Applicable from 25.05.2018: Check list of measures to be implemented according to the EU General Data Protection Regulation (EU GDPR).

Your company’s status quo in respect of data protection law should be checked against the agenda below. This is a truncated catalogue. A detailed version containing explanations, notes and recommendations is available from our Stuttgart office by request.

By Dr. Jens Bücking, specialist lawyer for IT law (simultaneously data protection officer), Stuttgart

(1) Does the EU GDPR apply to you at all? In particular…

a) Do you offer goods or services with or without charge, and do you process the data of persons residing in the EU in the scope of this?
b) If yes: Do you carry out collection, processing (i.e. storage, transfer, editing, blocking and deletion) in this context and
c) Do you observe the behaviour of natural persons in the EU for the purposes of profiling?

2) Have you carried out an evaluation (GAP analysis, target-performance comparison)?

(3) Have preparatory measures in the company’s organisational structure been taken? In particular…

a) Has the company-internal/official or external data protection officer been involved as required by regulations and at the correct time?
b) Has the workforce been prepared effectively and in good time with regard to the requirements of the Regulation and been trained in its application?
c) Has the works council and/or employee committee been involved in the implementation methods at the correct time and have the relevant employment and/or company agreements been adjusted appropriately?
d) Are regular awareness-raising and training measures going to be implemented from now on (including with regard to the immense penalty fees)?

(4) Do you exchange personal data with offices outside the EU?

a) If yes: Are there justified grounds for this data transfer, such as, particularly,

a. a voluntary, informed, express and specific declaration of consent to a particular processing purpose, or
b. are there other statutory permissive grounds, such as e.g. a company agreement, or
c. is the transfer required, without alternative, for the performance of a contract between you and the data subjects?


b) If yes: Do you transfer personal data to offices outside of the following territories: EU, Andorra, Argentina, Iceland, Canada, Liechtenstein, Norway, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, Uruguay, New Zealand?

c) If yes: Can you base this transfer on a cross-national or multilateral agreement?

d) If no: Do you use any of the following for this transfer as a legal basis with the receiving office?

a. EU standard contract clauses, or
b. Approved company-/group-wide data protection regulations, or
c. any other recognised data protection guarantees, or
d. certification of particular acts of processing?

e) Have the underlying agreements (e.g. task outsourcing, group or consortium etc. collaborations, third-party data processing, data processing centre contracts, cloud, SaaS, ASP, hosting, etc.) been reviewed in accordance with the requirements of the Regulation?

f) If yes: Has an index of all processing activities been drawn up which can be made available to the supervisory authority?

g) Can you prove that the third-party data processor also complies with the requirements of the Regulation?

h) Have all internal office holders and departments which are affected by the data transfers been involved?

(5) Is compliance with the principles of data processing ensured?

a) Is the legality of any and all processing of personal data in all business processes used by you ensured, in particular the principles of …

• limitations with regard to purpose,
• data economy,
• correctness,
• transparency,
• limitation of storage period,
• integrity and
• confidentiality

of data processing?

b) Are the data subjects informed of all circumstances relevant to data protection law and of their rights as data subjects in precise, transparent, intelligible and easily accessible form in clear and simple language prior to the collection of their personal data?

(6) Have information and complaint management procedures been put in place?

(7) Can the right of data subjects to deletion and to be forgotten be exercised effectively? In particular…

Is a deletion policy (including the right to be forgotten) with appropriate deletion periods in place?


(8) Is the validity of consents continuously checked and ensured?


(9) Are you prepared for the data protection impact assessment? In particular…

Is a policy in place for the implementation, documentation and involvement of authorities of the data protection impact assessment procedure?

(10) Are the principles of the Regulation regarding data protection by data security (privacy by design, privacy by default) respected?

(11) Is an effective notification system for data protection incidents in place?

(12) Has advertising (including in particular online advertising) been adjusted according to the EU GDPR?

(13) Has the increased risk potential for the company due to the EU GDPR been implemented into obligatory risk management? In particular…

Have the following been adjusted ?

a. the data protection regulations and the data protection policy,
b. the IT security/data security policy,
c. the archiving, backup and deletion policy (incl. the new right to be forgotten),
d. the emergency policy for data breaches for extended notification duties,
e. the crisis reaction plan (disaster recovery/business continuity) due to extended notification duties,
f. the process index and process descriptions,
g. the data protection management system (DMS) as a further component of the risk management and control system (including for the implementation of the new data protection impact assessment)?
h. Have the declarations of commitment to data secrecy and, if applicable, the confidentiality clauses been adapted?

(14) Has the contract and personnel management been adapted to the EU GDPR?

(15) Have the general documentation duties of the EU GDPR been implemented?