Startups and data protection - or data protection startup?!

Let’s face it: most start-ups and founders’ heads are spinning not only because of all the good ideas, but also because of the countless legal and bureaucratic requirements on the way to implementing the idea.

It is important to bear in mind that legal requirements do not decrease over time. Once company, tax or trademark law issues have been clarified, compliance issues in particular await young companies later on. They also have to observe and implement a wealth of legal requirements. The topic of data protection, i.e. the protection of personal data, becomes even more important than it already was (or should have been), especially for start-ups, which largely set up digital business models.

The upcoming new regulations of the EU General Data Protection Regulation (GDPR) are aimed at companies of all sizes that process personal data. In today's digital age, this applies to almost every company and start-up. For the start-ups addressed, which develop or want to develop digital products and services, it is all the more advisable to include data protection issues in the first steps of the implementation of the idea or development of the product due to the upcoming stricter requirements. This can prevent a rude awakening, for example because the planned app or online marketing solution cannot be realistically implemented for data protection reasons, or legal requirements are so high that implementation fails in practice.

In the next phase, it should be borne in mind that this topic is now at the top of investors' lists. At the latest in the due diligence process, omissions come to light here and in the worst case stand in the way of the hoped-for financing.

Therefore, as a start-up and founder, you cannot have the topic of data protection on your agenda soon enough. The GDPR is now putting even more pressure on us. The requirements for the lawful handling of personal data are increasing and, especially due to the significantly higher fines (up to a maximum of 20 million euros!), you should no longer say "it will be fine".

Some essential obligations of the GDPR, which start-ups should observe as early as possible, are for example:

1. Lawfulness of the processing

In principle, the processing of personal data is prohibited unless it is expressly permitted. Permission may be the explicit consent of the data subject, for example the buyer/user of an app who consents to his or her data being processed.

Legal justifications are also possible. For example, data processing for the performance of a contract is permissible. For example, if you use a mobile game for which a fee is charged, data processing for registration and payment is necessary for the performance of the contract.

Finally, among other possibilities, processing based on legitimate interests of the processor is in particular permissible under the GDPR. This is a possible legal basis especially for processing in the area of marketing. Here, it only has to be checked beforehand whether the interests of the data subject do not outweigh the legitimate interests of the data subject and whether data processing must therefore be stopped.

Start-ups that process or want to process data from users/customers/potential customers should first thoroughly check whether this is permissible at all. The result of this check must also be documented.

2. Transparency and information obligations

In addition to the documentation of such results, it is important to establish appropriate transparency in data processing beforehand or from the beginning and to comprehensively inform data subjects how and to what extent their personal data is processed. For this purpose, in addition to the data protection declaration on the website (which still does not receive the appropriate attention everywhere), special data protection declarations in apps (which must fulfil somewhat different requirements than those of the website), the information within the scope of consent declarations are particularly relevant. Consent is only effective if it is given on the basis of comprehensive information. This must include information that consent can be revoked at any time.

But transparency also means that you have to inform people about what you are doing with the data.

3. Data subjects rights

Data subjects have far-reaching rights. In addition to the right to information about which data is stored about them, the right to correction and deletion, the right to data portability has been newly introduced by the GDPR. Data subjects have the right to demand that their data be made available to them in a common, machine-readable format. If they use an app that was developed by a start-up or another online service, the data stored about them must be made available to them in a common format upon request. This is intended to make it easier to switch from one provider to another in a data-saving manner and to take account of the principle of data economy.

4. Documentation and accountability

As mentioned before, relevant processes and decisions must be documented. It must be verifiable at all times that the processing of personal data complies with the requirements of the GDPR.

The documents that are mandatory for this include the directory of processing activities and the data protection impact assessment. A start-up must also keep such a register, even if it has fewer than 250 employees, as stated in the law, if the processing poses a risk to the rights and freedoms of the data subjects. This is the case, for example, with comprehensive data processing through apps and online services where payment data is also processed. In principle, it can be assumed that such a register must be maintained and always kept up to date.

The data protection impact assessment is now intended to ensure that the data processor thinks about the associated consequences and assesses the risks before starting data processing. This assessment must be documented. In particular, the considerations of this assessment shall be recorded.

5. Privacy by Design and Privacy by Default

Another important principle that start-ups cannot observe early enough is "Privacy by Design". According to this, data protection aspects must already be taken into account in the development phase and in every development step of a product such as software, apps or similar. The aim is to ensure that only the data that is really necessary for the respective service or product is collected and processed.

6. Reporting requirements

Should a data protection incident ever occur, the notification obligations must be observed. Depending on the impact, for example because a large amount of personal data or particularly sensitive data has been lost, it may be necessary to notify the data protection supervisory authorities. This notification must then be made within 72 hours of knowledge, which is hardly manageable without appropriate processes and precautions.

7. Order data processing

Furthermore, even or especially as a start-up, you rely on a variety of digital services that make your life easier and take over processes. Starting with website hosting, cloud services, IT support or HR software. All of these service providers somehow come into contact with personal data, even if it is "only" the data of their own employees. This is referred to as commissioned processing (according to the current BDSG still "commissioned data processing"), which requires a corresponding contract with the service provider. If you do not conclude such a contract, it can be really expensive.

In particular, cooperation with US service providers poses additional challenges that need to be overcome.

8. Data Protection Officer

Finally, even for a start-up, the question "do we need a data protection officer" arises? The answer depends, on the one hand, on whether the "magic limit" of 10 employees who are permanently entrusted with the processing of personal data is reached. This is already the case, for example, if 10 employees use an e-mail programme. But even with fewer employees, the appointment of a data protection officer may be necessary, for example if the core activity consists of processing special categories of data.

In any case, it should be checked whether the appointment of a data protection officer is necessary. The previous practice according to the motto "ok, you do it now", according to which a random employee was "ordered" to do it, is risky. The requirements for an effective appointment are not exactly low. The data protection officer must have special expertise and be correspondingly reliable. This requires further training and corresponding time resources. Thus, the appointment of an external data protection officer, which is explicitly mentioned as a possibility by the GDPR, may turn out to be much cheaper in the end than hiring an employee for this purpose.


As you can see, the requirements in this area are not exactly low. There are countless offers on the internet that promise quick help. Among them are serious offers that are usually not exactly cheap, but also offers that promise to create the necessary documents with a few "clicks" and in a few minutes. It is doubtful whether the latter even comes close to meeting the legal requirements.

Weitere Artikel

Apple requires privacy policies for apps - what to look out for?

Artikel lesen

DSGVO Guide for Startups: The 5 most important ToDo's

Artikel lesen

Data protection audit and fit-gap analysis explained!

Artikel lesen