GDPR Compliance Kit
67 ready-to-use documents. VVT, DPA, TOM, DPIA, Schrems II, Cookie Banner — full GDPR documentation. Personalised with your company name, audit-ready.
Concrete risks & enforcement practice
Fines up to EUR 20 million
Violations of processing principles (Art. 5-7, 9), data subject rights (Art. 12-22) and third-country transfers (Art. 44-49): up to EUR 20 million or 4% of annual turnover. Breaches of controller/processor obligations (Art. 25-39): up to EUR 10 million or 2%.
Documentation duty
Records of processing, TOM, DPIA, DPAs — everything must be documented.
Data subject rights
Access, erasure, rectification — 1-month deadlines, fines for failure.
Everything you need
Records of Processing (Art. 30)
Excel template with 9 mandatory fields and 14 pre-filled SME examples (e-commerce, SaaS, manufacturing, services).
Data Processing Agreements (Art. 28)
DPA template, sub-processor list, Schrems II / DPF annex, BayLDA-compliant exclusion clause for tax advisors.
Technical and Organizational Measures (Art. 32)
TOM checklist with 8 areas + 60 measures, state-of-the-art 2026 (MFA, immutable backups, Zero Trust).
Data Protection Impact Assessment (Art. 35)
DPIA template, 7-step process, BfDI black-list triggers, consultation procedure.
Data Subject Rights (Art. 12-22)
Workflow + templates for access, rectification, erasure, portability, objection, automated decision-making.
Cookie Banner (§ 25 TDDDG + Art. 6 GDPR)
Banner concept, equal-choice implementation, 12-point audit checklist, Google Consent Mode v2.
Data Breach Notification (Art. 33/34)
72-hour procedure, notification template, data subject information, breach log.
International Transfers (Chapter V)
SCC 2021/914, TIA template, DPF status check, EU alternative providers list.
3 steps to your kit
Fill out the order form
Company details, VAT ID (optional, for reverse-charge), select your tier. You receive an immediate order confirmation by email.
Invoice & bank transfer
Within 24 hours (business days) you receive a proper invoice. Payment term 14 days by bank transfer. For EU B2B with valid VAT ID: reverse-charge.
Download by email
Once payment is received, you get a signed download link to all personalised professional templates. Link valid for 7 days, extendable once.
Choose your tier
One-time payment · Instant download · Buy once, always up-to-date
Purchase as a business under § 1 KSchG / § 14 BGB. By clicking "Order" you accept our Terms and Privacy Policy.
Basis (EUR 990 net)
- 67 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
Plus (EUR 1,290 net)
- 67 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- E-learning module (employee training)
Komplett (EUR 1,490 net)
- 67 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- E-learning module (employee training)
- Trainer pack (PowerPoint + trainer materials for in-house training)
All documents are pre-filled with your company name and license ID. Download link via email.
Multi-company license for corporate groups
Multiple independent sister companies without group affiliation (§ 15 AktG)? +50% surcharge extends the license to 3 companies in total (main customer + 2 sister companies).
Example: Plus 1,290 EUR × 1.50 = 1,935 EUR. Choose the multi-company license at checkout. Details in our Terms § 6.
Note: Templates are based on current case law and source-verified before delivery. Customisation to your specific company situation and final legal review are recommended. 60-day money-back guarantee* per Terms § 8.
What we stand for
Money-back guarantee
If you find any errors, we refund the full purchase price. Details in Terms § 8.
Always current
Updates without time limit within the major version: new regulatory guidelines, CJEU rulings, known follow-up phases of a regulation. Terms § 7.
Source-based + documented
Every document is based on EU regulatory text, BfDI/DSK/BSI/EDPB guidelines, and supreme court case law — the as-of date is noted in each document.
Frequently asked questions
Am I affected by GDPR?
Every company established in the EU — or that processes EU residents' data — is in scope. The "fewer than 250 employees" threshold for the RoPA exemption under Art. 30(5) GDPR almost never applies in practice: HR processing, CRM and marketing consent each meet the "not occasional" criterion and exclude the exemption. Rule of thumb: if you have employees, customers, or newsletter subscribers, you are in scope.
Which tier fits me — Basis, Plus or Komplett?
Basis (EUR 990 net) — You have internal compliance staff (DPO/CISO/HR lead) who can adapt and implement all documents themselves. No employee e-learning required.
Plus (EUR 1,290 net) — most popular — You want to train employees interactively (e.g. to fulfil the AI literacy obligation under Art. 4 EU AI Act or the § 12 AGG protective measures for the liability privilege). Includes a ready-made e-learning module with quiz and attendance certificate.
Komplett (EUR 1,490 net) — You want to run the trainings internally and repeatedly (e.g. for new hires) without booking an external trainer every time. Additionally includes the Trainer Pack: PowerPoint slides with notes, trainer handbook and quiz pool.
What is included in the kit?
67 professionally created documents (Word, Excel, PowerPoint) covering the full GDPR documentation cycle: records of processing (Art. 30), data processing agreements (Art. 28), TOM checklists (Art. 32), data protection impact assessment (Art. 35), data subject rights workflow (Art. 12-22), breach response, deletion concept (DIN 66398), cookie banner concept, privacy notices for website / employees / applicants. Personalised with your company name on delivery.
Can I keep the templates forever?
Yes. After purchase you receive a download link containing all personalised professional templates. The files belong to you completely — you can store, integrate, edit and archive them. No cloud dependency, no per-device license activation, no internet connection required for use.
What does "buy once, always up-to-date" mean?
You receive all updates of the kit as long as the kit is maintained in its current major version. Major version means: same regulatory basis, same scope. Updates arrive when authorities publish new guidance, new case law is published, or known follow-up phases of a regulation kick in. If a substantially new regulation supersedes the existing one, a new major version emerges — existing customers receive a 50% discount. Details in Terms § 7.
What does the 60-day money-back guarantee cover?
If the content of a template is provably legally incorrect (proven by a lawyer's letter or authority statement), we refund the purchase price. Deadline: 60 days from delivery. Processing within 14 business days of a complete defect report. Details in Terms § 8.
Do I need an RoPA if I have fewer than 250 employees?
Yes, in practice almost always. The 250-employee threshold in Art. 30(5) GDPR only applies if the processing poses no risk to data subjects, is not regular AND does not concern special categories of data. HR processing, CRM and newsletters each individually meet the "regular" criterion and exclude the exemption.
Is a DPIA mandatory or recommended?
Mandatory — where a high risk is likely under Art. 35 GDPR. Supervisory authorities publish must-lists (DSK "List of mandatory DPIA cases"): systematic evaluation, large-scale Art. 9 data, tracking, AI profiling. A prior threshold assessment is standard practice.
How much is the GDPR fine for SMEs?
Up to EUR 20 million or 4% of worldwide annual turnover (whichever is higher). Germany 2024: AOK EUR 1.24 million, H&M EUR 35.3 million, Deutsche Wohnen EUR 14.5 million. Typical SME fines: EUR 5,000-80,000 per violation. The BfDI activity report shows: 85% of supervisory enquiries start with a request for the RoPA.
Do I need a Data Protection Officer (DPO)?
Mandatory from 20 permanent employees engaged in personal data processing (§ 38 BDSG). Also: where core activities involve profiling/monitoring or special categories (Art. 9 GDPR), regardless of headcount. External DPO is permitted and often more cost-effective.
Do I need a DPA with my tax advisor?
No. The Bavarian supervisory authority (BayLDA) clarified in 2024 that tax advisors are not processors but independent controllers. No DPA required. Payroll service providers are different — they typically act as processors, so a DPA under Art. 28 GDPR is mandatory.
What do I have to do for a personal data breach within 72 hours?
Within 72 hours of becoming aware, the competent supervisory authority must be notified (Art. 33 GDPR). Content: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken. If a high risk to data subjects is likely, the data subjects must be informed as well (Art. 34 GDPR). Practice tip: document the workflow in advance.
Are Standard Contractual Clauses (SCCs) still valid after Schrems II?
Yes. SCCs 2021/914 remain the primary instrument for third-country transfers. The EU-US Data Privacy Framework (DPF, in force since 07/2023, upheld by the General Court 09/2025) additionally permits transfers to certified US companies without SCCs. A Transfer Impact Assessment (TIA) is still required.
Is a simple "Accept"-only cookie banner sufficient?
No. The CJEU confirmed in C-673/17 and subsequent rulings: a cookie banner must offer a genuine choice — "Accept" and "Reject" must be equally prominent. No dark patterns. No pre-ticked boxes. German TDDDG compliance additionally requires a pre-consent mode for non-essential cookies.
Can Microsoft 365 / Copilot be used in a GDPR-compliant way?
Yes, with adjustments. The Data Protection Conference (DSK) clarified in 2024 that the M365 standard configuration is not GDPR-compliant. Mandatory: DPA with Microsoft, EU Data Boundary enabled, telemetry reduced, Copilot with tenant isolation. A documented M365 assessment process is audit-mandatory.
How often must GDPR training be repeated?
Supervisory standard: annual refresher plus ad-hoc trainings on demand (new processes, incidents, case-law changes). DSK and BvD confirm: a one-time training is not sufficient. Records with proof of attendance are mandatory (Art. 5(2) GDPR accountability principle).
What does the CJEU ruling C-203/22 mean for access requests?
For automated decisions (scoring, ADM under Art. 22 GDPR), controllers must disclose "meaningful information about the logic involved" to data subjects. In practice: credit scoring, HR algorithms, insurance tariffs — the algorithm must be explainable.
Is ISO 27001 sufficient as GDPR evidence?
No, but it is an excellent TOM building block. ISO 27001 covers Art. 32 GDPR (TOMs) by approximately 80%. GDPR requirements beyond this, namely the RoPA (Art. 30), data subject rights (Art. 12-22), the DPIA (Art. 35) and third-country transfer documentation, are not covered by ISO 27001. A mapping workbook helps to close the gap.
Do I need a deletion concept?
Yes, derived from Art. 5(1)(e) GDPR (storage limitation) and Art. 17 GDPR (right to erasure). Standard: a DIN 66398-compliant deletion concept with retention periods per data category. Statutory retention duties must be considered: HGB (10 years), AO/tax code (10 years), SGB/social code (5 years), employment-law retention duties.
What is the difference between GDPR and BDSG?
The GDPR is directly applicable EU law. The BDSG (German Federal Data Protection Act) supplements the GDPR via national opening clauses: employee data protection (§ 26 BDSG), public-authority data processing, DPO duty (§ 38 BDSG), sanctioning rules (§§ 41-43 BDSG). In case of conflict, the GDPR prevails.
Which training fulfils § 53 BDSG (confidentiality obligation)?
§ 53 BDSG requires a written commitment to confidentiality upon taking up the activity — it does not prescribe a specific training format. Standard practice: a written confidentiality declaration plus a basic GDPR training. Supervisory authorities accept an online course with quiz, provided attendance is documented.
Do I need an EU representative under Art. 27 GDPR?
Mandatory for companies established outside the EEA that process personal data of EU data subjects and fall within Art. 3(2) GDPR. In practice: US, UK (post-Brexit), Swiss and other third-country businesses with EU customers. Cost: from approximately EUR 80/month via specialised providers.
When does a supervisory authority have to be consulted (Art. 36 GDPR)?
When a DPIA indicates a high residual risk that cannot be mitigated. Consultation duration: 8 weeks, extendable. Practical examples: large-scale biometric identification, AI profiling of children. A prior consultation significantly reduces the fine risk.