
The new Data Protection Act (nDSG), which comes into force on 1 September 2023, brings with it a number of new and amended legal provisions. Legal texts, however, are not known for being easy to understand. Since ignorance of the law is no defence against punishment, HÄRTING has formulated the following ten commandments on the new Data Protection Act (nDSG) in plain language, which we also make available to you free of charge in our shop.

  1. Requirement: The company’s managers are aware of the consequences of breaching the protection of personal data (including personal criminal liability). The roles and responsibilities in the company or group with regard to the protection of information are clearly defined and trained.
  2. Requirement: A register of processing activities with the categories of processed personal data and data subjects as well as other legally required information is available and regularly updated.
  3. Requirement: The data protection information in the privacy policy, the cookie policy and the other information obligations in contracts with customers, employees and suppliers fulfil the legal requirements and are in line with the processes used in the company.
  4. Requirement: The legal bases of the processing carried out, including data transfers, have been identified, verified and documented.
  5. Requirement: Transfers of personal data to other countries comply with the relevant legal provisions, and any necessary data protection impact assessments, including any transfer risk assessments, are available.
  6. Requirement: If consent is used as a legal basis, the way in which it is obtained and managed complies with the relevant requirements and transparent information is provided.
  7. Requirement: If personal data of vulnerable persons (such as minors or other persons lacking capacity) are processed, the consent of a legal representative must be available.
  8. Requirement: There is a process for recognising, reporting, documenting and managing security incidents, which is tested on a regular basis.
  9. Requirement: The individual rights of affected persons are not violated and can be easily exercised or reported.
  10. Requirement: The procedures for the protection of personal data are understood and applied by all affected stakeholders as standard from the design phase onwards.
