A GDPR compliance audit maps all personal data processing activities in a company against the requirements of the GDPR. Key outputs include: a Record of Processing Activities (RoPA) identifying all data flows, purposes, legal bases, and retention periods; an assessment of technical and organizational security measures; an identification of missing data processing agreements with service providers; and a gap analysis against GDPR requirements. The audit provides the foundation for a structured compliance program and prioritizes actions by risk level.
Every processing of personal data must have a lawful basis. The GDPR provides six lawful bases: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. In business practice, the most commonly relevant bases are consent, contract performance, and legitimate interests. Each basis has its own requirements and limitations: consent must be freely given, specific, informed, and unambiguous; legitimate interests processing requires a balancing test showing that the interests of the data subject do not override the legitimate interests of the controller.
Any service provider that processes personal data on behalf of your business must have a GDPR-compliant data processing agreement (DPA) in place. This covers cloud providers, SaaS tools, email marketing platforms, HR systems, and many others. International transfers of personal data outside the EEA require additional safeguards: Standard Contractual Clauses (SCCs) are the most commonly used mechanism, supplemented by a Transfer Impact Assessment (TIA) for transfers to high-risk countries. We identify all processors and manage the DPA and transfer documentation.
When a personal data breach occurs — whether through a cyber attack, accidental disclosure, or human error — a tight legal response timeline begins immediately. Under the GDPR, a breach that is likely to result in a risk to the rights and freedoms of individuals must be notified to the competent supervisory authority within 72 hours. If the breach is likely to result in a high risk, affected individuals must also be notified directly. Preparing a breach response plan in advance — including escalation procedures, documentation templates, and authority notification protocols — is essential to meeting this deadline.
The GDPR applies to any organization that processes the personal data of individuals located in the EU, regardless of where the organization is based. If you have customers, employees, or website visitors in the EU — including Germany — the GDPR almost certainly applies to you. There is no minimum size threshold: even sole traders and small businesses are covered. The scope includes processing by automated means and (in certain cases) processing in paper files.
GDPR fines can be significant: up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious violations, including insufficient legal basis for processing, violations of data subjects' rights, and international transfers without adequate safeguards. Less serious violations attract fines of up to €10 million or 2% of global annual turnover. In practice, German supervisory authorities have imposed multi-million euro fines on major companies and have also sanctioned smaller businesses for systematic violations.
A Record of Processing Activities (RoPA) is a documented inventory of all data processing activities carried out by an organization. It is required by Article 30 GDPR for organizations with 250 or more employees and for smaller organizations whose processing poses risks to data subjects' rights. In practice, a RoPA is a fundamental compliance tool for all businesses: it provides the foundation for privacy notices, data processing agreements, data retention policies, and the assessment of data breaches.
When you receive a data subject access request under Article 15 GDPR, you must respond within one month. The response must confirm whether personal data about the individual is processed, and if so provide a copy of the data together with specified information about the processing. The deadline can be extended by a further two months in complex cases, but the individual must be informed of the extension within the first month. Failure to respond within the deadline is itself a GDPR violation.
Yes, in principle, it is possible – but not without scrutiny. For tools like ChatGPT, Microsoft Copilot, Google Gemini, or other AI systems, the main questions are what data is entered into the systems, for what purposes this happens, and whether personal data or confidential information is involved. Particularly relevant from a legal perspective are the legal basis for processing, data security, possible data transfers to third countries, the confidentiality of sensitive information, and internal usage guidelines. Especially in a corporate context, the use of AI tools should not happen "just like that," but should be secured by clear guidelines, training, and data protection audits.