Data protection training for employees

We would like to remind you of the topic "Employee training in data protection law".

Do all employees of a company have to receive data protection training?

According to data protection regulations, all employees of a company must receive training in data protection law. This is derived from various provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

Why is data protection training useful for a company?

The most important reason is that employees can only comply with data protection law if they know the legal rules and regulations. This knowledge of data protection law is imparted to the employees in the data protection training.

Another reason is that data protection training eliminates many reservations and prejudices about data protection law.

Who must carry out the data protection training?

The data protection training must be provided by the controller within the meaning of Art. 4 No. 7 GDPR. This means that the natural or legal person, authority, institution or other body which alone or jointly with others determines the purposes and means of the processing of personal data is obliged to arrange for the data protection training.

Often, this is the company, the entrepreneur or the employer.

The data controller must also ensure that data protection training is provided. It is explicitly not the task and duty of a company's data protection officer to arrange and/or conduct data protection training in the company. It was even disputed for a long time whether the data protection officer of a company may conduct data protection training at all. However, this legal question has now been clarified.

An external service provider, the data protection advisor and also the external data protection officer can carry out the data protection training for the controller.

However, the controller must arrange and commission the training.

In short: The company/entrepreneur/employer must arrange and conduct the data protection training(s).

When does data protection training have to take place?

In principle, every employee in a company must be trained in data protection law. Whenever a new employee starts working in the company, a general training/basic training of the employee must take place. The implementation of the training should be noted in the personnel file.

How often does data protection training have to take place in the company?

There should be regular updates and follow-up training for all staff. A period of between 6 months and one year should be chosen between trainings. A risk-based approach should also be taken. Sensitive departments, such as HR, marketing, IT, purchasing and sales, should be trained more frequently, as sensitive personal data is sometimes handled in these departments.

Other departments that handle personal data to a lesser extent or do not process sensitive data do not need to be trained as frequently.

What content must data protection training have?

The training must deal with data protection in the company.

Your employees must be made aware of which personal data is processed in the company, which data processing is permissible, which is not and how to deal with data protection violations.

Depending on the department, special content can, should and sometimes must also be covered. For example, the staff of the human resources department should be trained specifically on issues of employee data protection.

What is the scope of data protection training?

The scope of data protection training is not regulated by law.

At least "basic training" is required. Employees should be made aware of how to handle personal data. It is therefore recommended that a basic training session be conducted first, lasting between 30 minutes and 1 hour. Afterwards, the employees should have the opportunity to ask their questions.

How must training be provided?

There is no legal requirement on how to train.

The training can take place as on-site classroom training, via a software solution or via a video platform with presentation.

We ourselves have already conducted data protection law training at our clients' premises in every form. Given the current Corona situation, we currently conduct most training via video systems with corresponding online presentations.

Do you and/or your company have training needs?

We are happy to conduct data protection training (basic and/or update training) for your employees.

You decide in which form the training should take place (face-to-face or online training). We coordinate the training content with you, depending on whether the entire company or individual departments are to be trained. We will be happy to advise you on this issue.

In smaller companies, joint training for all employees has proven successful, and in larger companies, separate training for the employees of the individual departments.

If you have any questions or training needs in your company, please contact us. We have kept some training dates "free" for our clients this year.

With kind regards

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for industrial property protection

Specialist lawyer for information technology law
