
GDPR Basics for German SMEs: Processing Records, TOM, and Practical Compliance Steps

Kathrin Fischer
2026-02-09, 16 min read

Essential GDPR compliance guide for SMEs: lawful bases, processing records (VVT), technical measures (TOM), data breaches, rights of subjects, penalties, and 10-step implementation checklist.

The GDPR is not just for tech giants. Every business collecting customer names, email addresses, phone numbers, or payment details must comply. That includes your 5-person SME. Non-compliance carries fines up to €20 million or 4% of annual turnover — whichever is higher. For a €10 million business, that's a €400,000 penalty. Even a €1 million startup risks €40,000.

This guide breaks down GDPR into actionable steps. You'll learn which personal data you can process legally, how to document it (processing records), what technical safeguards to implement (TOM), and how to respond if things go wrong. By the end, you'll have a practical roadmap for compliance.

Who Must Comply with GDPR?

Simple answer: anyone processing personal data. That's every business. You don't need to be a global corporation. Processing includes:

  • Collecting customer email for newsletters or order confirmations
  • Storing employee phone numbers in a contact list
  • Processing customer IP addresses via Google Analytics
  • Maintaining accounting records with customer names and addresses
  • Recording sales transactions with payment details
  • Storing customer feedback or support tickets
  • Using CCTV with recorded faces

No Exemption for Small Business

Unlike some regulations, GDPR has no small-business exemption. Even solo entrepreneurs must comply. However, GDPR is proportionate — a small business's obligations are smaller than a multinational's.

The 6 Lawful Bases for Processing (Artikel 6 DSGVO)

You cannot process personal data randomly. Article 6 GDPR lists exactly 6 scenarios where processing is legal. At least one must apply.

1. Consent (Einwilligung)

The person explicitly agrees. Consent must be:

  • Free: Not coerced. No "agree or we won't sell you anything."
  • Specific: Clear what data and for what purpose.
  • Informed: The person understands what they're agreeing to.
  • Unambiguous: Affirmative action required. Pre-ticked boxes are illegal.

Example: Newsletter signup with a checkbox "I want to receive marketing emails" (unticked by default). The person must actively tick it.

2. Contract (Vertragserfuellung)

Processing is necessary to perform a contract with the person. Examples: processing customer address to ship an order, storing payment details to charge for services.

This is the easiest lawful basis for e-commerce and SaaS businesses.

3. Legal Obligation (Rechtliche Verpflichtung)

You're required by law to process the data. Examples: storing invoices for German tax law (GoBD requires 10 years), keeping employment records, reporting suspicious transactions for money laundering (AML).

4. Vital Interests (Lebenswichtige Interessen)

Processing is necessary to protect life or serious health. Example: using medical records in a hospital. Rarely applies to SMEs.

5. Public Task (Wahrnehmung von Aufgaben im oeffentlichen Interesse)

Processing is necessary for a public task. Applies mainly to governments and public institutions, not private businesses.

6. Legitimate Interest (Berechtigte Interessen)

Processing serves your legitimate business interests, provided the person's rights aren't overridden. This is tricky and fact-dependent.

Example of legitimate interest: Processing customer behavior data to improve your website UX. You have a legitimate interest in UX optimization, and customers don't have a strong counter-interest.

Example of NOT legitimate interest: Selling customer emails to competitors. You have an interest, but customers clearly expect their data won't be shared.

Best Practice

For most SMEs, use Consent (explicit, easy to document) and Contract (for service delivery). Avoid Legitimate Interest unless you've done a formal "Balancing Test" (Interessensabwaegung) and documented it.

Processing Records (Verarbeitungsverzeichnis / VVT)

Article 30 GDPR requires you to maintain a Verarbeitungsverzeichnis (processing record) if you:

  • Have 250+ employees, OR
  • Process personal data as your core business activity (e.g., you're a data processor, marketing agency, HR consultancy), OR
  • Process data "on a large scale"

In practice, almost all SMEs should maintain a VVT, because most process data on a large scale (e.g., customer database, employee records, website analytics).

What goes in the VVT:

Field: Example

  • Name of processing: Customer Relationship Management (CRM)
  • Purpose: Manage customer interactions, send invoices, provide support
  • Data categories: Names, email addresses, phone numbers, purchase history
  • Data sources: Customer input during signup, purchase transactions
  • Recipients/Processors: Salesforce Inc. (processor), internal sales team (recipient)
  • Retention period: 5 years after last purchase; then deletion
  • Data subject categories: Customers aged 18+
  • Technical/Organizational Measures (TOM): Encrypted server, password-protected access, staff training

You don't need a fancy template. A Google Sheet or Excel list with these columns is sufficient. Keep it updated as your data practices change.

Technical and Organizational Measures (TOM)

Article 32 GDPR requires you to implement reasonable security measures to protect personal data. "Reasonable" means proportionate to the risk. A solo consultant's email doesn't need bank-level encryption, but a healthcare business does.

Essential TOM for most SMEs:

  • Encryption: All sensitive data (passwords, payment details) must be encrypted in transit (HTTPS) and at rest (encrypted databases).
  • Access Control: Only authorized staff can access personal data. Use role-based access (e.g., only finance team sees payment details).
  • Authentication: Strong passwords, multi-factor authentication (MFA) for sensitive systems.
  • Backup: Regular automated backups of critical data, tested recovery procedures.
  • Pseudonymization: Where possible, replace direct identifiers with pseudonyms or work with anonymized data (e.g., strip identifiers before analytics).
  • Employee Training: All staff handling personal data must understand GDPR basics. Document that you trained them.
  • Data Minimization: Collect only data you actually need. Delete it when no longer necessary.
  • Incident Response Plan: Written procedures for data breaches (see below).

Reference your TOM in your VVT. For each processing activity, note which measures apply.

Data Protection Officer (Datenschutzbeauftragter) — When Required

You need a DPO if you:

  • Are a government agency (usually mandatory)
  • Have 20+ employees regularly processing personal data (a German rule in the BDSG that goes beyond the GDPR itself)
  • Process data as your core business (data brokers, processors)

Most SMEs don't need a full-time DPO. But some should designate someone (even part-time) responsible for GDPR compliance — often the HR/finance manager.

Data Processing Agreements (Auftragsverarbeitung / AVV)

If you use external vendors to process personal data (cloud storage, SaaS tools, marketing agencies, payroll providers), you must have a Data Processing Agreement (AVV).

Examples where you need an AVV:

  • Using Salesforce to store customer data
  • Using Google Analytics to track website visitors
  • Using HubSpot for email marketing
  • Using a payroll provider (Lexware, Sage, etc.) to process employee data
  • Using Dropbox or Google Drive to store customer files
  • Using an email service (Brevo, Klaviyo) for newsletters

The AVV specifies that the vendor (processor) can only process data on your instructions, must implement security measures, and can't share data with third parties without permission.

Good News

Most reputable SaaS companies provide pre-signed AVVs. Check their terms or request one. If they refuse, that's a red flag.

See our detailed guide on /blog/auftragsverarbeitung-avv-dsgvo-guide for negotiating AVVs.

Data Breach Notification (Datenpanne)

A breach = unauthorized access/disclosure/loss of personal data. Examples: hacked customer database, employee laptop with unencrypted files stolen, accidental email to wrong recipient.

Your obligations:

  • Notify authorities (Aufsichtsbehoerde): Within 72 hours of learning about the breach. Contact the data protection authority for your German state (e.g., the Landesbeauftragte fuer den Datenschutz und die Informationsfreiheit, LfDI, if you are in Baden-Wuerttemberg).
  • Notify affected people: Without undue delay if the breach poses high risk to their privacy. Example: credit card data stolen, definitely notify. Anonymous data accessed, probably not necessary.
  • Document everything: Keep records of what happened, when you found out, what you did.

Important: Notification to authorities is mandatory and automatic. You can't escape it by "handling quietly."

Rights of Data Subjects (Betroffenenrechte)

Individuals have 8 key rights. You must honor requests within 30 days (extendable to 90 days if complex).

  • Right of Access (Auskunftspflicht): "What data do you have on me?" You must provide a copy of all personal data you hold.
  • Right to Rectification (Berichtigungsrecht): "Fix my address; it's wrong." You must update inaccurate data.
  • Right to Erasure (Recht auf Loeschung / Right to be Forgotten): "Delete my data." You must delete it unless you have a legal basis to retain it (e.g., tax law).
  • Right to Restrict Processing: "Don't use my data until you fix it." You pause processing but keep the data.
  • Right to Data Portability: "Give me my data in a portable format (CSV, JSON)." Applies if you based processing on consent or contract.
  • Right to Object: "Stop processing my data for marketing." You must stop (unless you have a legal basis like legal obligation).
  • Right to withdraw Consent: If consent was the lawful basis, they can withdraw it anytime. You must stop processing.
  • Rights related to Automated Decision-Making: If you use AI/algorithms to make decisions about them (e.g., loan approval), they have rights to explanation and human review.

Practical tip: Set up a process for handling these requests. Assign one person as the point of contact. Keep a log of requests and responses.

GDPR Fines and Penalties (Bussgelder)

Violations carry staggered fines:

Violation type / Max fine / Examples

  • Most violations: €20 million or 4% of global annual revenue. Examples: missing TOM, no AVV, no VVT
  • Processing without lawful basis: €20 million or 4% of global annual revenue. Example: processing emails without consent or contract
  • Not honoring data subject rights: €20 million or 4% of global annual revenue. Example: refusing to delete data when requested
  • Not notifying a breach: €10-20 million or 2-4% of revenue. Example: hiding a data breach from authorities

Important: Fines are based on global annual revenue, not just the German branch. A €1 billion company pays €40 million; a €10 million startup pays €400,000.

No Safe Harbor

Claiming ignorance is no defense. "I didn't know about GDPR" won't protect you from fines. Ignorance may reduce the fine slightly, but won't eliminate it.

Privacy Policy Requirements

You must publish a privacy policy (Datenschutzerklaerung) describing:

  • What data you collect and why
  • Your lawful basis for each processing activity
  • How long you retain data
  • Who you share it with (third parties, processors)
  • How people can exercise their rights (access, deletion, objection)
  • Contact information for exercising rights
  • Your DPO contact (if you have one)
  • Information about automated decision-making / profiling

Place the privacy policy on your website, email signup forms, and app. Make it readable and accessible (not hidden in tiny font).

Cookie Consent

Tracking cookies are personal data (they identify devices/people). You need consent before placing them.

Exception: "Strictly necessary" cookies (for site functionality, security, load balancing) don't need consent. All others do.

Google Analytics: Technically requires consent in EU (GDPR + ePrivacy Directive). Best practice: ask for consent before loading GA.

Tools: Use cookie management platforms (Cookiebot, OneTrust) that handle consent banners, track consent choices, and manage scripts.

Email Marketing

Sending marketing emails requires prior explicit consent (with a limited exception for existing customers).

Best practice: Double opt-in. The person signs up, you send a confirmation email saying "Click here to confirm," and only then do you add them to your list. This keeps your list clean and proves consent.

Every email must include: unsubscribe link, company name, address. Honor unsubscribe requests immediately.

Employee Data

Processing employee data (salary, phone, address, performance reviews) is contract-based (employment contract = lawful basis). But you still need to:

  • Store it securely (encrypted, access restricted to HR/management)
  • Limit retention (e.g., delete performance reviews after 3 years, keep payroll records for 10 years per tax law)
  • Inform employees in your employee handbook about data processing
  • Have a processor agreement if using HR software (Personio, BambooHR, etc.)
  • Grant employees rights to access their own data

10-Step GDPR Compliance Checklist for SMEs

  • Step 1: Inventory: List all systems/software where you store personal data (CRM, email, website, accounting, HR system, Google Analytics, social media, etc.). Identify what data each collects.
  • Step 2: Audit Lawful Basis: For each data collection, determine which of the 6 lawful bases applies (consent, contract, legal obligation, etc.). Document it.
  • Step 3: Create Verarbeitungsverzeichnis: Build a simple spreadsheet listing all data processing activities with purpose, data types, retention periods, recipients, and TOM.
  • Step 4: Implement TOM: Audit your technical security. Ensure encryption (HTTPS, encrypted databases), access control, MFA for sensitive systems, backups, and staff training.
  • Step 5: Sign Data Processing Agreements (AVVs): Contact all SaaS vendors, request their AVV, and sign it. Document compliance.
  • Step 6: Privacy Policy: Write or update your privacy policy. Describe all data collections, lawful basis, retention, and individual rights.
  • Step 7: Cookie Consent: Install a cookie management platform (Cookiebot, OneTrust) and get consent before tracking cookies.
  • Step 8: Data Subject Rights Process: Create a simple form/email address where people can request data access, deletion, correction. Document responses.
  • Step 9: Breach Response Plan: Write an incident response procedure. Outline who to notify (Aufsichtsbehoerde), timelines (72 hours), and what documentation to keep.
  • Step 10: Staff Training: Conduct basic GDPR training with all staff handling personal data. Document that it happened. Repeat annually.

Schrems II and Implications for US Cloud Providers

The Schrems II ruling (July 2020) invalidated the Privacy Shield framework for transferring data from EU to US. This affects AWS, Azure, Google Cloud, Salesforce, HubSpot — all US-based providers.

Requirement: If using US cloud providers, you must sign a Standard Contractual Clauses (SCC) addendum with explicit security guarantees. Most reputable providers (AWS, Salesforce, Azure) now include SCCs.

Alternative: Use EU-based providers (Hetzner, IONOS, OVH for hosting; Lexoffice, DATEV for accounting). Ensures data stays in EU.

Practical Resources for SMEs

  • Datenschutzkonferenz (DSK): German data protection authorities. Free guidance at https://www.datenschutzkonferenz-online.de
  • Bundesbeauftragter fuer den Datenschutz und die Informationsfreiheit (BfDI): Federal data protection authority. Excellent templates and FAQs at https://www.bfdi.bund.de
  • State authorities: Each German state has its own Datenschutzbehoerde. Find yours via the BfDI website.
  • GDPR Documentation Templates: Free templates for VVT, privacy policy, AVV from GDPR.eu or your state DPO.
  • Tools: Cookiebot (cookie consent), Termly (privacy policy generator), Personio (HR with AVV included)

Connection to GoBD and Accounting

German tax law (GoBD) requires you to store invoices and accounting records for 10 years with metadata (date, amount, parties). This is a legal obligation lawful basis under Article 6(1)(c) GDPR. Your accountant/Finanzamt is a recipient of this data. Ensure your accounting software has an AVV or at least a data processing clause.

When to Get Help

If you're processing only basic customer data (names, emails) for a simple business, the 10-step checklist above gets you 80% compliant. But consider hiring a GDPR consultant if you:

  • Process sensitive data (health, payment details, children's data)
  • Use complex AI/algorithms for decision-making
  • Have international customers (GDPR applies globally)
  • Recently had a data breach
  • Are in a heavily regulated industry (fintech, healthcare)
  • Have 100+ employees

A GDPR consultant costs €2,000-€10,000 for a full audit and implementation plan — expensive, but far cheaper than a €100,000+ fine.

Final Thought

GDPR isn't meant to destroy business; it's meant to protect people's privacy. If you're transparent about data collection, implement reasonable security, honor people's rights, and document your decisions, you'll be compliant. Start today with the 10-step checklist and stay consistent.


Disclaimer: Finance Stacks is not a financial advisory service. All content is for informational purposes only and does not replace professional advice from a tax advisor, accountant, or financial consultant.