Basics: The data protection concept – the company’s individual data protection bible

by Carolin

The data protection concept is part of the organizational measures for the security of processing according to Art. 32 GDPR. The concept represents the company-wide guideline for the implementation of the data protection regulations from the GDPR. In the document, your company values and responsibilities are holistically defined, processes are described and data protection standards to be observed are laid down for your employees. In our article we will show you what such a concept looks like in practice.

Why is this document necessary in the company?

Since the documentation of the “technical and organizational measures” usually focuses more on the technical part, the organizational part must be described separately. A data protection concept records in detail how you comply with the strict requirements of the GDPR. This means that the document refers to and describes the individual guidelines, the standard processes and their specific implementation, including the persons responsible. On the one hand, this should make the topic of data protection easier for you in your day-to-day work, as you can always look things up in your own data protection bible. On the other hand, the concept is intended as a resource that you can hand to new employees during their training. In this way, you automatically convey the importance of data protection to your employees. It explains how data protection is practised in your company, whom to turn to for individual topics within the company, and when the data protection officer is consulted.

Content of a data protection concept

The content of the data protection concept is based on the requirements of the GDPR that have to be fulfilled. In the document, among other things, the topics of employee data protection, raising employee awareness (training), processing activities, commissioned processing (processing on behalf of a controller) and data protection impact assessment are dealt with. For example, under the heading “Data breach”, the concept first explains what exactly this topic is about and which legal provision applies. It then names the internal responsibilities so that it is clear who to turn to in a specific case. Next, reference is made to the standard process “Data breach notification”, which describes exactly how to proceed in such a case and at what point in time the company’s data protection officer is to be involved.

Proof to the supervisory authorities

As described at the beginning, the data protection concept is the document that records the organizational measures taken by a company in accordance with Art. 32 GDPR and specifies how compliance with them is ensured. Therefore, the concept also serves as evidence to the supervisory authority in the event of a data protection audit of the company.

Rest of the procedure

As your external data protection officer, we will create the data protection concepts for you in 2020 and make them available to you. The document is also automatically stored in your data protection manual.

Do you have any questions on this subject? Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!


As a certified business economist (geprüfte kaufmännische Betriebswirtin), Carolin has several years of professional experience in the field of data protection and keeps an eye on the bigger picture. She combines her experience from the commercial sector with her qualification as a TÜV-certified data protection officer. Her specialist areas are the practical implementation of the GDPR, individual solutions for companies, and data protection in healthcare. Her work focuses on creating concepts, optimizing processes, and implementing data protection in companies in a practical, solution-oriented way.