Basic: LOW privacy requirements, 150 € p/m (Handiwork)
Medium: MODERATE privacy requirements, 250 € p/m (Travel, Tourism, Hotels)
Medium+: High privacy requirements, 350 € p/m (Small IT companies)
Premium: VERY HIGH privacy requirements, 500 € p/m (Companies with >100 employees)
Corporate: INDIVIDUAL privacy requirements, as required (Publicly listed companies, Umbrella organisations)
|GDPR basic protection|
|Appointment of your Data Protection Officer|
|Notification of your Data Protection Officer to the supervisory authority|
|Data protection dossiers with technical and legal updates|
|Annual activity report to the Management Board|
|DataGuard seal for the website and for branding|
|Employee commitment to the principles of the GDPR|
|Employee training courses (digital)|
|Number of employees covered in the training (via the DataGuard platform)||1-50 pax||1-75 pax||1-100 pax||1-150 pax|
|Data protection audit|
|Data Protection audit (data protection assessment)|
|Analysis based on intelligent questionnaires (digital)|
|Audit calls with DataGuard’s Data Protection Officers|
|Audit minutes and prioritized recommendations for action|
|Number of supported Data Protection Impact Assessments (DPIA)||–||1||2||4|
|Data Protection documentation (prepared by DataGuard)|
|Preparation of Technical and Organisational Measures (TOM)|
|Documentation of standard processes without company-specific data processing activities (e.g. personnel, purchasing, video surveillance)|
|Number of business units of core processes with documentation of company-specific data processing activities (e.g. gastronomy, medical treatments, car repairs)||1 business unit||2 business units||4 business units||6 business units|
|Additional consultation hours included in the service package – flexibly applicable for e.g.:||–||6 hours per year||12 hours per year||18 hours per year|
|Processing of data subject enquiries or queries by the authorities||–|
|On-site support for inspections by the authorities or external parties||–|
|Checking the data protection compliance of software and hardware||–|
|Duty to provide information pursuant to Art. 13 and Art. 14 GDPR||–|
|Preparation of a customized deletion concept||–|
|Data Processing Agreements (DPA)|
|Preparation of DPAs which the customer distributes to suppliers and external partners||–||5 DPAs per year||10 DPAs per year||15 DPAs per year|
|Checking DPAs which the customer receives from their customers and external partners||–||5 DPAs per year||10 DPAs per year||15 DPAs per year|
|Special services in Medium+ and Premium|
|Printing and delivery of a data protection folder with relevant information and templates||–||–|
|Personalized and industry-relevant training for the management team and other departments (digital)||–||–|
|Company-specific data protection analysis with personalized questionnaires and follow-up telephone calls||–||–||2 per year||4 per year|
|Data protection audit (one-off price)|
|All prices are net||1.000 €||1.600 €||2.200 €||3.000 €|
|Contract period (months)||24||24||24||24|
We support you on your journey towards GDPR compliance
- Industrial and Manufacturing
- Craft and Construction
- Finance and Legal
- Media and Entertainment
- Public institutions
Your data protection team for Industrial and Manufacturing
With our expertise in the industrial and manufacturing sectors, we will support you in the processing of personnel and customer data in a GDPR compliant manner. We will assist you in the transfer of data to third-parties such as suppliers and sub-contractors. With DataGuard, you can guarantee data protection for your clients.
Your data protection team for Craft and Construction
Whether working with property management companies, transferring data to sub-contractors or dealing with WhatsApp, we are familiar with the challenges faced by the craft and construction industries. Pragmatically and in a manner that is solution-oriented, we will support your company on its journey towards GDPR compliance.
Your data protection team for IT
In the IT industry, the processing of personal data is integral. We provide expertise ranging from cross-border data transfers to the privacy-compliant use of software tools. We support you with data protection issues regarding remote maintenance and access.
Your data protection team for Finance and Legal
The protection of personal data in the finance and legal sectors poses particular challenges: as bearers of trade secrets, companies often process sensitive data. In addition, individual EU member states have their own derogations from the GDPR. We provide business-focused data protection advice and help you make informed decisions.
Your data protection team for Media and Entertainment
In the communications industry, processing high volumes of personal data is part of the job. But to whom can you send marketing communications? How can old e-mail address lists be used in the new GDPR era? We have the answers for your business and will provide pragmatic support as an external Data Protection Officer.
Your data protection team for Healthcare
The medical and healthcare industry carries many risks with the processing of personal data. We help you deliver on your business objectives while navigating the compliant handling of special-category data.
Your data protection team for Corporations
In the international networking of corporations and corporate groups, the legally compliant handling of personal data can be difficult to manage, especially when dealing with third countries. With our expertise in data protection for international companies, we understand the challenges you face and will support you in implementing the appropriate technical and organisational measures required by the GDPR.
Your data protection team for Churches
We are your experts in the implementation of the KDG, the KDG-DVO, and the DSG-EKD. We are at your disposal for all data protection related questions and will serve as your IT-security guide for day-to-day church activities.
Your data protection team for Public institutions
Public institutions carry a special status under the GDPR and the BDSG which comes with added complexities. In addition, there are EU member state-specific legal requirements with which public institutions must comply. As experts in this field, we provide you with comprehensive data protection support.
Everything within your control
In a continuous exchange, we will work together via an intelligent web platform. The platform is intuitively comprehensible and has no barriers to usability. All information related to your company’s data protection can be accessed at any time via a dashboard.
Our platform is, of course, subject to the highest security standards. All information is protected against unauthorised access via a trusted cloud. Our cloud not only complies with applicable security regulations but also maintains our own high standards of IT and data security.
Take us on a tour of your company
In order to get an overview of the structure and processes of your company, we will perform audits with various departments within your company and address their respective personal data processing procedures.
Each department representative will use our web platform to provide specific information on the department’s operations.
Our platform learns quickly, so it will only ask questions that are relevant to your business.
The GDPR folder
When all the audits are completed, we will prepare your data protection dossier. In the course of the assessment, you will receive concrete recommendations for action, a list of your records of processing activities as well as the documentation of your technical and organisational measures (TOM).
You can retrieve the entire report at any time via the platform and present it to the authorities. If required, we will prepare a Data Processing Agreement (DPA) which you may use to oblige your service providers to protect the data they process.
Recommendations for Action
During the ongoing cooperation, we will support you in the implementation of the technical and organizational measures (TOM). We will make adjustments and further recommendations where necessary.
You will receive a comprehensive activity report from us for the services and measures that have been performed, which can also be presented to the authorities.
We will coordinate concrete data protection goals with you and prepare a data protection guideline for your company.
Continuous support and cooperation
DataGuard is your partner for all data privacy related questions and challenges. Stand ready to report to regulators, answer to data subjects, and fulfill obligations to stakeholders.
Our platform and team of data protection experts enable structured privacy management through continuous monitoring of your processing activities. We provide legal expertise, assist in step-by-step implementation, and simplify the GDPR into a series of accessible steps.
DataGuard is a privacy and legal-technology company headquartered in Munich, Germany. At DataGuard, we house over 100 employees who are passionate about privacy, compliance and IT security. Well over 1,000 business customers place their trust in our “Privacy-as-a-Service” solution, a hybrid of client consultation and the provision of our self-developed Software-as-a-Service platform. In addition to small and medium-sized enterprises, our customer portfolio also includes major international corporations (industrial, finance and trade), political parties, schools, sports clubs, as well as churches and public institutions.
An interdisciplinary team of TÜV/DEKRA certified Data Protection Officers, including lawyers, computer scientists, engineers, and business economists, provides personal support to both our German and international clients on the subject of privacy and IT security. The process of consulting our clients is supported by the use of our web platform which digitizes and automates manual activities and processes data with machine learning (the software’s patent has been submitted to the European Patent Office under the reference number Q0144EP). The platform is used by both our customers and our privacy team.
We’ll participate in DIGITAL FUTUREcongress in Munich. Visit us directly or make an appointment in advance.
FAQs – Frequently Asked Questions
- Subject Matter
How do the employee training courses work?
Your employees will be trained online via the DataGuard platform. They will initially learn the essential topics on data protection and complete a test thereafter. If the test is passed successfully, the respective employee will receive a certificate. Otherwise, the employee may attempt the test again. Each employee will take approximately 30-45 minutes to complete the course.
How do the audits work?
We will carry out the initial data protection audit (the GDPR assessment) with you online and via telephone. First, you and your department representatives will complete a range of questionnaires based on their respective departments (procurement, finance, human resources, sales, IT, security) and provide us with information on your company’s specific data processing activities (or so-called “core processes”). Your personal Data Protection Officer will evaluate the completed questionnaires and speak to each department representative via phone. After each audit call, DataGuard will prepare the corresponding minutes which will be shared with you.
Based on the audit, we will produce recommendations for action as well as all the documents required under data protection law (records of processing activities, Technical and Organisational Measures).
Who creates the data protection documentation?
Each controller (a natural or legal person which determines the purposes and means of the processing of personal data) or processor (a natural or legal person which processes personal data on behalf of the controller) is responsible for creating data processing documentation.
This data protection documentation, consisting of the records of processing activities and the Technical and Organisational Measures, is prepared jointly by you and your DataGuard Data Protection Officer (DPO). We go beyond the legal obligations of a DPO, as the law only specifies for the DPO to provide information and advice.
What is the difference between a standard processing activity and a company-specific processing activity?
The standard processing activities are secondary processes in a company (e.g. in procurement, finance, human resources, security, sales). The company-specific processing activities represent the value-adding core process of a company.
We prepare the data protection documentation for all these processes in the records of processing activities based on the information you provide during the data protection audit.
What are the Technical and Organisational Measures (TOMs)?
TOMs refer to all activities that are carried out as a standard procedure in an organisation in order to protect personal data. The term is very broad and can mean different things in different companies. As the name suggests, these measures are technical procedures and organisational processes inclusive of security procedures (both offline and online). The TOMs of an organisation must be documented in the records of processing activities and be used to comply with the applicable GDPR requirements.
Which companies are required to maintain records of processing activities?
Companies with 250 employees or more must maintain records of processing activities. If a company has fewer than 250 employees, records of processing are only necessary if the processing is not occasional, the processing carries a high risk to the rights and freedoms of data subjects, the processing includes special categories of data, or personal data relating to criminal convictions and offenses is processed.
What are Data Processing Agreements (DPA)?
If data processing operations are outsourced to an external service provider, it is necessary to complete a data processing agreement. The DPA sets out the subject-matter and duration, nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. Through this contract, the contracting company (the controller) ensures that the other party (the processor) is bound to their obligations.
Processing by a processor (order processing) is often already in place, for example when companies have payroll accounting performed by a third-party company or remote maintenance performed by external IT service providers.
What does the Data Protection Impact Assessment (DPIA) do?
The DPIA is a risk analysis for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, involve the processing of large volumes of special categories of personal data, include the use of new technologies and profiling / scoring techniques or exercise the systematic and comprehensive monitoring of publicly accessible areas. This assessment is aimed at making it possible for companies to take protective measures for the rights and freedoms of data subjects at an early stage.
How can I use the additional consultation hours?
The additional consultation hours can be used for purposes such as data subject inquiries or queries by the authorities, checking documents for employees and customers, verifying the level of GDPR compliance of software/hardware, and for external audits.
How much work will data protection compliance present for my company?
The new data protection legislation often leads to an increased administrative burden and more work in general. However, designating an external Data Protection Officer such as DataGuard will significantly reduce the workload so that your company can focus on its core activities.
How do I commission DataGuard?
After an initial conversation with one of our specialists, you will be recommended a service package that suits your company (Basic, Medium, Medium+, Premium). You may then sign the contract sent to you by email, scan it and return it to us via email.
What are the next steps after signing the contract?
When would the contract begin?
The contract can start on the 1st or 15th of each month.
What is the duration of the contract?
The contract period is 24 months. The contract may be terminated with an advance notice of 6 months prior to the end of the contract period.
Can I upgrade my package while my current package contract is still active?
Yes, you can upgrade a package during the contract period without extending the length of the contract period. However, please note that a downgrade is not possible.
Is it possible to book additional consultation hours?
You can book individual sessions for 180 € per hour at any time. However, the privacy needs of your company, and therefore the appropriate package, will have been determined during the initial consultation. In other words, the number of consultation hours is generally sufficient.
If necessary, you may upgrade your service package at any time.
Who is DataGuard?
DataGuard is a data protection company headquartered in Munich, Germany. Since our establishment at the end of 2017, we have now grown to 100 employees and have become one of Germany’s leading providers of external data protection. With our self-developed machine learning-driven “Privacy-as-a-Service” solution – a hybrid of personal consulting and software-as-a-service – we cater to over 1,000 business customers in more than 400 cities and 300 industries throughout Europe.
In addition to small and medium-sized companies, our customer portfolio also includes major international corporations (industry, finance and trade), political parties, schools, sports clubs as well as churches and public institutions.
Our partner network includes some of the largest German industry associations (BVDS, DEHOGA, wvib, BVMW etc.) as well as Deutsche Telekom as a sales partner and IBM as a technology partner.
What is DataGuard’s “Privacy-as-a-Service”?
Personal consultation and support + platform/software support:
An interdisciplinary team of lawyers, computer scientists, engineers, business economists etc. supports our customers in teams of 2-4 TÜV/DEKRA certified Data Protection Officers who specialize in the fields of data protection and IT security. As our platform/software is used extensively, we do not consider ourselves a consultancy but a legal-technology company with an approach that is scalable both in Germany and internationally.
The personalized consultation of our customers is supported by a specially programmed web platform. It digitizes and automates manual and repetitive processes using machine learning and processes data input with machine learning, amongst other things. The platform is used by our customers and our team. In June 2018, we filed a patent for our invention with the European Patent Office under reference number Q0144EP.
What is DataGuard’s geographical scope?
We cater to customers nationwide and throughout Europe. Communication takes place primarily via e-mail, phone, as well as on our own specially developed web-platform so that we may advise you anywhere and at any time.
Does the Data Protection Officer have to be on site?
No. What’s important is that the Data Protection Officer has all the necessary information needed to fulfil their tasks and that they can be directly contacted by the company’s management team, employees, customers as well as by the authorities. We offer all of these services as we can be contacted directly via telephone or email Monday-Friday, 8AM-6PM. The advantage here is that you can avoid on-site scheduling, allowing you and your employees to focus on your operational needs.
What motivates us?
Data protection of course! The idea that each and every person expects their data to be handled responsibly.
When does the GDPR go into effect?
The new General Data Protection Regulation (GDPR) has been applicable and binding since 25th May 2018.
Which companies must appoint a DPO?
If a company constantly employs at least ten persons who deal with the automated processing of personal data, the appointment of a DPO is mandatory according to German data protection law. This also includes external service providers such as an external accounting department.
If a company carries out processing which is subject to a data protection impact assessment or processes personal data for business purposes for the transmission / anonymised transmission of personal data, or for the purposes of marketing or opinion research, then a DPO must be appointed, regardless of how many employees are involved in the processing of personal data.
What competences must a Data Protection Officer have?
Many companies prefer to name a DPO internally from their existing workforce. However, there are important qualifications that must be considered when designating a DPO.
A DPO must have the following competencies:
- Expert knowledge of relevant data protection law: GDPR and national laws (BDSG, TMG, TKG)
- Legal understanding
- Extensive technical expertise
- Knowledge of the IT basic protection catalogues of the Federal Office for Information Security (BSI)
- Ideally, relevant data protection certifications
- Reliability and personal integrity
Who may not be appointed as a Data Protection Officer?
The following individuals may not be designated as Data Protection Officers:
- Managing Directors or General Managers
- Senior Management (especially management of the IT department)
- Unqualified or insufficiently experienced persons
The legislative intent of these restrictions is to avoid potential conflicts of interest and possible sources of error.
What are the fines and penalties for a GDPR violation?
A violation could result in fines of up to €20 million or up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher. Many violations, including the non-appointment of a Data Protection Officer, are considered grossly negligent behaviour. Directors may be held personally liable with their private assets.
It took less than half a year for the first company to suffer the consequences of the GDPR: the Karlsruhe-based provider Knuddels was fined €20,000 for a security breach. The grace period for companies has expired with the first round of enforcement. Now, supervisory authorities are vigilantly following up on infringements.