authority, affected data categories. In 2023, the European Data Protection Board published guidelines for calculating fines (Guidelines 04/2022), which German authorities are adapting.

German practice since 2023 shows increasing penalties. Supervisory authorities have imposed fines in the six to seven-figure range on companies that kept the processing records incomplete, ignored requests from those affected or reported data breaches late. In the corporate context, individual violations can reach the eight-figure range if the group turnover is high enough.

In addition, there are liability risks under Article 82 GDPR (compensation for those affected with a tendency to pay significant amounts of compensation), Section 130 OWiG (breach of supervisory duty towards management), as well as criminal consequences in the event of intentional misuse of data under Section 42 BDSG. Insurance for cyber risks does not regularly cover fines. Anyone who can demonstrate documented compliance not only significantly reduces the risk, but also the assessment amount in individual cases, as cooperation and measures have a mitigating effect. In practice, supervisory authorities negotiate reductions of 30 to 60 percent if the company can demonstrate a complete processing record, documented training and a functioning DPO.

Operational implementation with CIVAC: Platform or Officer-as-a-Service

The operational chain of duties consisting of the directory, legal basis, DPO, rights of those affected, reporting and sanctions defence can be mapped in two ways: internally with tool support or externally as an outsourced function. CIVAC delivers both models from a single source as a compliance platform and officer-as-a-service.

The first model is aimed at companies with their own compliance function. Licence the workspace for your internal representatives. You get 490 audit templates, a pre-configured processing directory, data breach workflow with 72-hour timer, data subject request routing, training modules and audit-proof storage. EU data residency, client separation, reporting line and versioning are built in. The platform covers 25 officer roles, so that the DPO function is integrated into the overall context of ISB, compliance officer and money laundering officer.

The second model is aimed at companies without internal capacity or with a desire for independence. Let our representatives take the order. The external data protection officer takes on the function in accordance with Art. 37 GDPR including the appointment certificate, reporting line to management, training, annual reporting and information processing. The CIVAC SLA: 2 working days instead of the classic 2 to 6 weeks.

Others run compliance like a filing cabinet. We run it like software. Both models share the same platform, so a change or a mixed form is possible at any time. Data protection is not a project task, but rather a continuous operation with deadlines, audits and communication with authorities.

Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de. The initial check of the order requirement and the mandatory artifacts takes 30 minutes; the result is a concrete list of measures with those responsible and deadlines. The appointment certificate is available within 5 working days, the processing directory is initially filled and the data breach workflow is activated.

FAQ

Are IP addresses personal data?

Yes. The European Court of Justice made it clear in the Breyer decision (C-582/14) that dynamic IP addresses are personal if the person responsible has legal means of identification. Static IP addresses can be assigned directly anyway. Therefore, server logs, web analysis data and firewall logs must be treated as personal and kept in the processing directory. Cookie IDs and device IDs are treated analogously.

When do we have to appoint a data protection officer?

According to Section 38 Paragraph 1 BDSG, 20 or more people are constantly involved in automated processing. Regardless of this, Art. 37 Para. 1 GDPR applies to core activities with extensive monitoring or when processing special categories in accordance with Art. 9 GDPR. The order is made in writing with an appointment certificate and must be reported to the supervisory authority. The DPO must not have a conflict of interest with his other tasks.

How quickly must a data breach be reported?

Within 72 hours of becoming aware of this to the responsible supervisory authority in accordance with Art. 33 Para. 1 GDPR. If the risk is high, the affected persons must also be notified immediately in accordance with Art. 34 GDPR. If not all information is available within 72 hours, an initial report with subsequent submission is permitted. The period begins at the time when knowledge is secured, not when the information has been fully clarified.

What happens if we don't keep the processing register?

Violations of Art. 30 GDPR are punishable by a fine of up to 10 million euros or 2 percent of global group sales in accordance with Art. 83 Para. 4 lit. a GDPR. In practice, the missing directory is also the most common finding in requests for information from the supervisory authorities and regularly leads to follow-up checks with an expanded scope of checks across multiple processing operations.

How long can personal data be stored?

For as long as necessary for the original purpose, combined with legal retention requirements. Tax-relevant documents according to Section 147 AO regularly 10 years, commercial correspondence 6 years, application documents typically 6 months after rejection, application data upon employment are transferred to the personnel file. A deletion concept with deadline-triggered implementation is mandatory according to Article 5 Paragraph 1 Letter e of the GDPR.

Can we staff the DSB function internally or outsource it externally?

Both are permitted according to Art. 37 Para. 6 GDPR. Internally, people without a conflict of interest are suitable, i.e. not IT management with processing responsibility and not management. There are no external conflicts of interest and the person brings cross-industry experience. CIVAC offers both models with an identical platform and an SLA of 2 working days, so a change is possible at any time.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles