Personal data

Data protection

Every individual has the right to the protection of their personal data, and anyone processing personal data in a non-private context is obligated to respect these rights and protect the data. These rights and obligations are collectively referred to as "data protection."

Data protection is a rapidly evolving field. National supervisory authorities and European institutions are continuously issuing new guidelines, rulings, and clarifications, which both public and private organizations must comply with.

There is also increasing attention to data protection—from consumers and society at large—in response to data breaches and the misuse of personal information. Data protection is therefore more than just regulatory compliance; it is a foundation for stakeholder trust. For this reason, data protection should be an integrated part of any organization’s operating model, with compliance continuously monitored and controlled.

A strong and up-to-date GDPR compliance framework reduces risk for data subjects and protects the organization from data breaches, regulatory investigations, liability claims, enforcement actions, fines, and reputational damage.

BDO offers

Establishing a strong GDPR compliance framework—and maintaining it as the regulatory landscape and the organization itself evolve—can require significant internal resources. This includes changes such as new business areas or customer groups, acquisitions, or the adoption of new technologies.


BDO supports organizations in this process through services including:

  • Supervision of data processors
  • Drafting and negotiation of data processing agreements
  • GDPR 2.0 – development and updating of GDPR documentation
  • Implementation of governance structures
  • Preparation of risk assessments and data protection impact assessments (DPIAs)
  • Support for system implementation and integration
  • Assistance with ad hoc GDPR-related questions arising in daily operations


With BDO Data Protection, you get:

  • A team of experienced advisors with deep expertise in data protection and compliance
  • Access to specialist knowledge in related areas such as IT, cybersecurity, AI, and ESG
  • Hands-on involvement, including from senior professionals
  • Ongoing communication and close collaboration with you as the client, with advice tailored to your specific challenges
  • Transparency in task execution and deliverables

The general data protection regulation

All companies, organizations, and public authorities that process personal data are subject to the General Data Protection Regulation (GDPR), which was adopted in 2018. Personal data is not limited to information about health, political beliefs, sexual relationships, and the like; it covers all information that can be attributed to a person, such as an address, phone number, or email.

The EU General Data Protection Regulation (GDPR) has generated and continues to generate much discussion due to its stringent requirements and large fines, often leading to more questions than answers.

Q: Are only sensitive personal data (information about health, political beliefs, sexual relationships, etc.) covered by the new regulation?

A: No – it includes all information that can be attributed to a person, such as address, phone number, and email.

Q: Do all companies need a Data Protection Officer (DPO)?

A: No – far from it. A DPO must be appointed when the company’s core activities largely involve either regular and systematic monitoring of individuals or the processing of sensitive personal data.

Q: Is a record of personal data processing necessary?

A: Yes – we recommend creating such a record to document personal data processing for the Data Protection Authority. Companies with over 250 employees must prepare the record.

Do you have more questions about the new data protection law?

Let us help answer all the other questions you may have about the EU General Data Protection Regulation and provide advice on implementing the new requirements for data controllers or processors.

We have extensive knowledge of the GDPR and advise on the legislative requirements for companies, organizations, and public authorities. Our advice focuses particularly on how the many provisions of the regulation can be implemented in practice, thereby providing value and ensuring that personal data is recorded and processed correctly. In our advice, we build on already established policies, procedures, and security measures for the protection of personal data.
