On May 25th, 2018, the new data protection law came into force.
Here you'll find an overview of the new requirements and necessary actions.


Overview of the new data protection law

What's it all about?

The new General Data Protection Regulation (GDPR for short) defines how companies handle and process personal data. The new law aims to professionalize how companies handle the data protection of EU citizens.

Who is affected by the GDPR?

Everyone who collects and processes personal data, no matter whether it's a company, society or authority.

What is personal data?

Personal data is data that refers to a (theoretically identifiable) person (e.g. prospective clients, employees, applicants…). Even an IP address is considered personal data, since it takes only little effort to identify a person by his or her IP address. This means: as soon as you use an analysis tool (like Google Analytics), or even if your server only saves access logs, you are processing personal data.

Can I simply ignore this topic?

Sure ;). However, we don't recommend it. With sanctions of up to 2% (or up to 4%) of annual sales, data protection breaches can become quite costly. So take a deep breath and get to it – once started, implementing the GDPR is not as hard as it might seem.

Don't panic :)

GDPR and your company

How your company is affected by the new data protection regulation

Record of processing activities

You are obliged to establish and maintain a record of processing activities as soon as you process personal data on a regular basis. This applies, for example, as soon as you manage contact data with a software application or track and analyze access data with Google Analytics.

In the record of processing activities, you specify how your company handles personal data. You list what kind of data is collected and how long this data is stored. Furthermore, you describe the security measures in place to protect personal data.

Contents of the record of processing activities

Basic details about your company

This part is quickly completed and consists of general data about your company, such as company name, contact details, registration number, name of your data protection officer etc.

List of the individual processing activities

Next, you list whose personal data is processed, in what way, to whom you transfer this data and how long the data is stored.

Technical and organizational measures

This section contains information about how your data is protected from loss and unauthorized access, e.g. through backups, encryption, access control etc.

Further Information & Examples

  • Information about the record of processing activities

  • Example record by the WKO

  • Information for German companies
    (with examples from page 29 onward)

Data Processing Agreements

In order to pass on personal data to your external service providers while complying with the GDPR, you have to conclude a data processing agreement. This ensures that third parties protect your data and process it in conformity with the law.

You have to conclude a data processing agreement with every company you pass personal data on to: from external accounting and hosting providers to Google & sternpunkt. In the latter case, please send an e-mail to – we'll gladly send you our data processing agreement.

Data Protection Officer

Do I need a data protection officer?

In Austria, it is only necessary to appoint a data protection officer if the core business of your company is to monitor people on a regular basis (e.g. banks or insurance companies), or if you are processing sensitive data (health data, genetic or biometric data, data of criminals etc.).

In Germany, you are required to appoint a data protection officer as soon as more than 10 employees of your company are regularly processing personal data.

Who can take over responsibility?

You can either appoint one of your employees as data protection officer or commission an external service provider. It is also possible to appoint a data protection officer voluntarily, who supports you on all topics concerning data protection and assists you in implementing the required measures.

A word of warning: If you appoint a data protection officer voluntarily, this appointment cannot simply be reversed.

Tip: To find out if you are required to appoint a data protection officer, it is often sufficient to call the WKO or – for German companies – ask your relevant chamber of commerce.

Let's go!

GDPR for Websites & Online Shops

How to get your online presence ready for the GDPR

Whether it's a website or an online shop: in order to comply with the GDPR, you will likely have to make some changes to your online presence. As a start, here are the most frequent adjustments:

Privacy Policy

Your privacy policy has to comply with the new GDPR regulations: inform users about their rights of disclosure, correction, deletion and withdrawal, and explain why you're collecting personal data.

Cookie Notice

Nowadays, every state-of-the-art website uses cookies. Inform your users about this fact with the help of a cookie banner. Then go into detail in your privacy policy about the personal data collected by cookies.

With the GDPR becoming effective, you are only allowed to collect personal data that is actually required in order to process a request. Review which data is mandatory and adjust your form fields accordingly. Furthermore, add a link to your privacy policy and state how you are using the required data.

In order to achieve legal conformity for your newsletter registrations, we recommend using a double-opt-in process. In your registration form, describe the contents of your newsletter and link to your privacy policy. If you use a third-party provider like Mailchimp or CleverReach, add this information to your privacy policy as well and sign a data processing agreement with your provider.

Google Analytics

Anonymize the IP addresses collected by Google Analytics to comply with the GDPR. In addition, enter into a data processing agreement with Google. Add information about the use of Google Analytics to your privacy policy and provide a possibility to opt out.

Facebook Pixel

As with AdSense and DoubleClick, inform your visitors in your privacy policy about the use of the Facebook pixel and provide a possibility to opt out. When using target audiences (custom audience or look-alike audience), your visitors have to actively agree to the processing of their personal data.

Google DoubleClick, AdSense & Co.

When using these tools, you should inform your visitors accordingly. Add the corresponding information to your privacy policy and provide the possibility to opt out. If you use personalised advertising, adjust your cookie notice accordingly.

Social Sharing Buttons

Whether it's "like" or "retweet": in order to comply with the GDPR when using social sharing buttons, implement a 2-click solution (e.g. Shariff).

Third-party plugins

Google Maps, Google Fonts or an Instagram plugin? As soon as personal data is processed by third-party plugins, you have to add this information to your privacy policy. If possible, we recommend giving your visitors the possibility to opt out.

Further Information

Useful links concerning the GDPR

For Austrian companies:

Further information, examples and handy checklists can be found on the website of the WKO:

An overview of all service offers of the WKO concerning data protection (like webinars or consulting) can be found here.

For German companies:

If you'd like to obtain a deeper level of knowledge concerning the GDPR, we recommend the T3N guidebook. It provides an overview written in language that non-lawyers can easily understand and contains many examples and templates:

Further questions?

No problem! Leave us a note, we're happy to help!

The small print:
The information on this page has been compiled to the best of our knowledge and refers to Austria unless mentioned otherwise. We do not guarantee the accuracy or completeness of the information. For specific legal questions concerning data protection, we kindly ask you to contact a certified data protection officer or a specialized lawyer.