02 · Data protection

GDPR: eight years old, still mandatory

The General Data Protection Regulation has applied since 25 May 2018. Even so, many companies have no complete record of processing activities, no DPA with every service provider and no documented deletion periods. Audits by the supervisory authority get expensive fast.


What it's about

GDPR has applied since 25 May 2018 (Regulation (EU) 2016/679 entered into force in May 2016) and is the most comprehensive data-protection regulation in Europe. It applies to anyone processing personal data, down to the smallest sole proprietor with a newsletter list or a contact form. 'Personal data' is broader than people think: not just name and email, but also IP address, cookie IDs, device fingerprints, photos and audio recordings can fall under it.

GDPR defines three blocks: controller duties (records of processing Art. 30, processor agreements Art. 28, DPIAs Art. 35, technical and organisational measures Art. 32), data-subject rights (access Art. 15, rectification Art. 16, erasure Art. 17, portability Art. 20, objection Art. 21) and notification duties (notify the supervisory authority of a personal-data breach within 72 hours of becoming aware of it, Art. 33). On top of that the 'privacy by design / by default' principle (Art. 25): data protection must be built into the architecture, not bolted on afterwards.

Since the Schrems II ruling (2020), data transfer to the US is a compliance topic of its own. Standard Contractual Clauses alone don't suffice; a Transfer Impact Assessment is needed on top. The 2023 EU-US Data Privacy Framework adequacy decision brought some relief for certified US providers but is again under legal attack (a 'Schrems III' is foreseeable). Fines reach EUR 20 million or 4% of global group turnover, whichever is higher (Art. 83). The German state supervisory authorities (LfDIs) have been enforcing noticeably more strictly since 2024.

Who is affected

  • Every company or sole proprietor with a newsletter, contact form or employee data — no thresholds.
  • Online shops, SaaS providers, app operators — as soon as personal data is processed (effectively always).
  • Employers towards employees (HR files, salary, sickness data, IT logs).
  • Associations, foundations, NGOs with member lists or donor data.
  • Self-employed consultants, doctors, lawyers, tax advisors (client/patient data = often special categories Art. 9).
  • Public authorities, public bodies and education providers (additional duties from BDSG and state laws).
  • Providers outside the EU as soon as they offer goods or services to, or monitor the behaviour of, people located in the EU (Art. 3(2), extraterritorial scope; what counts is where the person is, not their citizenship).

What is mandatory

  • Record of processing activities (RoPA) maintained and current — for every kind of processing, with purpose, legal basis, recipients, retention periods.
  • Data processing agreement (DPA) with every external service provider (hosting, email, AI, analytics, backup) — in writing, before any data flow.
  • Privacy policy compliant with Art. 13/14: separated per service/sub-domain, with controller, purposes, recipients, third-country transfers, rights.
  • Privacy by design / by default (Art. 25): data protection in the architecture from day one, privacy-friendly defaults.
  • Technical and organisational measures (TOM, Art. 32): encryption, access control, backup, pseudonymisation, incident response.
  • Deletion concept: retention periods per data category documented AND technically enforced (cron job, not 'we'll do it manually').
  • Access and erasure procedure: respond within 1 month (Art. 15-17), verify identity, deliver data package in structured form.
  • Data Protection Impact Assessment (DPIA, Art. 35) for high-risk: profiling, AI scoring, big-data analytics, biometric data, employee monitoring.
  • Breach reporting paths: 72h to supervisory authority (Art. 33), at high risk also inform data subjects (Art. 34).
  • Third-country transfer (Schrems II): SCCs 2021 + Transfer Impact Assessment OR adequacy decision (e.g. EU-US DPF) OR Art. 49 exception.
  • Designate a Data Protection Officer if, as a rule, at least 20 people are permanently engaged in automated processing of personal data (§ 38 BDSG) OR data processing is the core activity (Art. 37 GDPR).

What I take care of

  • EU hosting by default: Scaleway Paris for backend, Supabase EU for database, IONOS Germany for frontend — minimises third-country risk from day one.
  • Record-of-processing template in markdown inside the repo, automatically synced with the built-in services (no 'where was that Excel file').
  • DPA audit for existing service providers: check which DPAs exist, which are missing, which are outdated (sub-processors, new SCCs 2021).
  • DPA templates per service-provider type + central archive with annual review reminders.
  • Privacy policy generator: one block per service, automatically synced with the codebase — when a new tool is added, the policy text comes with it.
  • Automatic deletion of expired data via cron jobs + audit logs (e.g. cookie consent records after 24 months, contact requests after 12 months).
  • GDPR request workflow: admin UI for access, erasure, rectification with timestamp, identity check and proof in the audit log.
  • Logging concept that takes data minimisation seriously: no PII in plain-text logs, IP hash instead of IP, short retention periods.
  • Data mapping as a diagram: which data is stored where, for how long, who has access — the basis for RoPA and DPIA.
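
The deletion concept above ('documented AND technically enforced') is the one item that is pure engineering, so here is an added example of what the cron job behind it looks like. This is not the consultant's own tooling: it assumes a SQLite schema with one table per data category carrying a `created_at` UTC timestamp, a hypothetical `deletion_audit` table, and the retention periods quoted on the page (consent records 24 months, contact requests 12 months). The point worth copying is that the audit row records how many rows went and which cutoff applied, never the personal data itself, otherwise the audit log becomes a fresh copy of what was just deleted.

```python
"""Retention-enforced deletion with an audit trail (SQLite, stdlib only).

Added example, not the page's code. One table per data category, each with a
`created_at` UTC ISO-8601 timestamp; `deletion_audit` is a hypothetical table.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# The deletion concept as data: table -> (timestamp column, retention in days).
# Names come from this fixed dict, never from user input, which is why they may
# be interpolated into the SQL below.
RETENTION_POLICY = {
    "cookie_consents": ("created_at", 730),   # 24 months
    "contact_requests": ("created_at", 365),  # 12 months
}


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cookie_consents  (id INTEGER PRIMARY KEY, consent_json TEXT, created_at TEXT NOT NULL);
        CREATE TABLE contact_requests (id INTEGER PRIMARY KEY, email TEXT, message TEXT, created_at TEXT NOT NULL);
        CREATE TABLE deletion_audit   (id INTEGER PRIMARY KEY, run_at TEXT, table_name TEXT, cutoff TEXT, rows_deleted INTEGER);
    """)
    return conn


def purge_expired(conn: sqlite3.Connection, now: datetime) -> dict:
    """Delete every row older than its category's retention period.

    Returns {table: rows_deleted}. The audit row holds the count and the cutoff,
    not the data, so the audit log is not itself a store of personal data.
    """
    report = {}
    for table, (col, days) in RETENTION_POLICY.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        deleted = conn.execute(f"DELETE FROM {table} WHERE {col} < ?", (cutoff,)).rowcount
        conn.execute(
            "INSERT INTO deletion_audit (run_at, table_name, cutoff, rows_deleted) VALUES (?, ?, ?, ?)",
            (now.isoformat(), table, cutoff, deleted),
        )
        report[table] = deleted
    conn.commit()
    return report


def row_count(conn: sqlite3.Connection, table: str) -> int:
    # `table` is only ever a policy key or a literal here.
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo() -> dict:
    """Constructed data: one expired and one live row per category."""
    now = datetime(2025, 6, 1, 3, 0, 0, tzinfo=timezone.utc)  # the cron job's run time

    def ts(days_ago: int) -> str:
        return (now - timedelta(days=days_ago)).isoformat()

    conn = setup_db()
    conn.executemany("INSERT INTO cookie_consents (consent_json, created_at) VALUES (?, ?)",
                     [('{"analytics": false}', ts(800)), ('{"analytics": true}', ts(100))])
    conn.executemany("INSERT INTO contact_requests (email, message, created_at) VALUES (?, ?, ?)",
                     [("a@example.org", "old request", ts(400)), ("b@example.org", "new request", ts(10))])
    report = purge_expired(conn, now)
    remaining = {t: row_count(conn, t) for t in RETENTION_POLICY}
    return {"deleted": report, "remaining": remaining, "audit_rows": row_count(conn, "deletion_audit")}


if __name__ == "__main__":
    print(demo())
```

Run it nightly from cron or a scheduler; because the policy is a dict in the repo, the retention periods in the RoPA and the ones actually enforced are the same source of truth.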

Regulation (EU) 2016/679 (GDPR) · German Federal Data Protection Act (BDSG, 2018 revision) · DSK short papers and resolutions · ECJ ruling 'Schrems II' (C-311/18, 16 July 2020) · EU Commission Implementing Decision (EU) 2021/914 (new Standard Contractual Clauses) · EU-US Data Privacy Framework (adequacy decision of 10 July 2023) · German TDDDG (formerly TTDSG) for cookies, see Cookie Consent page

Frequently asked

As a sole proprietor, do I need a Data Protection Officer?
Only if, as a rule, at least 20 people are permanently engaged in automated processing of personal data (§ 38 BDSG), OR if data processing is your core business (Art. 37 GDPR, e.g. marketing agency, tracking provider). As a solo developer without staff, typically no, but you still need a RoPA and DPAs.
Is a server in Germany enough to be GDPR-compliant?
EU hosting is necessary but not sufficient. You still need DPAs, deletion concept, privacy policy, access procedures etc. And if your hoster has sub-processors in the US (CDN, logging service), you are back to the third-country transfer issue — check!
How long can I keep logs with IP addresses?
IP addresses are personal data. Keep them only as long as strictly necessary — typically 7 days for web logs, 30 days for security audits. Longer only with concrete legal basis (e.g. ongoing incident). Anonymised logs (truncated IP) may stay longer.
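
The two retention tiers in this answer (short-lived full IPs, longer-lived truncated ones) and the 'IP hash instead of IP' rule in the logging concept above map onto two concrete operations. The block below is an added example, not the page's tooling, showing both. The caveat a practitioner needs: an unkeyed hash of an IPv4 address is not pseudonymisation, because all 2^32 addresses can be hashed and matched in minutes, so the hash must be keyed (HMAC) with a secret that never reaches the log pipeline, and rotating the derived key daily keeps one day's requests correlatable (rate limiting, abuse analysis) while making days unlinkable. `SECRET`, the sample log lines and the dates are constructed.

```python
"""Pseudonymising and anonymising client IPs before they reach the log.

Added example, not the page's code.
  * pseudonymise(): HMAC-SHA256 under a key derived per day from a server
    secret. Same client, same day -> same pseudonym; new day -> unlinkable.
    Without the secret the pseudonym cannot be reversed or brute-forced.
  * anonymise(): truncate to /24 (IPv4) or /48 (IPv6). This form no longer
    identifies a single connection and is what you keep for long-term statistics.
SECRET is a constructed placeholder; load it from a secrets store in production.
"""
import hashlib
import hmac
import ipaddress
from datetime import date

SECRET = b"constructed-placeholder-use-secrets.token_bytes(32)"
TODAY = date(2025, 6, 1)        # constructed run dates used by the demo
YESTERDAY = date(2025, 5, 31)


def daily_key(secret: bytes, day: date) -> bytes:
    """Per-day subkey, so the long-term secret itself never enters the log pipeline."""
    return hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()


def pseudonymise(ip: str, day: date, secret: bytes = SECRET) -> str:
    addr = ipaddress.ip_address(ip)  # validates and canonicalises (IPv6 zero compression etc.)
    mac = hmac.new(daily_key(secret, day), addr.packed, hashlib.sha256).hexdigest()
    return "ip:" + mac[:16]  # 64 bits is plenty to correlate one day's traffic


def anonymise(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return f"{net.network_address}/{prefix}"


def rewrite_log_line(line: str, day: date, secret: bytes = SECRET) -> str:
    """Replace the leading client address of a combined-log-format line."""
    ip, rest = line.split(" ", 1)
    return f"{pseudonymise(ip, day, secret)} {rest}"


# Constructed sample lines using RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.77 - - [01/Jun/2025:03:00:01 +0000] "GET /contact HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::1 - - [01/Jun/2025:03:00:02 +0000] "POST /contact HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(rewrite_log_line(line, TODAY))
    print(anonymise("203.0.113.77"), anonymise("2001:db8:abcd:1234::1"))
```

Apply `rewrite_log_line` at ingestion (log shipper or reverse proxy), not as a later cleanup job; the raw address should never be written to disk in the first place if the pseudonym is all you need.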
Newsletter: is double-opt-in enough, or do I need more?
Double opt-in (confirmation email with a click link) is the de facto minimum standard: without it you cannot prove the consent, and consent you cannot prove is worthless in a dispute. On top you need: documented timestamp + IP of the sign-up and of the confirmation click (in the confirmation log), clear information about purpose (what you'll inform about) and provider (e.g. Mailjet, Brevo), an unsubscribe link in EVERY email, and separation of the sign-up from other buttons (no 'on ordering, you're automatically signed up to the newsletter').
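
What the confirmation log described in this answer looks like in code, as an added example that is not the page's own tooling: a signed one-time token in the confirmation link, a 48-hour expiry, and a proof record that carries sign-up time and IP, confirmation time and IP, the stated purpose and the provider. The two dicts stand in for database tables; `SECRET`, `TOKEN_TTL` and all addresses and names in `demo()` are constructed assumptions.

```python
"""Double opt-in with a signed confirmation token and a consent proof record.

Added example, not the page's code. PENDING and PROOFS stand in for database
tables. The 128-bit random token id is unguessable on its own; the HMAC
signature lets the endpoint reject forged or truncated links without a lookup.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SECRET = b"constructed-placeholder-use-secrets.token_bytes(32)"
TOKEN_TTL = timedelta(hours=48)   # links older than this are refused

PENDING: dict = {}   # token_id -> unconfirmed sign-up
PROOFS: dict = {}    # email -> consent proof, the record you show an authority


def _sign(token_id: str) -> str:
    return hmac.new(SECRET, token_id.encode(), hashlib.sha256).hexdigest()


def start_signup(email: str, ip: str, purpose: str, provider: str, now: datetime) -> str:
    """Store the sign-up and return the token for the confirmation link.

    Until confirm() succeeds nothing but the confirmation mail goes to the
    address, so a typo or a malicious sign-up never subscribes anyone.
    """
    token_id = secrets.token_urlsafe(16)
    PENDING[token_id] = {
        "email": email.strip().lower(), "signup_at": now.isoformat(), "signup_ip": ip,
        "purpose": purpose, "provider": provider,
    }
    return f"{token_id}.{_sign(token_id)}"


def confirm(token: str, ip: str, now: datetime):
    """Validate the clicked link; return the proof record on success, else None."""
    token_id, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(token_id)):
        return None                      # forged, truncated or tampered link
    rec = PENDING.pop(token_id, None)    # one-time use: a second click fails
    if rec is None:
        return None                      # unknown or already used
    if now - datetime.fromisoformat(rec["signup_at"]) > TOKEN_TTL:
        return None                      # expired: the user must sign up again
    proof = {**rec, "confirmed_at": now.isoformat(), "confirm_ip": ip}
    PROOFS[proof["email"]] = proof
    return proof


def demo() -> dict:
    """Constructed walk-through: genuine, forged, replayed and expired links."""
    PENDING.clear()
    PROOFS.clear()
    t0 = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    token = start_signup("Reader@Example.org", "203.0.113.77", "monthly newsletter", "Brevo", t0)
    forged = token.rsplit(".", 1)[0] + "." + "0" * 64
    stale = start_signup("late@example.org", "203.0.113.80", "monthly newsletter", "Brevo", t0)
    return {
        "forged": confirm(forged, "203.0.113.9", t0 + timedelta(minutes=1)),
        "genuine": confirm(token, "198.51.100.5", t0 + timedelta(minutes=5)),
        "replay": confirm(token, "198.51.100.5", t0 + timedelta(minutes=6)),
        "expired": confirm(stale, "203.0.113.80", t0 + timedelta(hours=49)),
        "stored": "reader@example.org" in PROOFS,
    }


if __name__ == "__main__":
    print(demo())
```

Keep the proof record for as long as the subscription exists plus the limitation period for claims; it is the one piece of personal data you must not delete early, because it is your evidence.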
Someone files an access request (Art. 15) — what do I have to deliver?
Within 1 month (Art. 12(3), extendable by 2 months for complexity): a structured copy of all data about the person, plus the purposes, categories, recipients, retention periods, source (if not collected directly), whether automated decisions take place. Verify identity first (email from the account usually suffices), deliver as JSON/CSV plus an explanatory cover note. Do not include third-party data (employees, other customers from conversations).
A data breach happens — what must I do in the first 72 hours?
Immediately, internally: stop the incident, determine scope (which data, how many people), preserve evidence (logs). Within 72h notify the competent supervisory authority (Art. 33) via their online form — even if not everything is known, supplementary notifications are allowed. If high risk to data subjects, also inform them (Art. 34), in plain language and with guidance on what they can do. Document everything — the supervisory authority requires the breach register.

Need support?

Let's talk for 30 minutes. I'll look at your situation and tell you what makes sense as a next step.
