Tailor-Made Data Protection Solutions
Data protection – duty becomes opportunity
Data protection seems to be a tiresome topic for many companies: complex, time-consuming and associated with many obligations. Yet data protection can be more than just a legal necessity – it strengthens your company’s reputation and protects you from legal consequences. We help you to implement data protection pragmatically, efficiently and economically.
Data as the most valuable asset
Data is one of a company’s most valuable assets. Be it customer, process, employee or supplier data: Protecting this “treasure trove of data” against loss and any kind of improper action has become one of the major management tasks of our time, particularly as a result of advancing digitalization. Not least because customers are placing more and more value on the proper use of their data. However, with so many different laws, it is difficult to maintain an overview and not neglect any of the obligations. What’s more, technological progress and innovations such as AI and quantum computing are constantly creating new challenges in data processing and therefore in data protection.
94%
of organizations say their customers would not buy from them if they did not properly protect data.¹
20%
of privacy professionals say they are fully confident that their organization complies with data protection laws.²
48%
of organizations enter non-public company information into GenAI apps.¹
Fulfilling duties – without losing focus
There is an intrinsic motivation behind many business decisions – such as the introduction of a new system to improve customer loyalty or the optimization of processes. Data protection, on the other hand, is usually not driven by intrinsic motivation, but by legal requirements. For many companies, this makes it a mandatory task that does not appear to offer any direct added value. However, data protection can be more than just a legal requirement – it can minimize risks, secure business processes and create trust.
The drivers for external data protection consulting and the final commissioning can be manifold:
Data protection violations can be expensive – not only in the form of fines, but also through the loss of customer trust. Companies that see data protection as a risk want to actively manage it. This includes fulfilling standard obligations such as regularly deleting personal data or ensuring legally compliant processing.
In many companies, data protection is perceived as an obstacle. New systems, innovative business models or data-driven processes seem to be slowed down by data protection requirements. But data protection doesn’t have to be a showstopper: With a strategic approach, requirements can be efficiently integrated into existing and new processes without preventing efficient data processing.
Data protection is often a particular challenge for companies based outside the EU that do business in Europe. In many cases, the GDPR requires the appointment of an EU representative who acts as a point of contact for authorities and customers. We take on this role and ensure that all data protection requirements are met in order to avoid legal risks.
Start-ups often have limited resources for data protection. Many start-ups therefore initially only rely on the bare essentials to keep operations running. However, as the company grows, attracts larger customers or investors come into play, data protection becomes a business-critical factor. We help start-ups to create scalable data protection structures that grow with the company and meet the requirements of partners and investors.
A change in management or HR can raise questions: What data protection processes are in place? Where are there risks? Which responsibilities need to be clarified? Gaps in knowledge can arise, especially when the previous data protection officer leaves the company. We ensure that data protection processes continue seamlessly and that no compliance gaps arise.
Data protection is playing an increasingly important role in company sales, investments or mergers. Investors and buyers check carefully whether a company is well positioned in terms of data protection law – because inadequate data protection measures can be a deal breaker. We support companies in preparing for due diligence and help investors to correctly assess data protection risks for potential investments.
Organization – Operation – Culture
Data protection as an integral part of every company
To make data protection effective, companies must take a holistic approach and understand it as a triad of organization, operation and culture.
We provide support in these areas
Implementation of a Data Protection Management System (DSMS)
A data protection management system (DSMS) enables companies to manage data protection systematically, efficiently and sustainably.
valantic supports companies in the successful introduction and maintenance of a DSMS. We create a customized data protection concept that takes into account not only the legal requirements (including GDPR) but also the individuality of existing company structures. The fulfillment of documentation obligations and regular data protection audits are just as much a part of our tasks as consulting in the area of technical data protection.
Appointment as Data Protection Officer (DPO)
The appointment of a Data Protection Officer (DPO) is a legal requirement for many companies.
The DPO reviews data protection processes, trains employees and advises the company on all data protection-related issues. In addition to the necessary up-to-date specialist knowledge, an external DPO has an objective perspective that helps to identify and minimize data protection risks. Our data protection experts support you in managing data protection requirements and develop a data protection strategy tailored to the company’s needs. This ensures that legal requirements are met and the client’s business objectives are not compromised.
Audits with practical recommendations and templates
In a constantly changing legal landscape, regular audits ensure that companies comply with all legal requirements in order to minimize risks and avoid data protection violations.
Our audit services go beyond a comprehensive analysis of internal data protection processes: upon completion of the audit process, practical recommendations and sample templates are provided that can be implemented immediately. The aim is to help companies identify potential for improvement and provide them with practical tools to not only effectively implement changes to existing processes, but also to create a positive attitude towards data protection.
Transfer of data protection know-how
The transfer of data protection know-how ensures that all employees, including managers, understand and can implement the legal requirements and best practices in data protection.
Through tailored training on topics such as dealing with data subject requests, data security and the implementation of data protection guidelines, we ensure that employees stay up to date and avoid potential data protection violations. This targeted sensitization lays the foundation for conscious and compliant handling of personal data in everyday working life. The aim is to impart theoretical knowledge and provide practical insights and specific instructions to ensure that employees comply with data protection regulations and protect the integrity and security of sensitive information.
Support with Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessment (DPIA) is required if planned processing operations are likely to pose a high risk to the rights and freedoms of data subjects.
Topics such as the use of video surveillance systems or artificial intelligence, the transfer of data to unsafe third countries or other risky processes require a data protection impact assessment. Through a thorough analysis, our experts help companies to answer individual questions on a case-by-case basis by identifying potential risks and developing customized and pragmatic recommendations for action. This ensures that data processing complies with data protection regulations at all times.
Advice on data processing systems
The choice and configuration of a data processing system determines the efficiency and security of internal data processes.
To ensure that data processing systems meet the requirements of the GDPR and other data protection laws, aspects such as data security, access control and transparency must be taken into account. valantic offers a comprehensive preliminary review of data processing systems and provides companies with professional advice on data protection-related aspects to ensure smooth and compliant handling of personal data. In this way, we lay the foundation for secure and data protection-compliant data processing.
Immediate assistance in dealing with data protection incidents
In the event of a data protection incident, quick and targeted action is crucial to limit damage and avoid legal consequences.
Whether data protection breaches, complaints or inquiries from authorities and affected parties – we offer you professional immediate assistance to clarify controversial data protection incidents comprehensibly and completely and to take the right measures to restore data integrity. Our experts will support you in clarifying the incident, develop practical solutions to limit the damage and ensure that all necessary steps for reporting to the data protection authorities in accordance with the GDPR are taken. We also support you in implementing preventive measures to avoid similar risks in the future.
Compliance audits of websites (GDPR, TDDDG)
Compliance with the GDPR and the TDDDG (Act on Data Protection and Privacy in Telecommunications and Digital Services) is crucial for websites to avoid fines and legal problems.
valantic offers compliance audits to ensure that companies’ websites comply with data protection regulations – especially with regard to cookies, tracking and the processing of personal data. Our experts check your website for compliance with current data protection laws, identify potential weaknesses and provide practical recommendations for legally compliant optimization. In this way, you not only protect your legal position, but also strengthen the trust of your users.
A selection of exemplary use cases
-
What next?1/5
Non-fulfillment of data subject rights
An employee of the company failed to comply with a customer's right to object to receiving advertising emails (pursuant to Art. 21 GDPR). The customer continued to receive unsolicited advertising by email and immediately complained to the data protection supervisory authority. The company was then asked by the authority to comment on the implementation of the rights of the data subject. What next?
-
What next?2/5
Lack of transparency regarding video recording
A company installs and operates video surveillance cameras on its sales floor without the knowledge of its employees and customers. An employee notices this and requests information about the purpose of the video surveillance in accordance with Art. 15 GDPR. What next?
-
What next?3/5
Disclosure of customer data
Goods ordered online were sent to a customer by post, but an invoice with data from another customer was enclosed with the package. The invoice contained the customer's name, address, information about the ordered goods and bank details. The customer concerned was informed of this and complained to customer service. What next?
-
What next?4/5
Lack of consent for data processing
A company engages in telephone advertising without the consent of its customers. An attentive customer then contacts the company's data protection officer and asks for a statement. What next?
-
What next?5/5
Processing of sensitive company data using AI
An employee uses an AI application that is freely accessible via the web browser to analyze internal documents and enters sensitive company data (trade secrets, customer information) into the prompt. A short time later, the company's IT department documents several data leaks that can be traced back to the input of company data into the AI. What next?
Recommended procedure and legal basis
Procedure:
- Review of implementation: An internal review of the facts shows that the customer has actually exercised their right to object, but that the employee responsible has not complied with this.
- Implementation of the objection: The customer’s data record is provided with a “blocking note” in the system, which clearly indicates that the customer’s data may not be processed further.
- Internal training and process optimization: The company carries out a holistic review of the implementation of data subject requests to ensure that no more violations of this kind occur in the future. Employees are again made aware of how to deal with requests from data subjects.
- Statement to the authority: In its statement to the authority, the company states that it did not in fact comply with the customer’s objection, but has since taken measures to prevent such an incident from occurring in the future. The authority accepts the statement and (exceptionally) refrains from imposing a fine.
Legal background: The rights of data subjects are regulated in Art. 12-22 GDPR and guarantee natural persons control over their personal data. Companies must therefore establish processes to implement the rights of data subjects in their organization.
Procedure:
- Provision of information: The employee is informed that video surveillance is used to prosecute criminal offenses and administrative offenses, which have recently increased.
- Fulfillment of information obligations: The company takes its employee’s request as an opportunity to post signs about video surveillance for everyone to see. These include the name and contact details of the controller and the data protection officer, the legal basis and purposes of data processing and the storage period.
Legal background: The GDPR and the BDSG stipulate that video surveillance in publicly accessible areas may only be carried out under strict conditions. Data subjects must be clearly informed and there must be a legitimate purpose for the surveillance. Surveillance recordings may only be stored for a limited period of time, usually up to 72 hours.
Procedure:
- Risk analysis: Customer service informs the company’s data protection officer, who then carries out a risk analysis. It is determined that this is a reportable data breach.
- Notification and damage limitation: The data protection supervisory authority and the data subjects are informed of the incident and the measures taken or to be taken in accordance with Art. 33/34 GDPR. Furthermore, the customer who received the incorrect invoice is requested to delete it.
- Prevention and training: The employees responsible for preparing shipments are again made aware of the need to always check the documents enclosed with the goods (e.g. invoices) for correctness.
Legal background: In accordance with Art. 33 and 34 GDPR, data breaches that pose a high risk to the rights and freedoms of data subjects must be reported to the competent supervisory authority within 72 hours. The data subjects must also be informed in order to take appropriate protective measures.
Procedure:
- Process review: The company discovers that consent is always required to carry out telephone advertising, which has not been obtained at the current time.
- Process adjustment: The process is redesigned in close cooperation with the data protection officer: From now on, customers’ express consent must be obtained and documented before any telephone advertising is carried out. In addition, all employees will be trained and made aware of these changes to ensure that the requirements are implemented correctly.
- Statement to the customer: The data protection officer informs the affected customer in an official statement that the process has been revised. In future, telephone advertising will only be carried out with the legally required and documented consent.
Legal background: Art. 6 GDPR defines the legal bases for the processing of personal data. One of these legal bases is consent in accordance with Art. 6 para. 1 lit. a) GDPR, which is required for certain processing activities (e.g. telephone advertising).
Procedure:
- Risk analysis: A review of the incident reveals that personal and confidential company data is affected. A breach of the GDPR and the Trade Secrets Act (GeschGehG) is identified.
- Notification and damage limitation: The data protection supervisory authority and the data subjects are informed of the incident and the measures taken or to be taken in accordance with Art. 33 / 34 GDPR. The AI provider is also requested to delete the data.
- Prevention and training: Internal guidelines on the data protection-compliant use of AI applications are drawn up and employees are given special training. In addition, a clear instruction is communicated that only internal AI systems that are operated in the company’s own IT infrastructure may be used. Freely accessible AI systems may only be used to a limited extent.
Legal background: According to Art. 33 and 34 GDPR, data breaches that pose a high risk to the rights and freedoms of data subjects must be reported to the competent supervisory authority within 72 hours. The data subjects must also be informed in order to take appropriate protective measures.
We attach particular importance to this
Expertise
Benefit from our many years of experience and in-depth expertise in data protection law. Our experts are always up to date with the latest legal requirements and technological developments.
Consulting at eye level
Our data protection experts speak your language and understand your individual challenges. We value working together as partners, focusing on your needs and goals.
Tailor-made solution
We don’t provide you with standard solutions – we develop individual strategies perfectly suited to your company size, industry, and working methods. From risk analysis to implementation, we support you with tailor-made solutions that are not only legally compliant but can also be efficiently integrated into your day-to-day work.
Pragmatism
We know that data protection must not only meet legal requirements but must also fit into everyday business life. That’s why we focus on practical and implementable solutions that do not unnecessarily complicate your processes. Our approach is solution-oriented and efficient – so that you can concentrate on your core business while we take care of data protection for you.
Convince yourself and contact us
We look forward to your request
