TECHNOMATON | Docs SAI Certified Trainers

Data Protection

Version: 1.0 | Effective from: 1 January 2026


1. Purpose

This directive defines the rules for processing personal data in compliance with the GDPR (EU 2016/679) and applicable national data protection legislation.


2. Core Principles

| Principle | Description | Implementation |
| --- | --- | --- |
| Lawfulness | Have a legal basis | Legal basis check before processing |
| Purpose limitation | Only for a defined purpose | Purpose documentation in ROPA |
| Minimization | Only necessary data | Data audit, deletion of unnecessary data |
| Accuracy | Data must be correct | Validation, updates, corrections |
| Storage limitation | No longer than necessary | Retention policy, auto-delete |
| Integrity | Data security | Encryption, access control |
| Accountability | Demonstrate compliance | Documentation, audit trail |

| Legal basis | When to use | Example |
| --- | --- | --- |
| Consent | Voluntary, specific, informed | Marketing, cookies |
| Contract | Necessary for contract performance | Product delivery |
| Legal obligation | Required by law | Taxes, accounting |
| Legitimate interest | Your interest > data subject’s rights | Fraud prevention |
| Vital interest | Protection of life | Medical emergency |
| Public task | Exercise of public authority | Government administration |

Valid consent must be:

  • Freely given — without coercion, not a condition of service
  • Specific — for a clearly defined purpose
  • Informed — the data subject knows what they are consenting to
  • Unambiguous — active action, not a pre-ticked checkbox
  • Withdrawable — at any time, as easily as it was given

3.3 Legitimate interest — LIA

Before using legitimate interest, conduct a Legitimate Interest Assessment:

  1. Purpose test: What is the legitimate interest?
  2. Necessity test: Is the processing necessary?
  3. Balancing test: Does the interest outweigh the data subject’s rights?

4. Data Subject Rights (DSAR)

4.1 Overview of rights

| Right | Article | SLA | Description |
| --- | --- | --- | --- |
| Information | Art. 13/14 | At collection | What we process |
| Access | Art. 15 | 30 days | Copy of data |
| Rectification | Art. 16 | 30 days | Correction of errors |
| Erasure | Art. 17 | 30 days | Deletion of data |
| Restriction | Art. 18 | 30 days | Suspension of processing |
| Portability | Art. 20 | 30 days | Data export |
| Objection | Art. 21 | 30 days | Objection to processing |
| Automated decision-making | Art. 22 | 30 days | Human review |

4.2 DSAR Workflow


5. Data Breach Management

5.1 Breach definition

| Type | Example | Is it a breach? |
| --- | --- | --- |
| Confidentiality | Data leaked to a third party | Yes |
| Integrity | Data was modified | Yes |
| Availability | Data lost without backup | Yes |
| Encrypted data stolen | Attacker has encrypted data | Depends on context |

5.2 Notification Timeline

5.3 When not to notify the DPA

  • Data was encrypted and the key was not compromised
  • The breach is unlikely to impact the rights of data subjects
  • Document the decision!

6. Vendor Management (DPA)

6.1 Before vendor onboarding

  • Due diligence (security questionnaire)
  • DPA (Data Processing Agreement)
  • Sub-processor list
  • Data location (EU preferred)

6.2 Required DPA content

| Item | Description |
| --- | --- |
| Subject of processing | What the vendor processes |
| Duration of processing | How long |
| Nature and purpose | Why |
| Types of data | What data |
| Categories of data subjects | About whom |
| Rights and obligations | Controller vs. Processor |
| Sub-processors | List + approval process |
| Security measures | Technical + organizational |
| Breach notification | Reporting SLA |
| Audit rights | Right to audit |
| Deletion | After contract termination |

7. Privacy by Design

7.1 Principles

| Principle | Implementation |
| --- | --- |
| Proactive | Privacy from the start, not retroactively |
| Default | Privacy as default setting |
| Embedded | Part of the architecture |
| Full functionality | Privacy + functionality |
| End-to-end | Entire lifecycle |
| Visibility | Transparency |
| User-centric | Respect for data subjects |

7.2 New project checklist

  • Data minimization: Are we collecting only necessary data?
  • Purpose limitation: Do we have a clear purpose?
  • Legal basis: What is the legal basis?
  • Retention: How long do we retain?
  • Security: Encryption, access control?
  • Third parties: Who has access?
  • Subject rights: How do we handle DSARs?

8. DPIA (Data Protection Impact Assessment)

8.1 When a DPIA is required

  • Automated decision-making with legal effects
  • Large-scale processing of special category data
  • Systematic monitoring of public spaces
  • New technologies with high risk
  • Profiling with significant effects

8.2 DPIA Process

  1. Description of processing — What, why, how
  2. Necessity assessment — Is it necessary?
  3. Risk identification — What risks?
  4. Risk mitigation — How to minimize?
  5. DPO consultation — Review
  6. Approval — Sign-off
  7. DPA consultation — If high residual risk

9. Retention & Deletion

9.1 Retention Schedule

| Data category | Retention | Basis |
| --- | --- | --- |
| Customer data | Duration of contract + 3 years | Business need |
| Employee data | Duration of employment + 10 years | Legal requirement |
| Financial records | 10 years | Accounting regulations |
| Marketing data | Until consent withdrawal | Consent |
| Log data | 1 year | Security |
| Backup data | 30 days after deletion | Technical |

9.2 Deletion Process


10. Training & Awareness

| Role | Training | Frequency |
| --- | --- | --- |
| All employees | GDPR basics | Annually |
| Customer support | DSAR handling | Semi-annually |
| Engineering | Privacy by design | Semi-annually |
| Marketing | Consent, direct marketing | Annually |
| HR | Employee data | Annually |

11. Policy Review

  • Quarterly: Review DSAR log, incidents
  • Semi-annually: Update per regulatory guidance
  • Annually: Full policy review + DPO approval

Next review: Q2 2026