GDPR
Data Protection as a Fundamental Right

• Consent, contract, legal obligation, vital interests, public task or legitimate interest
• Processing fair and transparent to data subjects
• Clear information about purposes

• Data collected for specified, explicit and legitimate purposes
• Further processing only if compatible with original purpose
• Purpose change requires new legal basis or consent

• Data must be adequate, relevant and limited to what is necessary for the purpose
• No “collection in advance”
• What is not needed is not collected

• All reasonable measures to erase or rectify inaccurate data
• Data subjects can request rectification
• Systems for data quality management required

• Identifiable form only as long as required for purposes
• Then: anonymization, pseudonymization or deletion
• Document retention concepts and periods

• Protection against unauthorized/unlawful processing, loss, destruction, damage
• Encryption, access controls, backup, monitoring
• Appropriateness to risk

• Controller must be able to demonstrate at any time that all principles are being followed
• Documentation, policies, audits, reviews
• Burden of proof on controller

• Data subjects may request information about: what categories of data, for what purposes, to which recipients, storage period, source of data
• Free copy of data
• Response within 1 month

• Data subjects can request immediate rectification of inaccurate personal data
• Completion of incomplete data
• Notification of all recipients about rectification

• Erasure when: purpose fulfilled, consent withdrawn, objection raised, unlawful processing, legal erasure obligation
• Exceptions: legal retention obligations, defense rights, public interest

• When accuracy contested, unlawful processing (but data subject refuses erasure), or during review of objection
• Data may only be stored, not actively processed

• Data subjects can receive their data in structured, commonly used, machine-readable format
• Direct transfer to another controller where technically feasible
• Applies to automatically processed data based on consent/contract

• Against processing based on legitimate interest or public task
• Against direct marketing (absolute right to object)
• Controller must cease processing unless compelling legitimate grounds override

• Right not to be subject to solely automated decision (including profiling) that produces legal effects or significantly affects
• Exceptions: contract, law, explicit consent
• Human review

• Technical/organizational measures already in design/development
• Data minimization, pseudonymization, encryption as standard
• Privacy-by-default: only necessary data by default, minimal storage period, limited accessibility

• Encryption (at rest, in transit), pseudonymization, access controls
• Availability/resilience, recoverability
• Regular tests/audits
• Appropriateness: risk, state of art, costs

• Name/contact of controller, purposes, categories of data subjects/data, recipients
• Third-country transfers, retention periods, security measures
• Exception: <250 employees (with limitations)
• Present to supervisor on request

• Systematic evaluation, extensive processing of special categories, public monitoring
• Automated decisions with legal effect, new technologies
• Content: description, necessity/proportionality, risk assessment, mitigation measures
• Prior consultation with supervisor if residual risk

• For breach of confidentiality, integrity, availability of personal data
• Description, categories/number of affected, consequences, measures
• Notification to data subjects for high risk (without undue delay)
• Exceptions: encryption, subsequent measures

• Processor only on documented instructions
• Contract with: subject, duration, nature/purpose, data categories, controller obligations/rights
• Security measures, sub-processors, support obligations
• Deletion/return after end

• For certain countries (e.g. UK, Switzerland, Japan, Israel) Commission has found adequate data protection level
• Transfer possible as within EU
• Regular review
• EU-US Data Privacy Framework since July 2023

• Standard Contractual Clauses (2021/914) as transfer instrument
• Controller-to-processor, controller-to-controller, processor-to-processor
• Transfer Impact Assessment (TIA) additionally required
• Additional measures for third-country access

• For multinational corporate groups
• Approval by lead supervisory authority required
• Binding rules for entire group
• Enforceable rights for data subjects
• Complex approval procedure

• Derogations: explicit consent, contract performance, legal claims, vital interests, public interest, public registers
• Codes of conduct, certification as safeguards possible
• Ad-hoc approval by supervisor

• Modular, data-minimized architectures
• Logical isolation of personal data
• Pseudonymization/anonymization where possible
• Privacy-by-default configurations
• Infrastructure-as-code with privacy patterns
• No “data collection in advance”

• Germany as primary region
• EU-based infrastructure providers
• No third-country transfers in standard setup
• GDPR Art. 44-50 compliant
• EU jurisdiction, EU law, EU supervision
• Full control over data flows

• TLS 1.3+ for data in transit, encryption at rest
• Customer-managed keys (BYOK/BYOHSM)
• Access controls (RBAC/ABAC), MFA, PAM
• Regular vulnerability scans
• ISO 27001-certified processes
• Audit logs for all access

• Standardized Data Processing Agreements
• Clear role separation (controller/processor)
• Documented instructions, sub-processor lists, security measures
• Support for data subject rights
• Deletion/return after contract end
• EU SCCs where required

• Complete processing register internally
• Customer-specific processing documentation on request
• Categories: data, data subjects, purposes, recipients, retention periods, security measures
• Audit-ready

• Self-service portals for data export (Art. 20 data portability)
• Structured, machine-readable formats
• Erasure/restriction mechanisms
• Response within GDPR deadlines (1 month)
• Technical support for customers with data subject requests

• Structured incident response playbooks
• Breach detection mechanisms
• Forensic analysis capability
• Coordination with customers (controller) for data breaches
• Template notifications for supervisory authorities
• Post-incident reviews, lessons learned

• Internal Data Protection Officer
• Data protection as part of our Integrated Management System (IMS)
• Regular privacy audits, training
• Data protection impact assessments for new services
• Continuous compliance monitoring

• ISO 9001 (Quality Management) and ISO 27001 (Information Security Management) certified
• Regular external audits by accredited certification bodies
• Compliance attestations for customers
• Certificates available on request

GDPR regulates data protection, Data Act regulates data access/use. Both together: protection AND availability. Data Act data access must not violate GDPR – legal bases, DPIAs required. Anonymization/pseudonymization as bridge.

More about Data Act

GDPR protects personal data, NIS-2 protects network/information systems. Overlaps: Art. 32 GDPR (security) ↔ NIS-2 risk management. Incident reporting in parallel (GDPR → DPA, NIS-2 → CSIRT). Integrated compliance required.

More about NIS-2

DORA specifies ICT resilience, GDPR remains applicable for data protection. DORA ICT third-party risk includes GDPR processing agreements. Incident reporting coordinated (DORA → financial supervisor, GDPR → DPA). DORA compliance requires GDPR compliance.

More about DORA

CRA requires secure products (software, hardware), GDPR requires data protection in their use. Privacy by Design (GDPR Art. 25) ↔ Security by Design (CRA). Vulnerability management (CRA) supports Art. 32 GDPR.

More about CRA

EU data residency, customer key sovereignty, exit capability address GDPR requirements (Art. 32, Art. 44-50). Cloud Sovereignty Framework evaluates GDPR compliance as core factor. EU-only stacks = GDPR-native.

More about the Framework

How ayedo systematically addresses GDPR, Data Act, NIS-2, DORA, CRA. Certifications, processes, technical measures. Integrated compliance roadmap. Audit readiness. Complete documentation.

To overview