
Our GDPR guide for everyone
GDPR need not be complicated. We have created a small guide for you on the most important points to consider when processing personal data. Our guide works well for companies of different sizes. This article contains advertising for our product JOUO.
Understand and apply basic principles
The following principles apply to all data processing of personal data. It doesn't matter whether you work with pen and paper, Excel or databases. Yes, you heard right. These principles also apply when working with pen and paper.
- Lawfulness: Every processing of personal data requires a legal basis. Under the GDPR, processing is lawful only if one of the legal bases it recognizes applies. Without such a basis, any processing is unlawful.
You can use the following table to easily check whether one of the criteria for lawfulness applies to you:
| Type of processing | yes/no |
| --- | --- |
| Have you received consent from the data subject (e.g. consent to receive a newsletter) and have you documented this consent? | |
| Is the processing necessary to fulfill a contract with the data subject (e.g. shipping address for an order)? | |
| Is the processing of the data you want to collect required by law (e.g. tax retention obligations)? | |
| Are vital interests of a data subject or another person to be protected (e.g. in a medical emergency)? | |
| Do you have to perform a task in the public interest or in the exercise of official authority? | |
| Is there a legitimate interest in the collection of data, such as a credit check by a bank? This is permitted unless the interests or fundamental rights of the data subject take precedence. | |
- Purpose restriction: Collect and use the data only for specified, explicit and legitimate purposes. You can use the table above to document your purposes.
- Data minimization: Collect only as much data as necessary. If only the email address is required for communication, then refrain from requesting further data, such as the postal address. If you want to offer your users a personal experience, you may also ask for their first name or surname; for a newsletter, for example, make such fields optional.
- Accuracy: Keep the data up to date and correct. An often overlooked point! Outdated or incorrect data is not only bad for business, it also breaches this principle.
- Retention: Do not store data for longer than necessary. Statutory retention periods must be observed (e.g. for invoices).
- Integrity and confidentiality: Take technical and organizational measures to protect data.
- Accountability: It must be possible to prove compliance with all GDPR requirements at any time.
Technical organizational measures (TOMs) are also a central part of this accountability.
If you need support or the effort seems too great, let JOUO help you create them.
Click here for the TOM generator jouo.de. Available from 01.08.2025
You must fulfill your documentation obligations
This obligation actually also applies to micro-enterprises, sole traders and freelancers.
Basically, it's very simple. First create a record of your processing activities: include every process in which personal data is processed (e.g. customer data, employee data, newsletters).
Document legal bases and purposes: for each activity, record the legal basis on which the data is collected and the purpose it serves. Use the lawfulness table above as a template.
Define retention periods: Define how long which data is stored. Simply differentiate between statutory retention obligations such as invoices and information about customers in your CRM. Regularly check compliance with the deadlines you have set. This will save you trouble and expense in the event of a claim.
Implement information obligations
The GDPR obliges you to inform people about how you handle their data. Create a comprehensible privacy policy, publish it on your website, for example, and link to it in your correspondence. If you do not have a website but do have social media profiles, add a note stating, for example, that your privacy policy can be sent on request.
Information obligation during or before data collection: Inform data subjects (e.g. customers, employees) about the purpose, scope and legal basis of data collection as well as their rights (information, deletion, objection). Even if you take this information for granted, you should document this process.
Technical and organizational measures (TOMs)
TOMs are an important part of your data protection strategy and you should know what this requirement is all about.
TOMs describe all technical AND organizational measures that you take in your company. This includes the description and protection of the storage location for documents created with pen and paper, the infrastructure in your office, network, workstations and servers and your IT and internet infrastructure.
What information must be included in a TOM?
Do you restrict the access rights of your employees and service providers? Describe which persons have access to data in your company. For example, describe that only authorized persons have access to personal data and that a password is required for this.
There are numerous tools on the Internet that make it easier for you to create TOMs.
With a subscription to JOUO, you not only get an overview of the risks of your website, but also the TOM generator, which you can use to easily create your own TOMs from 01.08.2025: jouo.de
Data security and data integrity are also among the basic principles of the GDPR
To protect your data, you must secure your IT systems and data with password protection and encryption.
Backups: Protect yourself against data loss with regular data backups.
Training courses: You should regularly raise your employees' awareness of data protection. You can do this yourself or commission service providers to do it for you.
Regulating commissioned data processing
What does this mean for you?
You should conclude data processing agreements (DPAs) for your external service providers (e.g. IT, cloud providers or your payroll accounting). Many providers will come to you with the relevant contracts of their own accord. The DPA is an essential part of your data protection concept.
Check whether you have data processing agreements in place for all your service providers.
Here are some examples of commissioned data processing:
- Use of cloud or SaaS services for customer data
- External hosting of websites or databases
- Maintenance contracts from IT service providers
- Use of newsletter or marketing tools
- External payroll accounting
JOUO can help you identify the infrastructure for which you may need a DPA: jouo.de
Contracts, contracts, contracts: You should check whether your service providers are GDPR-compliant. You can download your service providers' privacy policies and save them as PDFs.
Guarantee data subjects' rights: respond to inquiries promptly
In our opinion, data protection and the GDPR are all too often perceived as an excuse for obstacles to digitalization. In fact, data protection is a useful instrument for safeguarding our rights as users and consumers. This is exactly how we should perceive and apply the GDPR as entrepreneurs.
This means that we must respond to requests from data subjects (e.g. information, erasure, rectification) promptly and in full. In fact, it is very easy to respond to such requests if everything has been documented correctly in advance.
Therefore: Define processes for responding to user requests, for example. This will save you a lot of fuss and time in the event of a data protection request. When describing your processes, you can also define the storage locations for your documents.
Report data breaches
Reporting obligation: Data breaches must be reported to the supervisory authority responsible for your company location within 72 hours. If you suspect that personal data has been copied, i.e. stolen, by criminals, you are obliged to report this incident. Your regional police incident management team will support you in this.
Establish incident management: Define clear procedures in the event of an emergency. You can find templates on the Internet.
Data Protection Officer (DPO)
For companies with 20 or more employees, the following applies: a DPO must be appointed if 20 or more people regularly work with personal data. This role can be filled internally or commissioned externally.
For smaller companies: A DPO can be useful, but is not mandatory.
Register with JOUO and receive regular information on data security and data protection for your IT infrastructure.
Understand data protection as a continuous process
Your business and your business relationships are constantly changing. It is therefore necessary to regularly review and adapt your data protection measures.
You should always consider and evaluate new projects or orders from a data protection perspective. Be it on a construction site or in a coffee house. Don't forget that handwritten lists with personal information of your customers or employees also fall under data protection.
Finally, our step-by-step guide
- Inventory: What personal data is processed where and how?
- Create a list of processing activities.
- Implement privacy policy and information obligations.
- Check technical and organizational measures and improve them if necessary.
- Check/conclude contracts with service providers.
- Train employees.
- Define processes for data subject rights and data protection violations.
- Regular review and adjustment.
Last but not least, check with JOUO whether you have all the information about your web infrastructure and its security. For the GDPR, you must also be able to provide information on how your web infrastructure is secured, whether you are aware of any vulnerabilities and how these are addressed.
Simply register for free and carry out an initial scan: jouo.de
If you find JOUO useful, you can take out a JOUO subscription online at any time. The subscription gives you a detailed insight and you can also book the JOUO TOM functionality. All our subscriptions can be canceled monthly.
With JOUO Surface Attack Monitoring, you can strengthen your cyber resilience in the long term.