Who in the company is affected by data protection?

always bear overall responsibility for data protection and other legal issues. They cannot transfer this responsibility to others and are liable for any breaches with high fines.

Data Protection Officers (internal or external)
are the advisers of management and other responsible people in the company. Their role is to ensure compliance with the legal regulations, to review documentation, to carry out preliminary checks and provide training, and much more besides.

Personnel managers
must comply with data protection requirements relating to employment contracts and the obligation to ensure data confidentiality in accordance with GDPR, and relating to company-wide agreements for the use of IT systems as well as the viewing of automated system logs.

The Works Council
in collaboration with management it draws up, among other things, the company-wide agreements for the use of IT systems such as email and the internet (e.g. private use), and devises rules for viewing staff emails – and also system logs in emergencies – as well as organising the introduction of monitoring and time recording systems and data archiving etc.

Controllers / accountants
work with personal data and processes on a day-to-day basis, e.g. payroll, sickness leave, transmission of data to tax consultants, storage of old data, commission calculations, performance assessments etc. They must ensure that their processes and transferring of data comply with data protection requirements.

IT management
is responsible among other things for implementing systems and IT rules, audit-compliant archiving of emails and files, contracts with external service providers, documentation, helping to draw up company-wide agreements, devising a holistic IT policy and IT security measures (encryption, password procedures), backups, protection against attacks and the diagnosing of vulnerabilities, as well as data recovery and data destruction.

Sales and Marketing management
is responsible for the use of customer data in CRM systems and in online surveys and mailshots etc., but also for the use of data relating to the company's own staff (e.g. commission calculations and employee rankings). In addition to this, the use of mobile devices and collaboration with external service providers (call centres, marketing agencies etc.) has to be arranged in a legally compliant manner.

must be informed and made aware of issues regularly according to the General Data Protection Regulation (GDPR). When they sign an employment contract employees must be bound to observe data confidentiality according to GDPR, and they must abide by the legal provisions contained in the GDPR.

Suppliers, partners, service providers etc.
External partners are also required to comply with the Data Protection Act. Responsibility for this lies with the commissioning party. The latter is legally obliged to carry out checks/audits.