GDPR for start-ups

September 04, 2018

Laptop and stethoscope

Germany is suffering under the GDPR. Are you too?

In connection with the entry into force of the GDPR, there is an increase in complaints such as malaise. Irritability and, in particularly severe cases, even panic attacks occur. This is often accompanied by procrastination. This manifests itself when your inner bastard tells you that you can still take care of the GDPR tomorrow. Or the day after tomorrow or the day after tomorrow...



The symptoms are usually caused by concerns about a data protection breach. Or, to put it more precisely, that it will come to light that you are in breach of the GDPR. In the absence of GDPR compliance, the following risks occur with varying degrees of frequency:

Very common: Investors have no interest in seeing their money burn through fines. If a start-up aligns its processes with the GDPR, the following will become apparent Investors impressed.

Frequent: The dreaded wave of warning letters has not (yet) arrived. Nevertheless, warnings have become known in the meantime. This will certainly not remain an isolated case.

Occasionally: Occasionally, you have to expect to receive enquiries or even complaints from data subjects who are concerned about the protection of their personal data.

Rare: The authorities are still exercising restraint. However, it can be assumed that over time the authorities will be organised in such a way that they could even carry out checks on start-ups and investigate complaints.



The best treatment for GDPR-related symptoms is to familiarise yourself with the GDPR. To do this, it is crucial to know the most important provisions of the GDPR and to take appropriate measures.



Art. 5 para. 1 lit.a - good faith, legality and transparency: The processing must be legitimate and comprehensible to the data subject.
Art. 5 para. 1 lit. b - Earmarking: Personal data must be processed for a specific purpose.
Art. 5 para. 1 lit. c - Data minimisation: Only as little personal data as possible may be processed.
Art. 5 para. d - Correctness: The personal data must be correct.
Art. 5 para. 1 lit. e - Storage limitation: Data may not be processed forever, but must be deleted after a certain period of time.
Art. 5 para. 1 lit. f - Integrity and confidentiality: Personal data must be protected against unlawful processing and also against damage.
Art. 5 para. 2 - Accountability: The controller must be able to prove that it processes data in compliance with data protection regulations.



In principle, the processing of personal data is prohibited unless the processing can be based on a permission standardised in Art. 6 GDPR. The most important of these are

Art. 6 para. 1
lit a) Consent -
The data subject has previously consented to the processing.
lit b) fulfilment of a contract - Processing is carried out, for example, for the delivery of goods or to issue an invoice.
lit c) Legal obligation - For example, retention obligations under tax law apply.
lit. f) Legitimate interest - The controller has a legitimate interest in processing data, e.g. for advertising purposes. Caution! Newsletters may only be sent with prior consent and after a double opt-in procedure has been carried out.



The person responsible has numerous obligations. The most important ones in brief:

Demonstrable compliance with the principles: The controller is obliged to comply with the principles standardised in Art. 5 GDPR and must be able to demonstrate compliance with them.

Addressee of the rights of the data subjects: The controller is the addressee of the rights of data subjects in accordance with Art. 12 et seq. of the GDPR and must therefore ensure that data subjects can properly exercise their rights.

Realisation of TOM: According to Art. 32 GDPR, the controller must implement appropriate and suitable technical and organisational measures (TOM) when processing personal data to protect it. In this context, the terms "privacy by design" (data protection by technical design) and "privacy by default" (data protection-friendly default settings) are important, see Art. 25 GDPR.

Maintaining a processing directory: Art. 30 GDPR requires the controller to keep a record of all processing activities for which the controller is responsible.

Reporting obligation and notification: In the event of a personal data breach, the controller must report this to the competent supervisory authority in accordance with Art. 33 GDPR and, under the conditions of Art. 34 GDPR, notify the data subject.

Carrying out a data protection impact assessment: If processing activities pose a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment within the meaning of Art. 35 GDPR in advance.

Appointment of a data protection officer: Pursuant to Art. 37 GDPR in conjunction with. § Section 38 BDSG, a company must appoint a data protection officer if it...
...has at least 10 employees who process personal data automatically.
...processes personal data for business purposes.
...processes particularly sensitive data (e.g. creditworthiness or health data); this is then independent of the number of employees.



The following plan can be used to fulfil the obligations of the GDPR and counter the risks outlined above:

Appearing data protection compliant to the outside world
In order to be compliant with data protection regulations, your own website must first be provided with a privacy policy. There are online generators that promise a quick and inexpensive privacy policy. In many cases, these data protection declarations are little more than window dressing. It is therefore a question of budget and willingness to take risks whether to use a generator or seek legal advice.

Ensuring data protection for data subjects
If data subjects assert data protection rights, you should respond immediately and fulfil the requests. Anyone who, as the controller, is supported in data processing, e.g. by cloud computing, IT service providers, payroll tax offices, Google Analytics, newsletter mailing service providers, must conclude an order processing contract with the providers. This is intended to ensure that the processor only processes the data on behalf of and on the instructions of the controller in order to ensure the protection of personal data. Incidentally, if you do not use a service provider for sending newsletters, you should create a concept yourself that ensures that in the event of a withdrawal of consent, the email address concerned is placed on a blacklist and is therefore blocked from sending newsletters.

Measures to convince authorities of data protection compliance
Authorities primarily use the processing directory to check whether a company is acting in compliance with data protection regulations. It must therefore be possible to submit a processing directory at the request of the authorities. Incidentally, you should not come up with the idea of asking for an extension of the deadline, as you are admitting that you still have to draw up the processing directory...

If you find it difficult to keep track of the processing operations, you can create a "processing map" on which various stations or recipients are marked so that the paths and purposes of the processing are visualised. This makes it easier to transfer the individual processing operations to the directory. However, such a map should only serve as an aid. Authorities will not accept it if you only present them with pictures.

Although the processing directory is work, it is also helpful in responding to requests from data subjects. For example, the processing directory can be used to quickly provide information and take action if a data subject requests the correction or deletion of their data. It should also be possible to submit all evidence to the processing directory which shows that you are endeavouring to protect data. This includes, for example, documents such as declarations of commitment to data protection for employees, the written appointment of a data protection officer or data protection impact assessments. Anyone who has not already included the TOM in the processing directory must submit a separate overview of the TOM.

Duration of use
Start-ups have the advantage that they do not yet have established structures, but can grow in a data protection-compliant manner right from the start. To this end, it is important to deal with the GDPR at regular intervals, update the processing directory, check whether the necessary order processing contracts have been concluded and check whether further measures need to be taken. The only way to prevent procrastination is to set yourself GDPR audit deadlines.

If symptoms and side effects persist, consult a lawyer specialising in data protection.


Guest contribution from

Alexandra Milena Stojek, LL.M. - Attorney at Law

ARFMANN Rechtsanwaltsgesellschaft mbH[/vc_column_text][/vc_column][/vc_row]