GDPR



What is the purpose of the EU General Data Protection Regulation?
The General Data Protection Regulation (GDPR) protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. It protects natural persons against infringement of their personal rights wherever their personal data are processed.
The GDPR applies to all natural persons and companies in Europe, and to companies outside Europe that are active on the European market. Until now, the national data privacy laws of the individual EU countries have differed considerably. European data privacy directives were transposed into national law in various ways, with the independent and autonomous supervisory authorities of each country applying them differently. The GDPR brought this inconsistency in European data privacy law to an end.
What are the new requirements?
The GDPR (German: DSGVO) presents companies with new challenges. These include, but are not limited to:
- More extensive obligations to provide evidence and documentation
- Additional rights for data subjects, such as extended information obligations, the right to be forgotten and data portability
- Establishment of a procedure for reporting data privacy violations to the supervisory authorities within 72 hours
- Processing activities involving personal data must be documented both by the client (controller) and by the contractor (processor)
- Technical and organisational measures must be defined and implemented on the basis of a risk-based procedure
Heavier sanctions
Penalties for data breaches have been increased. Violations may result in fines of up to €20 million or 4% of total annual worldwide revenue, whichever is greater. Such fines can have serious consequences for companies. To avoid them, companies should address the requirements of the GDPR in good time and pay particular attention to the documentation and verification obligations as well as to their data protection processes.



Data privacy experts
Our data privacy officers advise companies on how to integrate the complex requirements of effective data privacy into their business processes. We support companies in developing processes for handling personal data on the basis of current laws and guidelines. Our consultants work with you to determine your current status and help you develop the concepts needed to set up a data privacy management system suited to your company and to implement the requirements of the GDPR.
We draw on many years of experience and proven methods in setting up management systems, in particular information security management systems. In the fields of data privacy and information security, our experts hold qualifications as certified data protection officers, TÜV data privacy auditors, ISO 27001 auditors, ISO 27001 auditors based on BSI IT-Grundschutz, IT-Grundschutz auditors (BSI), IT security officers (BVSW, DIHK), ISO 20000 auditors, ITIL v3, Project Management Professional (PMI) and PRINCE2. Trigonum is also an active member of the data privacy associations BvD e.V. and GDD e.V.



Our Approach
A data privacy management system should be put in place to ensure efficient implementation of the requirements. We have developed a process model with which companies can implement the requirements in a targeted manner. We examine the requirements individually and assess the current situation in your company.
Project initialisation
Defining the framework conditions and resources for the project, as well as the project organisation and the project procedure.
GAP analysis
Taking stock of the current situation and identifying deviations from data privacy requirements.
Concept development
Development of tailor-made data privacy processes and concepts for the data privacy management system.
Implementation
Implementation of the defined processes and concepts.
Start of the DPMS
Living data privacy: continuous planning, monitoring and improvement of data privacy in the company.


Related Services
If a data privacy incident occurs at the controller or at a processor acting on its behalf, it may be necessary to notify the competent supervisory authority within 72 hours and, where necessary, to inform the data subjects concerned. A suitable procedure for handling data privacy incidents must therefore be implemented so that the legal requirements on containing the severity of the incident and on the duty to provide information can be met promptly.
Answering questions such as "In which processing operations are personal data processed?" or "Who has access to the data processed within a given operation?" is often difficult for those responsible, because the necessary transparency is lacking. A first step towards transparency is to collect the relevant information on each individual processing operation, such as its legal basis, any data transfers, and the technical and organisational measures that ensure data privacy.
Companies that collect, process or use personal data are obliged to take the technical and organisational measures (TOM) necessary to comply with the provisions of the GDPR. Measures from the following areas are to be taken, provided that the effort involved is proportionate to the intended protective purpose.