You can find the second part of our exclusive checklist for freelancers here: *
4. Check whether you need a declaration of consent for the collection and storage of the data.
This step is especially important for marketing activities. For example, if you regularly send a newsletter to subscribers, you need to obtain their consent. It is also advisable to obtain a declaration of consent for the processing of your clients' personal data, either in writing or electronically by e-mail; both are legally valid. If a customer has given you consent, he or she must also have the option to withdraw it and to object to the processing.
5. Do you transfer data to third parties?
If you pass data on to your tax accountant, banks or other service providers, you must also take that into account. In particular, no data should be processed or stored outside the EU. Likewise, you should be careful not to use any services whose servers are located outside EU territory; that would require further extensive data protection measures.
6. Create a directory of procedures
Under the GDPR a directory of procedures (record of processing activities) has also become necessary. This directory has a big advantage: it helps you get an overview of the activities you already carry out, and you can use it to find out which steps you still need to take to comply with the GDPR. The document also describes how you protect your customers' personal information. This includes classic "analogue" steps, such as keeping folders and other sensitive documents in a safe place that can be locked. If you store personal data digitally, the computer on which it is stored should be password protected. In this context one often reads of so-called TOMs: appropriate technical and organizational measures intended to secure your customers' data. The exact nature of these measures depends on your individual business model and on how the personal data is stored, but working through them should also help you find the right path for your own field of business. Service providers in the IT business should conclude a special data processing agreement with their customers.
7. Check for backups
Do you store backups in the cloud? Then, as a freelancer, you have to safeguard yourself once more: the server must be located in the EU, and the data must be encrypted both while in transit to the server and while stored on it. This also raises the question of how long the backup data is retained (see the deletion plan). Many providers therefore offer a data processing agreement that can be downloaded and signed on their website. Check whether this is also the case with your provider, as a separate agreement might be necessary.
Cooperation with other service providers
Do you work with other service providers? If you pass personal data on to them, you must also include this in your GDPR plan. In this case you should conclude a data processing agreement with each service provider you work with.
If you are still uncertain whether you have fully and properly implemented the requirements of the GDPR, you can also contact the data protection supervisory authorities. They exist at both national and federal level and have published many further tips and examples on their websites. You can find more extensive information on the websites of the data protection professional associations, such as https://www.bvdnet.de/en/ or https://www.gdd.de/ . If you have any further questions, you can contact their staff directly to clarify all outstanding issues.
* This text has been carefully researched and written to the best of our knowledge. Nevertheless, it cannot replace legal advice and does not claim to.