Data Protection as a competitive advantage

NOTOS Xperts GmbH focuses on data protection.

We are convinced: the legally compliant handling of personal data in digital business is a success factor, if not the success factor. Digitalization creates new business and process models, but at the same time requires access to flexible, decentralized IT resources (cloud computing: SaaS, PaaS, IaaS). Valuable business-critical data must be stored comprehensively, systematically and everywhere, and analyzed, evaluated and used profitably. This immediately brings data protection compliance into focus.

Whether as external data protection officers or consulting experts, we see our task in reconciling your economic goals with the interests of data protection and the data subjects in the best possible way.

Professional consulting

All our consultants (IT specialists, information counsels and IT specialists) have the necessary expertise and are already working as external data protection officers for more than 50 companies in Germany - from retailers to international corporations.

Data protection consulting is essential for a company's compliance. The fines laid down in Art. 83 GDPR, which can amount to millions for larger corporations, clearly illustrate the relevance of processing data in compliance with the law.

Almost all business models today are data-driven. Ways must be found to pursue the economic interests in data processing as far as the law permits.

Our services

Our data protection consulting offers you the support you need to optimize your business and prevent sanctions. The focus is always on your economic interests and the particularities of your business model and operational processes.

Our working languages are German and English.

NOTOS Xperts GmbH cooperates with the law firm NOTOS Partnerschaft von Rechtsanwälten mbB in the field of data protection consulting. This allows us to guarantee our customers in-depth, process-specific legal advice and representation at any time.


External data protection officer and his deputy

If your company regularly processes personal data, it requires a data protection officer in accordance with Art. 37 GDPR. In addition, according to § 38 BDSG (German national data protection law), your company requires a data protection officer if at least ten persons are constantly engaged in the automated processing of personal data. We will provide you with an external data protection officer. Our external data protection officers are specialists in the field of data protection and related fields and offer you first-class support. The following services are included in the appointment of one of our external data protection officers:

  • Advice on compliance with statutory data protection requirements
  • Information about relevant data protection developments that may have an impact on your company and your business practice
  • Monitoring and supervision of compliance with data protection regulations
  • Development of data protection strategies that take your economic and business interests into account to the greatest possible extent
  • Promoting data protection compliance
  • Protection against fines of up to € 20,000,000 or 4% of the worldwide annual turnover of the previous business year
  • Identifying, evaluating and eliminating or minimising risks associated with the processing of personal data
  • Carrying out data protection audits and stocktaking and jointly developing necessary measures
  • Advice on and implementation of data protection impact assessments in accordance with Art. 35 GDPR
  • Support in data protection documentation and ensuring the accountability of the Controller in accordance with Art. 5 para. 2 GDPR
  • Provision of legal contract samples, texts, forms, templates for data protection and adaptation of these to the business conditions
  • Support in the creation and maintenance of records of processing activities in accordance with Art. 30 GDPR
  • Conception and coordination of operational data protection
  • Establishment of a process-oriented data protection management system
  • Introduction of a data protection organisation adapted to operational processes and conditions
  • Evaluation of existing software under data protection law and support in the introduction of new software with regard to data protection
  • Design of functional data protection processes for the optimal implementation of data protection requirements
  • Correspondence with supervisory authorities
  • Function as a single point of contact for supervisory authorities in data protection matters


External data protection coordinator

The data protection coordinator can often be found in corporations or companies with an existing data protection organisation. He or she works on a project-related basis and provides support in all data protection issues within his or her area of responsibility. Our external data protection coordinators - as well as our external data protection officers - work solution-oriented and have in-depth knowledge of data protection law and related legal areas as well as IT know-how.

External data protection consultant

We will provide you with an external data protection consultant. He or she will advise the data protection officer and the data protection organisation of your company. Our data protection consultants support you with their expertise both in regular operations and in project work. 

Data protection compliance

Data protection has long been a compliance task. This has been made clear once again by the draconian penalties which the GDPR stipulates and which are reminiscent of fines from the area of antitrust law. The data protection supervisory authorities have several possibilities and powers to sanction unlawful data processing by companies. These powers are regulated in Art. 58 GDPR. They include, among others:

  • warnings issued to controllers or processors with regard to intended or existing processing of personal data
  • orders to respond to requests from data subjects regarding their data subjects' rights
  • orders to bring unlawful processing operations into compliance with data protection regulations within a specified time period
  • the imposition of a temporary or definitive restriction on processing, including a ban on such processing
  • imposition of administrative fines under Art. 83 GDPR (in the worst case € 20,000,000 or 4% of group turnover) in place of or in addition to other remedies

We help you to make your company compliant in terms of data protection and support you with inquiries and measures from supervisory authorities. Our expertise enables us to immediately define the need for action and prioritize it according to its importance.

Corporate data protection

The processing of personal data within a group can be very complex. Business processes and data processing cannot always be assigned to a single business area and often take place across companies or business areas. In addition, it can be difficult to correctly record data flows and ensure the lawfulness of processing in each processing step. Our services cover all the challenges of corporate data protection and coordinate the complex data protection in your corporation.

Data protection in the field of healthcare

Data protection in the field of healthcare is very sensitive; supervisory authorities pay particular attention to the processing of health data. This affects medical practices and doctors, hospitals, nursing and elderly care services, pharmacies, pharmaceutical companies, laboratories and much more. According to Art. 9 GDPR, health data belong to the special categories of personal data and are therefore particularly worthy of protection. We help you to make the processing of health data as legally correct as possible. 

Employment data protection

What is the most important capital of a company? Of course the employees. If the employees are so important for the success of a company, then of course so are their data, which are ultimately an inseparable part of them. Employers can do a lot with their employees' data; they can assess work performance, monitor employees or gain insight into employees' private lives. Often, employee data is also fed into databases that are accessible to a large number of people within the company. Such processes must be critically evaluated from the data protection point of view. Processes involving employee data that seem harmless at first glance often turn out, on closer inspection, to be prohibited under data protection law or at least tied to stricter conditions. In order to determine what can be done with employees' data, competent data protection consulting is necessary. We will show you how you may proceed with the data of your employees and where the limits of data protection law lie.

Data protection for small and medium-sized enterprises (SMEs)

Data protection also does not stop at small and medium-sized enterprises. Such companies often lack the human and professional resources to implement data protection requirements on their own. Competent help is urgently needed here. We relieve your company of the heavy burden of data protection and support you in complying with data protection regulations. We provide you with tailor-made data protection that is customized to the specific needs of your company.

Data protection for associations

Associations must also comply with data protection requirements, regardless of their size, organisational form or commercial interests. They process personal data of their members, sponsors and cooperation partners.

However, as is the case with small and medium-sized companies, associations regard data protection as a burden. From the point of view of an association, competent and demand-oriented assistance is of high value here. Our expertise helps you to bring data protection in your association "up to speed" without affecting your activities.

Data protection texts

From large corporations to small businesses, business practice requires the use and application of various data protection documents, which on the one hand must meet and reflect the legal requirements, but on the other hand must also represent subjective interests as far as possible. We support you in the creation and adaptation of all data protection documents that your company needs. We carry out an inventory and first determine which documents and templates you need. Then we provide you with raw templates and individualize them according to the specifics of your business. You also have access to the documents and templates in your personal area of our homepage under "Documents, Templates" on the basis of your data protection subscription.

Data protection-compliant corporate organization incl. group-wide and international data transfers

The unrestricted use and utilisation of personal data (customer, supplier and employee data) is a major incentive for many companies. The transfer and exchange of data between individual companies and affiliated companies should be possible. However, data protection law stipulates certain requirements here. In particular, if the data is to be transferred to a so-called insecure third country, increased data protection requirements must be observed. Insecure third countries are countries that do not have an adequate level of data protection. The reason for this is primarily the lack of or inadequate data protection legislation and the lack of supervisory authorities with corresponding enforcement powers, which is why the data protection rights of data subjects cannot be adequately protected. We review your (intended) data transfers and bring them into compliance with European and German data protection law.

GDPR audits at group, company, department and application level

A serious data protection consultation should always begin with an audit to determine which data protection deficits the company has and which measures need to be implemented as a result. Audits can be carried out on company, department and application level. The data protection requirements can be projected almost equally on every level. During an audit it can be determined, for example, whether and which gaps exist in the data protection documentation, which existing technical and organizational measures do not meet the legal requirements or whether and to what extent active business processes and applications need to be optimized under data protection aspects.

Data protection contract management (data processing agreements, joint controller agreements, controller-to-controller agreements)

Proper contract management is very important in data protection. Often there are many players who need to access personal data to varying extents. Here you quickly lose the overview. Every business relationship in which data is processed in any way must first be able to be justified on a legal basis. In addition, the use of contracts is often necessary. In data protection practice, so-called data processing agreements are very frequently used. For example, whenever a company uses external service providers to outsource certain business processes and the contractor gains access to personal data, such a contract must be concluded with the company by defining its scope of action and regulating its rights and obligations in accordance with data protection law.

Data protection impact assessments

The data protection impact assessment pursuant to Art. 35 GDPR is a novelty in data protection law which was introduced for the first time by the GDPR. It is based on the risk-based approach of the GDPR and therefore pursues the objective of eliminating or at least minimising risks to the rights and freedoms of data subjects as far as possible. Processing operations involving risks must first be identified in order to be able to subsequently propose technical and organisational measures to combat the risks.

Concepts for fulfilling the data subjects' rights

Data subjects' rights are the key to safeguarding data protection law and the autonomy of data subjects. These rights are laid down in Art. 15 - 22 GDPR. The data subject has the right to request from the controller information, rectification, erasure, restriction of processing or transfer of his/her personal data. Furthermore, the data subject may object to the processing.

The handling of requests from data subjects to exercise their rights requires certain steps to be taken in chronological order. Our consultants have experience in the handling of data subjects' rights and can work with you to develop a concept that regulates all relevant points from the identification of the data subject to the documentation of the request.

Establishment of a company/group-wide data protection management system

A functioning data protection management system offers numerous advantages. The term data protection management is to be understood in the sense of a logical and optimised organisation of internal data protection that is suitable for the fulfilment and implementation of all tasks arising from data protection law. On the one hand, the processes are faster and coordinated when data protection tasks have to be completed. For example, rights of data subjects can be fulfilled much more easily if responsibilities have been defined from the outset and the storage locations of personal data have been identified. A well thought-out data protection management system also speaks for itself in crisis situations where action is needed more quickly. If, for example, a personal data breach exists and, according to the wording of Art. 33 GDPR, this must be reported "without undue delay and, where feasible, not later than 72 hours" to the lead supervisory authority, an optimised data protection management system can be optimally used. It can avert greater damage for the data subjects and leave a good impression on the supervisory authority, which at best can lead it to refrain from measures such as the imposition of fines. We will help you to set up or build a solid data protection organization and optimize your processes to shorten reporting and response times.

Direct marketing, digital marketing, generation and use of qualified leads/interest data

Leads and prospects are the focus of sales activities. The continuous acquisition of new customers is a substantial factor for the success of a company. But not every measure is permissible from a data protection point of view. Addressing leads and prospects constitutes processing of personal data. A legal basis is therefore necessary. In addition, competition law requirements resulting from the UWG (German Unfair Competition Act) must be observed. We examine your project from a data protection and competition law point of view and ensure that you comply with these requirements.

Setup of CRM databases

Customer data is a particularly valuable asset for companies. It needs to be maintained regularly to stay up to date. The use of CRM databases makes it easier for numerous employees from different departments to access customer data and thus also their organization and administration. However, data protection requirements must be observed. In particular, the focus here is on Art. 25 GDPR (Privacy by Design and Default). Data protection must already be observed when selecting and purchasing IT systems and applications. This means that the software must be able to meet basic data protection requirements, such as the erasure of personal data or the system-side assignment of roles and rights according to the need-to-know principle. This requirement applies not only to developers, but also to software users, including your company.

Conception and implementation of technical-organisational measures (TOMs)

The GDPR obliges the controller to implement appropriate technical and organisational measures to ensure a level of protection that is appropriate to the risk to the rights and freedoms of data subjects. These measures must be able to ensure, among other things, the confidentiality, integrity, availability and resilience of IT systems. Our consultants support you in the selection and implementation of suitable and appropriate technical and organizational measures and the documentation of these.

See also IT Security.


Crisis communication with the supervisory authority

When the horse has already left the barn... only competent and prompt communication with the supervisory authority can help. We take over the correspondence with the supervisory authority and strive for a quick clarification of the facts. We initiate all necessary steps as quickly as possible and try to keep the damage as low as possible for both your company and the data subjects.

Information duties and social media connections and applications

In communication with prospects, customers, suppliers and employees as well as in public relations, the use of social media components and fan pages is indispensable. More modern websites often have interfaces to social media platforms through which companies can expand their online presence. This often takes the form of so-called social plug-ins, which in turn can also enable direct interactions between website visitors, such as likes, shares and comments. However, it must be borne in mind that personal data of website visitors is also transmitted from the website to the platform operators. The use of such services must therefore be reflected in the company's data protection information. We create the necessary information for your company, such as data protection statements and notices, with which you can fulfill your information duties.

Data protection reports

Data protection is a matter of management. Art. 38 para. 3 sentence 3 GDPR already states that the data protection officer reports "directly to the highest management level". We support you in the preparation of data protection reports, usually at the end of each financial year. We prepare for you the contents that would have to be included in the respective report. On request, we can also take over the conception and preparation of the report in its entirety.

Your contact person:

Erdem Durmus

Authorized representative | External Data Protection Officer

ISO 27001
Certificates of competence for data protection officers
Basic certificate of project management from GPM

Your contact person:

Jens Engelhardt

Managing Partner | External Data Protection Officer

Specialist lawyer for Copyright and Media Law
Specialist lawyer for Intellectual Property Law
Specialist lawyer for IT Law