Skip to main content

Every company must prepare for the GDPR, but not every company needs to prepare with the same intensity. Not all tasks need to be completed before 25 May, and not every activity is mandatory for every business.

The decisive factor is that the implementation of a GDPR project must be adapted to the concrete situation and risk potential at the respective company, i.e. that it is appropriate.

Three goals should be pursued: (1) to achieve an overview of the necessary tasks quickly, (2) to master the challenge as cost-effectively as possible, and (3) to optimize the output of the project over a short period of time.

If a GDPR project is approached in a targeted, structured and systematic fashion using suitable tools and templates, the challenges posed by the GDPR can be mastered quickly without overburdening employees or lapsing into activism, while the risk of penalties can be minimized and a high level of legal compliance assured.

Sourcing International supports businesses in understanding the ten essential GDPR to-dos, and shows how to design a GDPR project in three phases and structure the individual challenges sensibly into 24 work packages. Guidelines and infographics, forms, templates and online tools help to achieve an appropriate GDPR status quickly.

The Sourcing International method guarantees GDPR-readiness within a short time.

Phases and Methods

Phases 1 and 2 are carried out according to the proven PDCA methodology


Planning of the approach


Implementing actions


Gap analysis or effectiveness analysis


Full company-wide implementation and periodic review

The 20 Most Important Questions and Answers

In short, the GDPR must be observed by natural and legal persons who process personal data by automated means. In detail: The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (Art. 2 Para. 1 GDPR). In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used (Recital 15 GDPR). 

Personal data means any information relating to an identified or identifiable natural person (Art. 4 Para. 1 GDPR). It makes no difference whether the data themselves are to be additionally considered in need of protection, worthy of protection or sensitive. Data of legal persons are not protected by the GDPR. To clarify: The GDPR explicitly does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. While these 20 Q&A deal with the private sector, it should be noted that the GDPR does not apply only to the private sector.

The GDPR also applies to pseudonymised data (Art. 4 No. 5 GDPR) as they are considered personal data as well (Recital 26 GDPR). The only type of personal data that the GDPR does not apply to are anonymised data (Art. 2 Para. 1, Recital 26 GDPR). Whether encrypted data are anonymised or have merely undergone pseudonymisation cannot be answered unequivocally for all data, as the answer depends on the specific form of encryption used, as well as on whether there is a decryption key and who possesses it. 

Nevertheless, pseudonymisation and encryption are considered and encouraged as means of mitigating the risks of processing where appropriate (Recital 83, Art 6 Para 4 Subpara e, Art 32 Para 1 Subpara a, Art 34 Para 3 Subpara a GDPR). 

The GDPR also applies to backup and archived data. The regulation stipulates no exceptions from its area of application regarding archived or backup data.

The GDPR must be observed by private enterprises (cf. Answer 1) if they process personal data in an automated fashion within the EU. Specifically, the regulation must be observed if the processing takes place within the context of the activities of an establishment of a controller or processor within the EU, regardless of whether the processing takes place in the EU or not (Art. 3, Para. 1 GDPR). The GDPR applies to the processing of personal data of data subjects within the EU by a controller or processor not established in the EU only if the processing activities are related to: 

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of the behaviour of data subjects as far as their behaviour takes place within the Union (Art. 3 Para. 2 GDPR).

Although the GDPR only mentions EU Member States, the EEA countries that are not EU Member States are obligated to apply the GDPR as a condition for being part of the EEA.

The GDPR does not abrogate current principles of personal data processing. In particular, the GDPR maintains the four elementary principles of Directive 95/46/EC:

  1. Prohibition unless consent is obtained or processing is based on another legal ground (“”Processing shall be lawful only if and to the extent that at least one of the following applies ...””) (Art. 6 Para. 1 GDPR). This states a general prohibition unless authorised. 
  2. Purpose limitation (Art. 6 Para. 4, Art. 5 Para. 1 Subpara. b GDPR);
  3. Transparency (Art. 13 & 14 GDPR);
  4. Rights of data subjects (Art. 15 ff. GDPR).

Compared to Directive 95/46/EC, the GDPR does stipulate more obligations for data controllers and data processors in regard to their documentation of fulfilment of the GDPR requirements by organisational measures, as well as changes in the territorial scope of EU privacy regulation. In particular: territorial scope (Art. 3 GDPR), accountability (Art. 5 Para. 2 GDPR), obligations for controllers relating to the rights of data subjects (Art. 12 GDPR), obligation for organisation of the controller (Art. 24 GDPR), data protection by design and by default (Art. 25 GDPR) (combined with “”data minimisation”” (Art. 5 Para. 1 Subpara c GDPR)), data breach notification (Artt. 33 & 34 GDPR), data protection impact assessment (Art. 35 GDPR), consultation of controlling authorities (Art. 36 GDPR) and, within a defined scope, the data protection officer (Artt. 37 ff. GDPR), administrative sanctions (Art. 83 GDPR) as well as joint liability of controller and processor under the requirements of Art. 82 GDPR. This means that the fundamental new aspect is the principle of comprehensive obligations for documentation and organisation of the observance of data security at the controller (enterprise).

To browse the entire content, download the full "GPDR: The 20 Most Important Questions and Answers" publication.

Request Publication

About us

SOURCING INTERNATIONAL is not an exclusively Austrian undertaking. It is a joint venture formed by the fusion of Höllwarth Consulting and 42virtual. The two companies have existed for many years and have frequently cooperated successfully on large projects.

"The consolidation of experience in a close and professional cooperation allows SOURCING INTERNATIONAL to provide high efficiency and offer a broad spectrum of services."

Mag. Oliver Lindlbauer

Dr. Tobias Höllwarth is certified by Austrian Standards (GDPR Data Protection Officer)


Formular [EN]