The General Data Protection Regulation (EU) 2016/679, abbreviated GDPR, came into force on May 25, 2016, and has been applicable since May 25, 2018, following a two-year transition period. The GDPR has harmonized and tightened data protection law in the European Union (EU). It also applies to many companies and organizations in Switzerland and other countries outside the EU, especially if they offer goods or services to EU citizens.
Anyone who violates the new EU data protection law can be punished with fines of up to €20 million or up to 4 percent of global turnover. These maximum penalties are relevant above all for large tech companies such as Google or Facebook.
Regardless of any penalties, the costs incurred by proceedings for an alleged violation of the GDPR can be painful.
Data protection violations are also often the subject of warnings from other companies, consumer protection associations, or the individuals affected themselves. This can not only result in considerable costs, but also severely restrict a company’s ability to act.
With the GDPR, the EU introduced the market location principle into data protection law:
The GDPR applies to the processing of personal data of all individuals located in the EU. The GDPR also applies if such data is processed in Switzerland and other countries outside the EU—in so-called third countries.
Companies in Switzerland offering services to individuals in the EU must comply with the GDPR. This also explicitly applies to free services such as e-books and newsletters for individuals in the EU.
In addition, the GDPR applies to companies in Switzerland that monitor the behavior of individuals in the EU, for example by analyzing the activities of visitors to an app or website (profiling and tracking).
Swiss companies that must comply with the GDPR are exempt from the requirement to appoint a data protection representative in the EU under the following three conditions:
The exception only applies if all three conditions are met. We advise against invoking this exception.
Within a company, the company’s data protection officer is responsible for monitoring compliance with data protection regulations in accordance with Art. 39 (1) (b) GDPR.
In addition, companies are monitored by the competent supervisory authority in accordance with Section 40 of the Federal Data Protection Act (FDPA). In Germany, these are the data protection supervisory authorities of the federal states, such as the Bavarian State Office for Data Protection Supervision.
Section 1 (1) of the Federal Data Protection Act (FDPA) states: “The purpose of this Act is to protect individuals from any infringement of their personal rights through the processing of their personal data.” Data protection law therefore does not protect data as such, but rather the privacy of each individual from infringement through the collection, processing, and use of personal data.
The content of the privacy policy depends on what data is specifically collected and used on the website and in what form. The user must be informed about this in a complete and truthful manner. The specific requirements are set out in Articles 12 and 13 of the GDPR. In particular, information must be provided about all processing operations, the respective processing purposes and legal bases, and the recipients of data. Furthermore, website visitors must be informed about their rights as data subjects, for example, their right to information or deletion.
For many simpler websites, a standard template, such as those found on the internet, should suffice. However, anything beyond this requires an individually formulated declaration, which a specialized lawyer can draft after thorough consultation. Special requirements arise in particular when using social media plugins, analysis tools, or other applications that collect and use data.
Just like the imprint, the privacy policy should be easy to access with a single click. It is therefore advisable to place it on a separate page and to include a link labeled “Privacy Policy” or “Data Protection” next to the link to the imprint, e.g., in the footer of the website.
From a competition law perspective, the consequences of a missing or incorrect privacy policy are controversial. According to some rulings, for example by the Higher Regional Court of Karlsruhe and the Higher Regional Court of Hamburg, the obligation of a website operator to inform users about the collection and use of personal data constitutes a market conduct rule. Consequently, competition law warnings can be issued in the event of missing privacy policies.
Currently, warnings are frequently issued for the use of tracking services such as Google Analytics or other third-party tools such as web fonts without compliance with legal requirements, in particular without effective consent by means of a so-called cookie consent tool. Illegal data transfers to service providers in the US are also a hot topic at present.
When companies decide to outsource data protection management, they often find it difficult to find the right experts for data protection and the GDPR. Here’s what matters:
The collaboration usually begins with an assessment of the current state of data protection in your company, for example, during a kick-off meeting. Based on this, we define specific measures, prioritize areas of action, and establish a clear roadmap.
During ongoing operations, we are available as your permanent point of contact, providing support for projects, reviewing contracts, accompanying audits, and training your employees. We work pragmatically and in a solution-oriented manner.
Support can usually start at short notice, typically within a few days of commissioning.
As your external data protection officer, we are available to assist you in your day-to-day business via email, telephone, or video conference. Requests are processed promptly and, in urgent cases, prioritized as a matter of course.
You will be assigned a dedicated contact person, ensuring clear communication channels and short coordination processes. This enables us to ensure that data protection issues can be resolved quickly, pragmatically, and in a legally compliant manner.
We offer transparent package models tailored to your individual consulting needs:
All-inclusive packages are suitable for companies with regular consulting needs. You receive an annual time allowance that can be used flexibly for data protection consulting and support. If the allowance is not sufficient, you benefit from reduced hourly rates. We offer all-inclusive packages starting at € 279 net per month.
They are typically used by B2C companies, agencies, software or AI providers, and companies with sensitive data (e.g., in the health or finance sector).
Basic packages are ideal for those with lower consulting needs. Here, we take on the role of data protection officer from € 129 net per month. Additional consulting services are billed at the regular hourly rate.
This model is often suitable for smaller service providers, B2B companies, or craft businesses.
Contact us for an individual quote.
A data protection representative in the EU is a legal or natural person established in an EU member state. The representative must be established in one of the EU member states in which the data subjects concerned are located. The appointment must be made in writing.
In many cases, appointing an EU Data Protection Representative is not optional – it’s required by law. Under Article 27 of the EU General Data Protection Regulation (GDPR), companies without a physical presence in the EU are required to appoint an EU Data Protection Representative if they:
1) offer goods or services to individuals in the EU – whether paid or free, or
2) monitor the behavior of individuals in the EU, such as through online tracking, analytics, or profiling.
Get a free, individual compliance check now.
In any case, it is advisable to select an EU representative who has a thorough understanding of the legal, organizational, and technical aspects of data protection in order to be able to respond appropriately to inquiries from supervisory authorities.
The EU Data Protection Officer is the point of contact for supervisory authorities and data subjects for all inquiries relating to ensuring compliance with the GDPR.
FX Data Services Include:
Our services target legal entities and individuals based outside the EU who process data belonging to individuals located in Germany and other EU countries. This includes companies in Switzerland, the UK, the US, etc. Many such companies and organizations, as well as individual self-employed persons, require a data protection representative in the EU in accordance with Art. 27 GDPR.
Failing to appoint an EU Representative is itself a GDPR violation under Article 27. This can lead to administrative fines imposed by EU supervisory authorities under Article 83 GDPR — typically up to €10 million or 2 % of global annual turnover, whichever is higher.
In practice, authorities have issued fines for lacking an Article 27 representative (e.g., a € 525,000 fine for failing to appoint a representative in a GDPR enforcement case).
Yes. In addition to fines, regulators may require compliance before permitting further processing or EU-wide operations. Some enforcement actions can result in operational restrictions until an EU Representative is appointed.
No. An EU Representative under Article 27 GDPR is a local contact and facilitator for data subjects and authorities, not an internal compliance role. A DPO (Article 37 GDPR) oversees data protection compliance within the organisation. The two roles are distinct and may both be required depending on your processing activities.
A data protection incident occurs when personal data is disclosed, altered, lost, or made accessible unintentionally or without authorization. This includes, for example, hacked email accounts, compromised passwords, accidentally sent files, or technical malfunctions that could result in data loss.
A report is required if the incident is likely to pose a risk to the rights and freedoms of affected individuals. This is the case, for example, if sensitive data is involved, a possible data leak cannot be ruled out, or attackers gained access to systems. Important: The report must be made immediately, within 72 hours at the latest.
Affected individuals must be informed if there is a high risk to their rights and freedoms. This is the case, for example, if attackers have gained access to personal customer data or particularly sensitive information. The information must clearly state which data is affected, what risks exist, and what protective measures are recommended.
Unauthorized access to data by a hacker or as part of a phishing attack is typically also a criminal offense. Even though the perpetrators are often located abroad and police investigations usually remain inconclusive, we recommend filing a criminal complaint in addition to reporting the incident under data protection law. This is often necessary because most cyber and liability insurance policies require a report to the police in the event of a claim.
In the meantime, the State Criminal Police Offices of the federal states have set up central reporting offices for crimes on the Internet, such as the Central Cybercrime Contact Point (ZAC) of the Bavarian State Criminal Police Office. Hacker attacks can be reported online there. This spares the victim a trip to the police station.
We not only report the incident to the relevant reporting center on your behalf, but also coordinate the subsequent communication between the State Criminal Police Office, the police station responsible, and any witnesses (such as your IT service provider).
No. The GDPR applies regardless of the size of the company. Even small businesses must report incidents and inform those affected if there is a significant risk. However, no action is required if the risk is very low. The decisive factor is therefore always the risk assessment, not the size of the company.
As part of the data protection check, your website or online shop is analyzed from a technical and legal perspective. In particular, we examine the use of cookies, tracking and marketing tools, integrated third-party providers, and data connections to external servers. The aim is to identify data protection risks transparently and evaluate them in a comprehensible manner.
Yes. Even smaller websites are fully subject to the provisions of the GDPR and the TDDDG. The use of analysis tools, fonts, embedded media, or contact forms is subject to data protection regulations. The data protection check helps to minimize the risk of warnings and liability, even for small websites.
Yes. You will receive specific and practical recommendations for adapting your website. These are based on the current guidelines of the data protection supervisory authorities and applicable case law, and include an individual risk assessment so that you can prioritize measures.
No. The data protection check does not replace an internal or external data protection officer. However, it provides a comprehensive snapshot of your website’s data protection status and serves as a valuable addition to your company’s ongoing data protection management.
The whistleblower portal must be freely accessible to all employees—in particular, permanent staff, temporary workers, trainees, and interns. Companies also have the option of opening the whistleblower portal to third parties (e.g., customers or business partners) in order to identify risks early on along the entire supply chain.
The subject of a report may, for example, be information about violations of criminal law or regulations on environmental protection, data protection, or consumer protection. The whistleblower must have obtained this information in connection with their professional activities.
The disclosure of information to the reporting office is permitted despite legal or contractual confidentiality obligations, provided that the whistleblower acts in good faith and the report is necessary to uncover a relevant violation.
Reporting offices are legally obliged to maintain confidentiality. This includes the identity of the whistleblower and all persons named in the report. When processing personal data, the provisions of the GDPR must also be complied with.
Any discrimination against whistleblowers is prohibited by law – this includes threats or attempts to discriminate. If a whistleblower nevertheless suffers professional disadvantages, the law presumes that this is an inadmissible reprisal. In the event of a dispute, the employer must prove that the measure was objectively justified and had nothing to do with the report. Violation of this prohibition may result in damages!
If false information is provided intentionally or negligently, damages may be claimed!
Data protection has long been more than just a legal obligation. Customers are increasingly paying attention to how responsibly companies handle their data. Establishing transparent, data protection-compliant processes and actively communicating them builds trust. And trust influences purchasing decisions. Studies show that people are more likely to choose providers who respect and protect their data.
A clearly communicated data protection concept signals reliability, professionalism, and a sense of responsibility. This reduces uncertainty, strengthens customer loyalty, and increases the referral rate. In the B2B sector in particular, data protection is often a decisive selection criterion in tenders and contract negotiations.
Pure legal compliance is the basis, but it is not a distinguishing feature. Companies that think strategically about data protection integrate it into their processes, their communication, and their brand image. Those who explain data protection in an understandable way, create clear consent processes, and practice transparency stand out clearly from the competition.
Through clear, understandable privacy policies, transparent information processes, privacy seals or certifications, and trained employees. Proactive communication is also important—for example, by providing information about secure processes, encryption, or data-efficient technologies. Data protection should not be hidden in the fine print, but should be visible as part of the company’s values.
FX Data is a data protection company that focuses on all services related to the implementation of data protection for businesses. We advise small and medium-sized companies, train employees, and provide external data protection officers and EU data protection representatives.
FX Data’s consulting services are characterized by a deep understanding of the specific technical and economic requirements. We combine in-depth technical knowledge with comprehensive legal expertise.
FX Data specializes in handling all questions and requirements that arise and may arise in connection with data protection and data security. Thanks to its many years of experience in supporting online shops and other clients in the B2C sector, FX Data has in-depth experience in dealing with consumers and their concerns.