Basic Information on the mandatory Data Protection Law
All companies, associations and syndicates, authorities and institutions are generally subject to data protection obligations. If more than nine of your company's employees handle personal data, you must also appoint a qualified data protection officer (§ 4f BDSG, Federal Data Protection Act).
Reporting obligations and labelling requirements need to be taken into account, and a data protection organisation needs to be set up and consistently put into practice. This includes all measures for the technical and organisational protection of personal information. All activities are to be documented for due diligence purposes.
Blossey & Partner divides feasible data protection into four main subject areas:
Technology (ICT - EDP and all related matters)
Business Administration (After all, that is what you live on!)
Legal Framework (BDSG and how to reduce the liability risk)
Corporate Culture ("Human Factor" as security element)
Anyone who tells you that one of these points is more important than the others is advising you one-sidedly and neglecting your liability risk in the other areas.
By the way: the grace period for implementing data protection measures already expired in 2004 (§ 45 BDSG/Federal Data Protection Law). Since then, the regulatory authorities have been carrying out intensified inspections. Besides the follow-up work that will be required, there is the risk of considerable penalties and fines under §§ 43 and 44 BDSG (Federal Data Protection Law) and § 206 StGB (German Criminal Code).