Module 11 of 15 · 📖 4 min reading time · ⏱ 30 min total

KBM 11 Data Protection in the Office — GDPR in Practice (EN)

Table of Contents (6 sections)
  1. Concepts and Background
  2. Architecture Diagram
  3. Practical Steps
  4. Common Pitfalls
  5. Further Resources
  6. Knowledge Check

KBM 11 Data Protection in the Office — GDPR in Practice

In this module, you will learn the practical implementation of the General Data Protection Regulation (GDPR) in the office environment. You will learn how to maintain a record of processing activities, properly document processing by third parties, and effectively implement data subject rights. Additionally, you will be trained to detect data breaches early and report them correctly.

Concepts and Background

Record of Processing Activities
A mandatory document that records all activities in which personal data is processed. It serves to ensure transparency and traceability.
Processing by Third Parties
The processing of personal data by a third party on behalf of the data controller. Requires a special contract with strict data protection requirements.
Data Subject Rights
The rights to access, rectification, erasure, restriction of processing, data portability, and objection. Requests exercising these rights must be handled within the statutory deadlines.
Reporting a Data Breach
The obligation to report a personal data breach (a breach of security affecting personal data) to the supervisory authority if it is likely to result in a risk to the rights and freedoms of natural persons.

Architecture Diagram

flowchart TD
    A[Customer and Employee Data] --> B[Database Server]
    A --> C[CRM System]
    B --> D[Access Control]
    C --> D
    D --> E[User Rights Management]
    E --> F[GDPR-Compliant Logging]
    F --> G[Auditing]

Practical Steps

  1. Create a record of all processing activities with purpose, legal basis, categories of data subjects, and data recipients.
  2. Review all contracts with external service providers for necessary clauses on processing by third parties pursuant to Art. 28 GDPR.
  3. Implement a system for handling data subject requests with clear deadlines and escalation paths.
  4. Set up logging for all access to personal data to monitor security.
  5. Define internal procedures for reporting data breaches to the competent supervisory authority within 72 hours.
  6. Regularly train employees on data protection topics and document the training.
  7. Implement technical and organizational measures (TOMs) such as encryption and access controls.
  8. Conduct a Data Protection Impact Assessment for particularly sensitive processing operations.
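Steps 3 and 4 above (handling data subject requests and logging access to personal data) and the "GDPR-Compliant Logging" stage in the diagram, as an added Python example that is not part of this module: an access log that stores only an HMAC pseudonym of the data subject, so the log itself holds no personal data, a lookup that collects every access to one subject as input for answering an access request, and the Art. 12 response deadline computed from the receipt date. The key value, field names and sample identifiers are assumptions.

```python
import calendar
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Placeholder key (assumption); in production it comes from a secrets store, never source code.
PSEUDONYM_KEY = b"placeholder-key-from-secrets-store"

def pseudonymise(subject_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a data subject identifier (e.g. customer number).
    Without the key, log entries cannot be linked back to a person."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()

def log_access(log: List[str], user: str, subject_id: str, system: str,
               purpose: str, legal_basis: str,
               when: Optional[datetime] = None) -> Dict[str, str]:
    """Append one access record as a JSON line. No personal data is stored: only
    who accessed which (pseudonymised) subject, in which system, why, and on what basis."""
    entry = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,                  # employee account that accessed the data
        "system": system,              # e.g. CRM or database server (see diagram)
        "subject": pseudonymise(subject_id),
        "purpose": purpose,
        "legal_basis": legal_basis,    # e.g. "Art. 6(1)(b) GDPR (contract)"
    }
    log.append(json.dumps(entry, sort_keys=True))
    return entry

def accesses_for_subject(log: Iterable[str], subject_id: str) -> List[Dict[str, str]]:
    """All logged accesses concerning one subject: the input for an access request."""
    token = pseudonymise(subject_id)
    return [e for e in map(json.loads, log) if e["subject"] == token]

def add_months(d: datetime, n: int) -> datetime:
    """Calendar-month addition, clamped to the last day of the target month."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return d.replace(year=year, month=month,
                     day=min(d.day, calendar.monthrange(year, month)[1]))

def access_request_deadline(received: datetime, complex_request: bool = False) -> datetime:
    """Art. 12 GDPR: respond within one month of receipt; for complex requests the
    period may be extended by a further two months (the subject must be informed within the first month)."""
    return add_months(received, 3 if complex_request else 1)
```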

Common Pitfalls

Further Resources

Knowledge Check

Four questions for self-assessment. Click on each question to see the correct answer and explanation.

What is the main purpose of a record of processing activities according to the GDPR?
  • A) The documentation of all internal training measures
  • B) Ensuring transparency and traceability in data processing
  • C) The recording of all hardware components in the company
  • D) The logging of software updates and patches

Correct Answer: B. The record serves to ensure transparency and traceability in the processing of personal data, not for hardware documentation or training logging.

What is the deadline for reporting a data breach to the competent supervisory authority?
  • A) Within 24 hours of discovery
  • B) Within 72 hours of discovery
  • C) Within 7 working days of discovery
  • D) Within 30 days of discovery

Correct Answer: B. The GDPR requires the reporting of a data breach within 72 hours of discovery if it is likely to result in a risk to the rights and freedoms of natural persons.

What is an essential element of a contract for processing by third parties pursuant to Art. 28 GDPR?
  • A) The determination of the salary structures of the involved employees
  • B) The obligation of the third party to act only upon written instructions of the data controller
  • C) The definition of Service Level Agreements for system availability
  • D) The determination of the notice period for termination of the contract

Correct Answer: B. The third party is obliged to act only upon written instructions of the data controller, which is a central data protection principle.

Which data subject right must be processed within one month of receipt of the request?
  • A) The right to be forgotten
  • B) The right to data portability
  • C) The right to access
  • D) The right to object

Correct Answer: C. The right to access must be processed within one month of receipt of the request pursuant to Art. 12 GDPR, which may be extended by two months for complex requests.