Data protection management / data protection concept / regular auditing

Current audits by the Bavarian supervisory authorities and the questionnaires published with the audit announcements make it clear that data protection cannot be effectively implemented even in small and medium-sized companies without comprehensive documentation in the sense of cross-company data protection concepts.

Written concept

Whether we speak of data protection management systems, data protection systems, data protection concepts or data protection models, we always mean the same thing. In order to fulfil the documentation obligations and to prove that all obligations under the GDPR are implemented in the company, a written concept that can be submitted on request is recommended. It should be noted that both the legal requirements placed on the company and the means and processes by which the company implements these obligations must be defined as comprehensively as possible.

This should be in there

Usually (minimum) contents of such a concept are:

  • General data protection requirements
  • Internal procedures and reporting processes in order to comply with the legal obligations, also towards the affected parties
  • Binding guidelines for employees on data protection-compliant behaviour
  • Forms and working aids
  • Requirements for the documentation of processing activities and data protection impact assessment, binding requirements including contract templates for the commissioning of contract processors
  • Instructions and binding requirements for the fulfilment of information duties
  • Procedures for regular review and readjustment of data protection measures

Consider individual characteristics

The points listed above are only standard components, which must be extended depending on the individual company and industry.


The processes for regular auditing / review / evaluation under data protection law also play an important role here.

Since the audit reports of the annual internal audit must also be submitted in the course of data protection audits by clients or supervisory authorities, it is clear that the work is not done with the one-off preparation of the data protection documents. This, too, is a point which was already an obligation under the old data protection laws, but which now needs to be given much more attention due to the auditing practice of the authorities and the GDPR.



A data protection concept must therefore define the framework conditions for data protection, which must then be put into practice in the daily routine and through annual audits.



Rechtsanwältin (attorney at law) Michaela Berger, LL.M.


Specialist lawyer for IT law

certified data protection officer (TÜV Süd)

certified data protection auditor (TÜV Süd)