M.23) Privacy

Category:        Privacy, Organizational, Operational

Responsible:   CTO, Privacy responsible

Effort:              10 hours

Based on:       “the law” [1], [2]

The following list is an enumeration of privacy-related tasks that should also be performed in a startup. If the startup grows in terms of employees and/or users, it is definitely good to have a privacy expert or lawyer review everything.

a) Privacy Responsible – The company should have a person responsible for privacy matters (referred to below as the “privacy responsible”). That does not mean that this person only handles privacy-related concerns; it means that this person is responsible for privacy within the company and is also the contact person for management and employees.

Every employee needs to know that he/she should contact this person in case of privacy-related questions.

b) Gain knowledge 1 – The privacy responsible should inform himself/herself about the Directive on privacy and electronic communications (incl. the cookie law) [3] and the Data Protection Directive [1] of the European Union, and about the actual implementation of these directives in the company’s country. A good place to start is Wikipedia, but it is recommended to read through the legal text (usually not more than a few pages). From the law the privacy responsible will also get an indication of the penalties in case of a conviction. In Austria the law which implements the Data Protection Directive is called DSG2000 [2], and the penalties can be up to a 1-year jail sentence or 25.000 Euro ([2], § 52).

c) Gain knowledge 2 – The privacy responsible should also inform himself/herself about upcoming changes to laws and regulations, like the new EU General Data Protection Regulation. If decisions have to be made, it is good to make them future-proof [4].

d) Gain knowledge 3 – The privacy responsible should look at the services of other companies in his/her country and how they implement the different privacy laws. Many companies have a so-called “Privacy Policy” on their website which is referred to in the terms and conditions. In this policy they inform users which personal data they collect and how the data will be transmitted, processed and stored.

e) Plan privacy topics – The privacy responsible and the founders (management) should hold a privacy kick-off meeting in which they plan how and when to create and implement the privacy policy.

f) External Privacy Policy – The privacy responsible should create a privacy policy for the company’s product, which documents which kind of data the company collects, transmits, processes and stores. According to [3] it is also necessary to inform users about third-party cookies. Those are cookies set by third-party services which are included in the company’s source code. An example of such a service is Google Analytics, which is used by a great majority of websites.

g) Internal Privacy Policy – The privacy responsible should create a privacy policy for the company itself, which documents which kind of data the company collects, transmits, processes and stores. In contrast to the external privacy policy, the internal one also covers all processing of internal data. Example: if a company has employees, it also needs to process the personal data of those employees for human resource management and payroll accounting.

The internal privacy policy should also state which roles are allowed to access and modify which data. A person with access to personal data should have some kind of contract with the company (employment contract or cooperation agreement).

Beyond what the external privacy policy covers, the internal policy should also state what is strictly prohibited.

Examples:

  • Personal data may not be imported, used or processed in any way by tools and services which are not on the company’s software inventory list.
  • Personal data may not be stored on unencrypted mobile devices (smartphone, USB stick, hard drive, laptop, etc.) or on devices which are not on the company’s IT inventory list.

The internal privacy policy can be quite short for startups, but it will grow with the company. Once the policy has more than a few pages, a summary for the employees should be made. The experience of the author shows that no employee will read or remember policies with more than 5-10 pages.

h) Document privacy related decisions – Every privacy-related decision which is not part of the security policy should be documented. This needs to be done for the preservation of evidence.

i) Ensure that personal data is protected and secure – The privacy responsible should work together with the security responsible to ensure that all personal data is subject to authentication, access control, logging and backup ([2], § 14 (1)).

j) Manage privacy topics – The privacy responsible should help other employees in case of questions. He/she should be the contact person and the responsible if a new application which processes personal data is installed, or if data is to be processed by other companies or in other countries. Contrary to the common practice of collecting as much data as possible, the privacy responsible should ensure that as little personal data as possible is collected. Sometimes it might be possible to remove the link between the data and the data subject (see also “privacy by design” [5]).

k) Inform management – The privacy responsible should give regular status updates regarding the implementation and maintenance of the privacy policy.

l) Register personal data processing – The privacy responsible should register all of the company’s applications which process personal data. This has to be done with the supervisory authority. (This step depends on the country in which the company is located.)

m) Spread knowledge (trainings) – The privacy responsible should train the other employees and the management regarding privacy topics and the privacy policy.

n) Data Breach Notification – In case personal data gets lost or is stolen, the company has to inform the affected data subjects ([2], § 24 (2a), in force since 2010). In the future (GDPR, [4]) it will also be necessary to inform the country’s supervisory authority.


Outsourcing, data transmission to third parties and 3rd party code

The following process is an overview and might not fit every country of the European Union. Nevertheless, a startup that follows this process should be on the safe side.

Startup Privacy Process

If data is to be sent to or processed by third parties, or if third-party code (like Google Analytics, Mixpanel or jQuery) is to be included in the company’s software, the privacy responsible needs to check a couple of things:

a) Is data transmitted to the external entity (the other company)?

  • Yes – Proceed with the next question.
  • No – Ok, then there is no problem from the privacy point of view. (The security responsible still has to check all security aspects of the third-party code.)

b) Can it be ensured that the transmitted data is not sensitive?

  • Yes – Proceed with the next question.
  • No – In some countries the company needs a prior check (pre-audit) by the supervisory authority in this case. The privacy responsible needs to find out what actions his/her company needs to take in such cases. It is important to do this prior to the activation of the service, since there might be high fines in case of violations (in Austria up to €10.000).

After clarification, proceed with the next question.

c) Can it be ensured that the transmitted data is not personal?

  • Yes – Ok, then there is no problem from the privacy point of view.
  • No – The data subject has to be informed about the transmission, the processor and the purpose, and has to give his/her consent.

Alternatively, any data which identifies the data subject can be removed. The transmitted data would then no longer be personal data, because there is no relation between the data and a person (caution: in Germany the IP address is also personal data).

Additionally, the company (which is in the “controller” role) has to sign a contract with the third party (which is the processor of the data), in which the duties of the processor are described. This needs to be done for the preservation of evidence. The Austrian supervisory authority has created a model contract which can be used in such cases [6].

Now proceed with the next question.

d) Can it be ensured that the other party only collects personal data to which the data subject has given his/her consent?

  • Yes – Proceed to the next question.
  • No – It has to be understandable for the data subject what personal data is processed by the 3rd party. One possibility is to refer to the 3rd party’s privacy statement within your own privacy policy. If the other company does not have a privacy statement and it is not obvious what data will be processed (also in the future, with new releases), then the 3rd party service should not be used.

Proceed to the next question.

e) Is the other company located within the European Economic Area?

  • Yes – Nothing further to do.
  • No – Proceed to the next question.

f) Does the other company have a Privacy Shield certificate (US companies only), or is it located in a country which provides an adequate level of privacy protection (as determined by the government)?

In Austria those countries are Argentina, Canada, Switzerland, Guernsey and Isle of Man [7].

  • Yes – Nothing further to do.
  • No – The company needs to get approval from the supervisory authority in the company’s country.
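The “remove identifying data” option under step c) above (and the data minimisation asked for in task j)), as an added example that is not part of this guide: a small Python routine that strips direct identifiers, truncates the IP address (which the text notes is personal data in Germany) and replaces the internal user ID with a keyed hash before an event is handed to a third-party analytics service. The field names, the sample event and the secret key are constructed for the example; whether the result still counts as personal data in your jurisdiction remains the privacy responsible’s call.

```python
import hashlib
import hmac
import ipaddress

# Fields the third-party service never needs; dropped before transmission
# (constructed list, adjust to your own data model).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "street"}


def anonymize_ip(ip: str) -> str:
    """Zero the host part of the address: keep /24 of IPv4, /48 of IPv6.

    The result still says roughly where the visitor came from but no
    longer points at a single connection.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_user_id(user_id: str, secret: bytes) -> str:
    """Replace the internal user ID with a keyed hash (HMAC-SHA256).

    The third party sees a stable but opaque token; only the controller,
    who keeps `secret` in-house, can relate it back to a person. That
    makes the value pseudonymous, not anonymous.
    """
    digest = hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def prepare_for_third_party(event: dict, secret: bytes) -> dict:
    """Return a copy of `event` reduced to what an external processor gets."""
    out = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    if "ip" in out:
        out["ip"] = anonymize_ip(out["ip"])
    if "user_id" in out:
        out["user_id"] = pseudonymize_user_id(str(out["user_id"]), secret)
    return out


# Constructed sample event as the web application might log it.
SAMPLE_EVENT = {
    "user_id": 4711,
    "name": "Alice Example",
    "email": "alice@example.org",
    "ip": "203.0.113.77",
    "page": "/pricing",
}

if __name__ == "__main__":
    # The key stays on the company's own systems (constructed value).
    print(prepare_for_third_party(SAMPLE_EVENT, b"internal-secret-key"))
```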


Infrastructure, platform and Software as a Service (IaaS, PaaS, SaaS)

Basically all three terms relate to outsourcing, which was already discussed in the section above. Because outsourcing of IT infrastructure and IT services is very popular among startups (more or less state of the art), the privacy aspect of this topic is considered separately in this section.

IaaS, PaaS

A great majority of startups use external cloud infrastructure to host their website or online services instead of buying the hardware themselves. The reasons are the numerous advantages described in M.20 together with the security topics. Nevertheless there is one drawback: PRIVACY. All the data is stored on external servers which are not under the control of the company which is responsible for it. This is especially an issue because the most popular and biggest players on the IaaS and PaaS market are all from the US:

  • Amazon Web Services
  • Google Cloud Platform
  • Microsoft Azure Cloud
  • IBM Cloud Computing
  • Rackspace
  • VMware
  • Red Hat
  • Oracle Cloud

Of course each of these cloud service providers offers data centres within the EU or holds a Privacy Shield certificate, which allows European companies to use their services without approval from a local authority. But what does this really mean for companies within the EU? The following section answers this question based on research into Amazon Web Services (AWS).


How Amazon Web Services implements Directive 95/46/EC [1]

As for all the other big players, it is very important for Amazon Web Services (AWS) to be compliant with the EU data protection regulations. This is why they have set up a webpage and created a white paper dedicated to this topic; both can be found in [8].

Responsibilities

If the customer stores or processes personal data on AWS infrastructure, the customer takes over the role of “controller” or “processor”, depending on whether the customer triggers the processing or the processing is requested by another party. In both cases the customer is responsible for ensuring that the data is processed according to the laws of his country.

AWS Security

AWS is only responsible for “security of the cloud”, while the user of the cloud services is responsible for “security in the cloud”. That means that Amazon is only responsible for the infrastructure and not for elements which can be configured by the user, like the operating system, applications, firewall, etc. AWS implements various information security standards, like ISO/IEC 27001, and also makes great efforts to make its cloud infrastructure a very secure environment. The details can be found in [9]. It is very unlikely that a startup can implement and configure better security mechanisms for IT infrastructure than the experts of AWS have over the last years.

AWS Regions

AWS builds its data centres in clusters in different countries around the world. The clusters are called regions, and two of the eleven regions are situated in the EU: Ireland and Germany (Frankfurt). Customers can choose one or more regions where their content will be hosted, and AWS will not replicate/copy/backup the data into another region unless the customer explicitly wants AWS to do so. This way it is possible for European customers to deploy their services exclusively within the European Union.

Access to customer data from AWS employees

AWS does not know what kind of data its users are storing on its infrastructure and does not differentiate between personal data and other data. Therefore it has implemented all security measures for any kind of data.

AWS employees do not access a customer’s data unless it is necessary for a certain service the customer requested.

Access to customer data from governments

Amazon, like any other company, has to follow the laws of the country it operates from and of the country where the data is stored. That means that Amazon has to comply with the U.S. Patriot Act and has to provide information to the US government if it makes a request with a valid court order. Furthermore, AWS has implemented mechanisms which prevent access to customer content by its employees [10].

Data processing addendum and Model Clauses

Hint: The data processing addendum is also called “Auftragsdatenverarbeitungsvereinbarung” in Germany (§11 BDSG) or “Dienstleistervereinbarung” in Austria (§11 DSG2000).

If AWS customers want to process personal data on AWS infrastructure, a so-called data processing addendum has to be set up between AWS and the customer. Since March 2015 the data processing addendum also includes the Model Clauses. This means that an AWS customer who needs to transmit personal data to a country outside the European Economic Area can now simply sign the AWS data processing addendum [10].

Of course there are also good European cloud service providers, like 1&1, UpCloud, CityCloud, CloudSigma, vCloudAir, etc. But compared directly with the top US providers they have significant price and feature deficits (author’s analysis on 01.08.2016), and the key drawback for a company is still there: company secrets might be stored on external servers and databases. The only real advantage is that the US government is not able to get access to the company’s data.

My recommendation:

Usage of IaaS and PaaS providers is legitimate for many reasons, and there are also no real limitations regarding the protection of personal data, even if services of the major US providers are used. However, for storing company secrets, or if a company collects sensitive data, the author recommends using own hardware and not the infrastructure of external service providers. Employees of service providers can be bribed to extract data from your servers and pass the information to an interested party. Of course the company’s own employees can do the same thing, but with a proper setup it is more likely that the company will notice an internal security breach. It cannot be ensured that the service provider makes such incidents public when it notices them, because such events would lead to a huge loss of trust from (potential) customers.


SaaS

Usage of Software as a Service tools like Gmail, Trello, Google Drive, Google Docs, Dropbox, Slack, Salesforce, Google Analytics, etc. is also standard for many companies and startups. Again there are many advantages, like free usage, easy collaboration and access from anywhere, but there is the privacy drawback (and this time there might also be a security drawback in some cases).

Is it wise to process company secrets and personal data with all these kinds of online tools? Unlike the Infrastructure as a Service providers, the companies behind those tools do not always promise that they have no access to the user’s data. If this is the case, the author strongly suggests prohibiting the processing of personal data and company secrets with such services. If the other company does ensure that it uses strong access control mechanisms (even for its own employees) and complies with the EU privacy directives, then there should be no problem processing personal data with such services. Even in this case, however, the author’s recommendation is the same as in the previous section.

Attention: If SaaS apps like Dropbox or Slack offer the integration of other 3rd party applications, then it is also necessary to check the privacy policies of those applications.


References

[1] European Parliament and Council, Directive 95/46/EC, 1995.

[2] Datenschutzgesetz 2000, Fassung vom 24.09.2016.

[3] European Parliament and Council, Directive 2009/136/EC, European Union: EUR-Lex, 2009.

[4] European Parliament and Council, Regulation 2016/679, European Union, 2016.

[5] P. Schaar, “Privacy By Design,” Identity in the Information Society, [Online]. Available: http://www.bfdi.bund.de/SharedDocs/Publikationen/”PrivacyByDesign”.pdf?__blob=publicationFile. [Accessed 01 10 2016]

[6] “Austrian Supervisor Authority,” [Online]. Available: https://www.dsb.gv.at/site/6208/default.aspx. [Accessed 03 10 2016]

[7] Wirtschaftskammer Österreich, “Datenverkehr mit dem Ausland,” [Online]. Available: https://www.wko.at/Content.Node/Service/Wirtschaftsrecht-und Gewerberecht/Verwaltungs–und Verfassungsrecht/Datenschutz/Datenverkehr_mit_dem_Ausland.html. [Accessed 01 10 2016]

[8] Amazon Web Services, “EU Data Protection Whitepaper,” [Online]. Available: https://aws.amazon.com/de/compliance/eu-data-protection/. [Accessed 08 07 2016]

[9] Amazon Web Services, “AWS Security Whitepaper,” [Online]. Available: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf. [Accessed 01 08 2016]

[10] Amazon Web Services, “AWS EU Data Protection Whitepaper,” [Online]. Available: https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper.pdf. [Accessed 15 08 2016]
