Data pro­tection con­cept / data pro­tection ma­na­ge­ment sys­tem

In times of the GDPR, selective data protection is no longer effective in order to fulfil all obligations arising from the GDPR (Accountability).


The sole appointment of a data protection officer therefore only fulfils a part of the requirements of the GDPR.

The supervisory authorities can also demand the submission of company-wide data protection concepts as part of the audits, which is why the implementation of a data protection management system is unavoidable.

Imple­mentation of a data pro­tection mana­gement sys­tem

Au­diting of the en­tire com­pany with regard to:

Documentation and preparation of findings


  • Actual workflows
  • Existing work instructions, documentation, contracts
  • Existing data protection processes
  • List of processing activities
  • Fulfilment of information duties
  • Data protection agreements (DPA, Joint Controllership)
  • Security of data-processing
  • List of all located deviations with risk assessment
  • Conception of work packages prioritized according to risk and probability of occurrence

Once the work pa­ckages have been fina­lized, im­plementation will be driven forward in the indivi­dual spe­cialized de­partments:

  • Initial workshop with all specialized departments
  • Creation of processing directories
  • Determination of the required data protection agreements with service providers
  • Fulfilment of information obligations
  • Implementation of data protection processes (information, deletion, conduct in the event of a data breach)
  • Data protection impact assessment
  • Deletion concept


In addition, all employees are instructed in the data protection management system.

Your partner

Lawyer Michaela Berger, LL.M.


Specialist lawyer for IT law

certified data protection officer (TÜV Süd)

certified data protection auditor (TÜV Süd)