What is personal data? - Art. 4 (1) and Art. 9 GDPR

"Any information relating to an identified or identifiable natural person (data subject)". This covers every piece of information that says something about a person. A person is identifiable not only by name, (e-mail) address or date of birth, but by any reference to their physical, physiological, genetic, mental, economic, cultural or social identity. Examples include genetic data, health information (electronic patient record), biometric data, bank details, property and asset details, customer and applicant data, and online identifiers such as IP addresses and cookie IDs. Genetic, biometric and health data, together with data on racial or ethnic origin, political opinions, religious beliefs or sexual orientation, are the special categories of Art. 9 GDPR, which may only be processed under the narrow conditions listed there.



Rights of the data subjects - Art. 12 - 22 GDPR

They are the core of data protection and cannot be waived by contract:

  1. Right to transparency (Art. 5 Para. 1 (a), Art. 12 GDPR) - Personal data must be processed lawfully, fairly and in a way that the data subject can understand. Transparency about the context: who collects which data from whom? When? Why, and for what purpose?

  2. Right of access (Art. 15 GDPR) - the right to obtain confirmation of whether one's own personal data is being processed and, if so, access to that data and to information about the processing (purposes, recipients, retention period, source).

  3. Right to rectification, erasure and restriction of processing (Art. 16 - 18 GDPR)

  4. Right to data portability (Art. 20 GDPR) - The data subject has the right to receive the personal data they have provided to the controller in a structured, commonly used and machine-readable format, and to transmit it to another controller.

  5. Right not to be subject to an automated decision (Art. 22 GDPR) - The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.



When do we speak of processing? - Art. 4 (2) GDPR

For the purposes of the regulation, "processing" means any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Merely looking at or storing personal data is therefore already processing.



What is profiling? - Art. 4 (4) GDPR

Any form of automated processing of personal data that evaluates personal aspects of a natural person, in particular to analyze or predict work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.



What is data security?

The protection of data against unauthorized access, unwanted alteration, destruction and loss. Its goals are confidentiality, integrity and availability (the "CIA" protection goals). Data security is the technical side of data protection: without it, the rights described above cannot be guaranteed in practice.



Data protection policy or data protection manual - Art. 5 Para. 2 GDPR

Under the GDPR, companies must meet the data protection requirements both at specific points and structurally. In an audit it is not enough to show that the company was working in compliance with data protection regulations at one particular point in time; it must demonstrate that the requirements are continuously met in day-to-day business practice (accountability, Art. 5 Para. 2 GDPR).
The data protection supervisory authorities therefore uniformly recommend that companies (depending on their size) adopt a data protection policy or a data protection manual that sets out how the requirements are addressed and who is responsible for what.



Records of processing activities - Art. 30 GDPR

Companies are obliged to document their processing activities in written records. In other words, a supervisory authority employee who is not familiar with your processing in detail should, after reading the records, have a rough overview of who processes which data and how, when it is deleted and how it is technically secured. Processing on behalf of a controller (Art. 28 GDPR) is the collection, processing or use of personal data by a service provider acting on the controller's instructions, for example a tax consultant who handles payroll accounting for a company; it must be governed by a written contract with the processor, and the processor's own records must list the controllers it works for.



IT security - Art. 32 GDPR

With its higher fines, the GDPR strengthens the obligation on companies to operate their IT systems securely according to the state of the art, which includes making sufficient resources available. The wording is deliberately open: what is meant is the ongoing adaptation of data protection, data security and data backup to a changing digital environment and to the threats that result from it, cybercrime among them. Art. 32 names examples of appropriate measures: pseudonymization and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability promptly after an incident, and a process for regularly testing and evaluating the effectiveness of the measures.



Website privacy notice - Art. 13/14 GDPR

When a company collects and processes personal data, data subjects must be informed about the processing and learn in detail what happens to their data: who the controller is, for which purposes and on which legal basis the data is processed, who receives it, how long it is kept and which rights they have. This also applies to data collected through a website, including the use of cookies, Google Analytics and similar services.



"Digital Fitness" awareness-raising and training of employees - Art. 5 Para. 2 GDPR

Derived from the company's accountability, the employer must inform its employees about data protection issues and requirements. The scope of the training depends on the sector and the size of the company. Companies are required to document that the training measures have been carried out.



Pseudonymization and anonymization - Art. 4 (5) GDPR

With pseudonymization, personal data is processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information; that additional information (for example a key or a lookup table) must be kept separately and protected by technical and organizational measures. Pseudonymized data therefore remains personal data under the GDPR. Anonymization, by contrast, removes the possibility of attributing the data to a person irreversibly, so that anonymous data falls outside the scope of the GDPR altogether; it is therefore the higher level of protection.
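The following example, added here and not taken from the original page, shows the difference in code: a keyed token (HMAC) as pseudonymization, where the key is the "additional information" that lets only its holder re-identify a person; an unkeyed hash that is often sold as anonymization but can be reversed by anyone with a list of plausible addresses; and true anonymization by dropping the identifier and coarsening the remaining fields, with a k-anonymity check because generalization alone does not prove that a row no longer singles someone out. The records, field names and the 32-byte key are constructed assumptions for illustration.

```python
"""Pseudonymization vs. anonymization on constructed records.

Added example, not from the original page. The records, key handling and
field names are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample data: fictitious people, example.com addresses.
RECORDS = [
    {"email": "anna.muster@example.com",    "birthdate": "1984-03-12", "zip": "8803", "diagnosis": "J45"},
    {"email": "bruno.beispiel@example.com", "birthdate": "1991-11-30", "zip": "8002", "diagnosis": "E11"},
    {"email": "carla.test@example.com",     "birthdate": "1987-06-01", "zip": "8820", "diagnosis": "I10"},
    {"email": "dario.demo@example.com",     "birthdate": "1993-02-14", "zip": "8050", "diagnosis": "J45"},
]
QUASI_IDENTIFIERS = ("birth_decade", "zip_area")


def make_pseudonym_key() -> bytes:
    """The secret that Art. 4 (5) calls 'additional information'. It must be
    stored separately from the pseudonymized dataset (e.g. in a KMS or HSM)."""
    return secrets.token_bytes(32)


def pseudonym(email: str, key: bytes) -> str:
    """Keyed token for an e-mail address: deterministic under one key (so
    records of the same person still join) but not computable without it."""
    mac = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Swap the direct identifier for a keyed token; all other fields stay."""
    out = {k: v for k, v in record.items() if k != "email"}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def reidentify(token: str, candidate_emails, key: bytes):
    """Only the key holder can map a token back to a person. This reversibility
    is why pseudonymized data remains personal data under the GDPR."""
    for email in candidate_emails:
        if hmac.compare_digest(pseudonym(email, key), token):
            return email
    return None


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: a common mistake sold as 'anonymization'."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:16]


def dictionary_attack(token: str, candidate_emails):
    """Without a secret, anyone holding a list of plausible addresses (customer
    export, breach dump, address book) recovers the identity by trial."""
    for email in candidate_emails:
        if naive_hash(email) == token:
            return email
    return None


def anonymize(record: dict) -> dict:
    """Drop the identifier and coarsen the quasi-identifiers. No key exists,
    so nothing can be undone; whether the rows are truly anonymous still
    depends on the rest of the dataset (see k_anonymity)."""
    decade = record["birthdate"][:3] + "0s"      # "1984-03-12" -> "1980s"
    return {
        "birth_decade": decade,
        "zip_area": record["zip"][:2],           # "8803" -> "88"
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Smallest group of rows sharing the same quasi-identifier values.
    k = 1 means some row is alone in its group and can still be singled out."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    key = make_pseudonym_key()
    emails = [r["email"] for r in RECORDS]
    pseudo = [pseudonymize(r, key) for r in RECORDS]
    print("pseudonymized:", pseudo[0])
    print("key holder re-identifies:", reidentify(pseudo[0]["subject_id"], emails, key))
    print("naive hash reversed by dictionary:", dictionary_attack(naive_hash(emails[1]), emails))
    anon = [anonymize(r) for r in RECORDS]
    print("anonymized:", anon[0], "k =", k_anonymity(anon))
```

The check to take away: if the dataset and the key (or lookup table) ever end up in the same place, or if the "token" is computed without a secret, the data is still personal data and all GDPR obligations apply. A k of 1 after generalization means a row is unique and the generalization needs to be coarser before the result can be called anonymous.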




Your orientation support in the implementation of the GDPR is our online test.
Make an appointment with us.


Contact: Monika Wehr

CyberWehr RMS GmbH
Alte Landstrasse 109
8803 Rüschlikon

T. +41 79 348 55 63