Lesson 8

Your business - this is how you correctly handle data internally

The implementation of the GDPR is above all about documentation. In addition to the data protection policy and data processing agreement, you also need to provide further documents.

Below you will find the most important documents:

  • Data protection policy (Lesson 3)
  •  Data processing agreement with all third-party providers (Lesson 4)
  • Declarations of consent from your customers (Lesson 5)
  • Data protection procedure index
  • Employee confidentiality statements

How do you create a GDPR compliant data processing directory?

This index provides transparency about how personal data is processed. However, it also serves as legal protection. In the index, you record how you save and collect data, as well as how and when you delete it.

According to the GDPR, the following elements listed are essential:

This is your company and its representatives. Should you have other controllers, a deputy, or even a data protection officer, these should also be listed here with their name and contact details.

According to GDPR, every data process is limited. If you have obtained consent in accordance with the law, you have communicated this purpose in advance (product newsletter, analysis of visitor data, etc.) and you need to specify it here.

For example, groups of “employees” or also “customers” - depending on for whom the corresponding procedure applies.

No matter whether internally or externally. External service providers with whom data processing is completed are also listed here

There are different deadlines for erasing data depending on the specific purpose. Enter this here. Further information regarding all deadlines can be found in our additional learning materials.

When transmitting data to non-member states, the name of these states should be mentioned. Non-member states are countries that are not members of the EU, that receive data from the EU.


Develop your record of data processing with your lawyer or data protection officer. Below you will find a template that can already be filled out in advance.

How can declarations of confidentiality be correctly implemented?

The confidentiality statements of your employees come under technical and organizational measures which is why they should sign a confidentiality statement. In addition you should also encourage your employees to follow privacy by design and privacy by default and train them in this.

Last but not least, you should sensitize your employees to document all relevant data processing procedures.

What do “privacy by design” and “privacy by default” mean?

Privacy by design means that state-of-the art technology should already be taken into account and implemented during the conception of a product or a data processing process. In particular, this is implemented through:

- Data minimization (only collecting the most necessary data)
- Erasing data when it is no longer absolutely necessary
- Measures for correctness and completeness of data
- Transparent and understandable information concerning the data subjects
- Proactive concepts for IT security and organizational measures.

Privacy by default means that even the default settings (factory settings) of devices or online platforms already have the highest level of data protection as standard.

In this way, users who are less tech-savvy should be protected.

Tip 1: Depending on the size of your team, it makes sense to hold a training session on this topic and ensure that employees sign to confirm their participation in the training. Then you will know exactly that all of your employees have been informed about data protection rules.

Tip 2: Since May 25, the declaration of confidentiality can be signed electronically. From this point on, no personal handwritten signatures have been required.

Technical and organizational measures

In Article 32, the GDPR requires processors of personal data “to take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.” There is no further ascertainment, instead the GDPR lists some protection goals:

  • Personal data must be pseudonymised and encrypted.
  • The ongoing confidentiality, integrity, availability and resilience of processing systems and services must be permanently ensured.
  • It must be possible to quickly restore the availability and access to personal data in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

To do all this, you must on the one hand ensure that all data carriers and computers on which personal data is stored and processed are protected. On the other hand, you should change your business processes so that they meet the requirements of the GDPR.  

At Digistore24, for example, we only store our customer data in strictly guarded and secure service rooms. In addition, our employees’ laptops are encrypted and the passwords meet strict security standards. For further protection, each employee signs a comprehensive confidentiality agreement.

Note: The appearance of your TOMs individually depends a lot on what exactly happens in your business. As a rule, Digistore24 vendors and affiliates do not require personal data to be stored on terminal devices used by themselves or their employees. If you process or save such data, you should store it encrypted on a secure cloud service and not on your terminal device.

Downloads / Learning materials

Example processing directory


Example declaration of confidentiality


←To lesson 7

To lesson 9→

Overview Lectures

Switch quickly and easily to all lessons of the course.

Course Overview
Lesson 1 GDPR basics - definitions
Lesson 2 Data protection: Your business - your responsibility
Lesson 3 Data protection declaration
Lesson 4 Data processors
Lesson 5 Email marketing: what changes
Lesson 6 Lead magnets and the coupling prohibition
Lesson 7 GDPR compliant tracking
Lesson 9 Information request
Lesson 10 GDPR and Digistore24

We would like to expressly point out that this online course in no way replaces legal advice from a specialist lawyer and has no claim to correctness or completeness. 

www.digistore24.com | Impressum | Privacy policy

English | German

Made with Coachannel Badge