Data Protection & GDPR

Systematically meeting DSGVO (GDPR) obligations: records of processing, TOMs, DPAs and data subject rights

12 articles on this topic

Data protection as an integral part of your information security

Data protection and information security are treated as separate disciplines in many organizations, yet they are closely intertwined. The GDPR requires technical and organizational measures to protect personal data, and these very measures are also a core component of every ISMS. When you build your information security management system, you automatically cover a large portion of GDPR requirements. This topic page helps you systematically fulfill data protection-specific obligations and make optimal use of the synergies between GDPR and ISMS.

The records of processing activities: your data protection map

The records of processing activities (RoPA) is mandatory under Art. 30 GDPR for nearly every organization. It documents which personal data you process for which purpose, who has access, to whom the data is disclosed, and how long it is retained. This sounds like a lot of effort, but in practice it is an enormously useful tool — because the RoPA gives you, for the first time, a complete overview of all data flows in your organization.

A good RoPA is not created at the desk of the legal department, but in dialogue with the business units. Who processes which data in daily operations? Which software is used? Where does the data flow? These questions can only be answered by talking to the people who work with the data every day. Our article on the RoPA shows you a pragmatic approach that gets you to the goal without external consultants.

TOMs: technical and organizational measures

Art. 32 GDPR requires you to implement "appropriate technical and organizational measures" to protect personal data. These TOMs are the link between data protection and information security. Encryption, access controls, pseudonymization, regular security testing — all of these are TOMs within the meaning of the GDPR and simultaneously core components of your ISMS.

The challenge lies less in implementation than in documentation. Supervisory authorities expect you to demonstrate which measures you have implemented and why they are appropriate. "Appropriate" is the key term here: the GDPR does not demand absolute security, but measures that are appropriate given the state of the art, the cost of implementation and the risk to data subjects. Our article on TOM documentation helps you maintain this evidence in a structured and audit-ready manner.

Data processing agreements and vendor assessment

Hardly any company processes personal data entirely on its own. Cloud services, external payroll processing, newsletter tools, hosting providers — wherever an external service provider processes personal data on your behalf, you need a data processing agreement (DPA) under Art. 28 GDPR. But a signed contract alone is not enough. You also need to verify that the service provider actually complies with the agreed protective measures.

Things become particularly sensitive with international data transfers. Since the Schrems II ruling and the EU-US Data Privacy Framework, companies must carefully assess whether the legal basis for data transfers to third countries is sound. Our article on international data transfers explains the current legal situation and which instruments are available for lawful transfers.

Data subject rights and deletion concept

The GDPR grants data subjects extensive rights: access, rectification, erasure, restriction of processing, data portability and objection. Your organization must be able to fulfill these rights within the statutory deadlines. This requires clear processes and the technical capability to identify and, where necessary, delete personal data across all systems.

The deletion concept deserves special attention because it affects virtually every system in your organization. You need defined retention periods for each data category, automated or at least regularly executed deletion routines, and documentation proving that data is actually deleted on schedule. Our articles guide you step by step through setting up a practical deletion concept that accounts for both GDPR requirements and commercial and tax law retention obligations.

All articles on this topic

Datenschutz
Datenschutz

Creating a Record of Processing Activities (ROPA) per Art. 30 DSGVO (GDPR)

A record of processing activities per Art. 30 DSGVO (GDPR) is mandatory for almost every organization. This article shows you which details are req...

2026-03-02 14 min read
Datenschutz
Datenschutz

Documenting Technical and Organizational Measures (TOMs)

TOMs per Art. 32 DSGVO (GDPR) are the backbone of any data protection documentation. This article explains the 8 classic TOM categories, provides c...

2026-03-03 15 min read
Datenschutz
Datenschutz

Data Processing Agreements: How to Review DPAs and Assess Service Providers

A DPA (Data Processing Agreement) is quickly signed but rarely thoroughly reviewed. This article shows you when data processing on behalf of a cont...

2026-03-04 14 min read
Datenschutz
Datenschutz

Reporting a GDPR Data Breach: When, How, and to Whom

72 hours. That is how much time you have to report a notifiable data breach to the supervisory authority. This article explains when a data breach ...

2026-02-20 13 min read
Datenschutz
Datenschutz

Data Deletion Policy Under DSGVO (GDPR): Retention Periods, Deletion Rules and Implementation

A data deletion policy is not optional — it is a direct obligation under the DSGVO (GDPR). This article explains which retention periods apply, how...

2026-04-22 15 min read
Datenschutz
Datenschutz

DPIA (Data Protection Impact Assessment): When Required and How to Conduct One

The Data Protection Impact Assessment under Art. 35 GDPR is one of the most frequently misunderstood obligations. When you must conduct a DPIA, how...

2026-06-26 18 min read
Datenschutz
Datenschutz

Implementing Data Subject Rights: Access, Erasure, and Data Portability

The GDPR grants data subjects extensive rights vis-a-vis organizations that process their data. This article explains all Data Subject Rights in de...

2026-06-27 19 min read
Datenschutz
Datenschutz

Consent Under GDPR: Requirements for Valid Consent Mechanisms

Consent is one of the six legal bases under the GDPR and at the same time the most error-prone. This article explains the seven requirements for va...

2026-06-28 18 min read
Datenschutz
Datenschutz

Joint Controllership Under Art. 26: When It Applies and What to Regulate

Joint controllership under Art. 26 GDPR is one of the most frequently overlooked topics in data protection. As soon as two entities jointly determi...

2026-06-29 17 min read
Datenschutz
Datenschutz

International Data Transfers: Standard Contractual Clauses and Adequacy Decisions

As soon as personal data leaves the EU, stricter rules apply. This article explains the mechanisms for lawful third-country transfers: adequacy dec...

2026-06-30 19 min read
Datenschutz
Datenschutz

Data Protection Officer (DPO): When Mandatory, Duties, Internal vs. External

From 20 employees involved in data processing, a Data Protection Officer (DPO) is mandatory. But who qualifies, what are their duties, and when doe...

2026-07-01 17 min read
Datenschutz
Datenschutz

Cookie Banners and Consent Management: Legally Compliant Implementation

Cookie banners are everywhere, but very few are legally sound. This article explains the legal foundations, the technical requirements, and the mos...

2026-07-02 18 min read