Lesson 8

Your business - this is how you correctly handle data internally

Your progress: 70%

The implementation of the GDPR is above all about documentation. In addition to the data protection policy and data processing agreement, you also need to provide further documents. Below you will find the most important documents:

  • Data protection policy (Lesson 3)
  • Data processing agreement with all third-party providers (Lesson 4)
  • check-square
    Declarations of consent from your customers (Lesson 5)
  • Data protection procedure index
  • check-square
    Employee confidentiality statements

How do you create a GDPR compliant data processing directory?

This index provides transparency about how personal data is processed. However, it also serves as legal protection. In the index, you record how you save and collect data, as well as how and when you delete it.

According to the GDPR, the following elements listed are essential:

Naming the controllers

Naming the purpose of the processing

The affected groups of persons and categories of personal data

Consumers who systematically receive data

Data erasure periods

Non-member states who receive data


Develop your record of data processing with your lawyer or data protection officer. Below you will find a template that can already be filled out in advance.

How can declarations of confidentiality be correctly implemented?

The confidentiality statements of your employees come under technical and organizational measures which is why they should sign a confidentiality statement. In addition you should also encourage your employees to follow privacy by design and privacy by default and train them in this. Last but not least, you should sensitize your employees to document all relevant data processing procedures.

What do “privacy by design” and “privacy by default” mean?

Privacy by design means that state-of-the art technology should already be taken into account and implemented during the conception of a product or a data processing process. In particular, this is implemented through:

  • Data minimization (only collecting the most necessary data)
  • Erasing data when it is no longer absolutely necessary
  • Measures for correctness and completeness of data
  • Transparent and understandable information concerning the data subjects
  • Proactive concepts for IT security and organizational measures.

Privacy by default means that even the default settings (factory settings) of devices or online platforms already have the highest level of data protection as standard. In this way, users who are less tech-savvy should be protected.

Tip 1: Depending on the size of your team, it makes sense to hold a training session on this topic and ensure that employees sign to confirm their participation in the training. Then you will know exactly that all of your employees have been informed about data protection rules.

Tip 2: Since May 25, the declaration of confidentiality can be signed electronically. From this point on, no personal handwritten signatures have been required.

Technical and organizational measures

In Article 32, the GDPR requires processors of personal data “to take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.” There is no further ascertainment, instead the GDPR lists some protection goals:

  • Personal data must be pseudonymised and encrypted.
  • The ongoing confidentiality, integrity, availability and resilience of processing systems and services must be permanently ensured.
  • It must be possible to quickly restore the availability and access to personal data in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

To do all this, you must on the one hand ensure that all data carriers and computers on which personal data is stored and processed are protected. On the other hand, you should change your business processes so that they meet the requirements of the GDPR.  
At Digistore24, for example, we only store our customer data in strictly guarded and secure service rooms. In addition, our employees’ laptops are encrypted and the passwords meet strict security standards. For further protection, each employee signs a comprehensive confidentiality agreement.

Note: The appearance of your TOMs individually depends a lot on what exactly happens in your business. As a rule, Digistore24 vendors and affiliates do not require personal data to be stored on terminal devices used by themselves or their employees. If you process or save such data, you should store it encrypted on a secure cloud service and not on your terminal device.


    Downloads / Learning materials

Example processing directory

Example declaration of confidentiality

Wir möchten ausdrücklich darauf hinweisen, dass dieser Online-Kurs keinesfalls eine Rechtsberatung durch einen Fachanwalt ersetzt und auch keinen Anspruch auf Richtigkeit oder Vollständigkeit hat.

www.digistore24.com | Impressum | Datenschutzerklärung