> Please note that this template includes provisions specific to Germany, referencing the German Federal Data Protection Act (BDSG). Companies based outside Germany should adjust the content accordingly before using the template.
As part of your role, you may be required to process personal data or data that may potentially be personal, in accordance with data protection laws. This document outlines the key regulations relevant to your responsibilities. Any data you become aware of while performing your duties must not be used for personal gain or any other unauthorized purpose. This duty extends beyond your employment period. Deliberate or careless violations may lead to legal consequences.
Personal data refers to any information that can identify an individual, either directly or indirectly. Such data must not be collected, processed, shared, or used without proper authorization. Processing must always align with company guidelines. These include directives from supervisors, as well as documented instructions within the company’s quality management system, operational manuals, flowcharts, company agreements, and employee handbooks.
I, \
hereby agree to maintain the highest level of confidentiality concerning personal data and to only process such data according to the directives of \
Examples of prohibited actions include using mobile storage devices for personal data, taking printed data home, or sharing passwords with third parties. Additional guidelines on data protection can be found in:
- The company’s technical and organizational safeguards
- Company forms detailing employee responsibilities related to hardware use
- The company’s record of data processing activities
- \
This confidentiality obligation remains in effect even after my employment with \
I acknowledge that any breach of this obligation, or non-compliance with data protection laws such as Art. 83 of the GDPR or Sections 42 and 43 of the BDSG, may result in substantial penalties, including fines, imprisonment, and possible harm to individuals or entities, including the employer. Such violations may also breach employment contract terms and specific confidentiality clauses, potentially leading to disciplinary action, dismissal, or compensation obligations. Legal consequences may include personal liability for damages, and I may be liable without limit, with no opportunity for debt relief through insolvency. Other confidentiality obligations, including those outlined in the employment contract, remain applicable.
I have read and understood this commitment to confidentiality and compliance with data protection regulations:
\<Place, date and signature of employee>
\<Place, date and signature of supervisor>
I confirm that I have been made aware of the importance of this data protection obligation. I have been given the option to receive a copy of this agreement and additional information on data protection, including the text of Art. 29 GDPR, Art. 83 para. 4-6 GDPR, § 42 para. 1 and 2 BDSG, and § 43 para. 1 and 2 BDSG.
\<Place, date and signature of employee>
\<Place, date and signature of supervisor>
Annex: Additional Data Protection Information
- Processing as defined in the EU General Data Protection Regulation (GDPR) includes any operation or series of operations performed on personal data, with or without automated means. This includes actions such as collection, organization, storage, alteration, retrieval, use, sharing, transmission, dissemination, matching, restriction, erasure, or destruction. All processing must be based on a valid legal basis under Art. 6 GDPR and only for the specific purposes for which the data was collected.
- Personal data under the GDPR means any information that relates to an identified or identifiable individual. A person is considered identifiable if they can be directly or indirectly identified, for example, by their name, identification number, location data, online identifier, or specific attributes related to their physical, genetic, mental, economic, cultural, or social identity. The principles of the GDPR outlined in Art. 5 para. 1 must be followed and include:
- Processing must be lawful, fair, and transparent in relation to the data subject (“lawfulness, fairness, and transparency”).
- Data must be collected for specified, legitimate purposes and not processed in a manner that contradicts those purposes. Processing for archival, scientific, historical, or statistical purposes is permitted if compliant with Art. 89(1) (“purpose limitation”).
- Data collected should be adequate, relevant, and limited to what is necessary (“data minimization”).
- Data must be accurate and kept up to date; reasonable steps should be taken to ensure inaccuracies are corrected or deleted without delay (“accuracy”).
- Data should be kept in a form that allows identification of data subjects only as long as necessary for processing purposes, with the exception of archiving, research, or statistical purposes under Art. 89(1) with appropriate safeguards (“storage limitation”).
- Processing must ensure the data’s security, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage through suitable technical and organizational measures (“integrity and confidentiality”).
Art. 29 GDPR: Processing under the authority of the controller or processor
Individuals processing personal data under the authority of the controller or processor may only do so in line with instructions from the controller unless mandated by EU or member state law.
Art. 83 GDPR: Conditions for imposing administrative fines
(4) Violations of the following provisions may result in fines up to 10,000,000 EUR or, for companies, up to 2% of the total global revenue from the previous financial year, whichever is higher:
- Obligations of the controller and processor under Articles 8, 11, 25-39, and 42-43;
- Obligations of certification bodies under Articles 42-43;
- Obligations of monitoring bodies under Art. 41(4).
(5) Violations of the following may result in fines up to 20,000,000 EUR or, for companies, up to 4% of the total global revenue from the previous year, whichever is higher:
- Core principles for processing, including consent, under Articles 5, 6, 7, and 9;
- Rights of data subjects under Articles 12-22;
- Transfers of personal data to third countries or international organizations under Art. 44-49;
- Violations of member state law under Chapter IX;
- Non-compliance with supervisory authority orders or suspensions per Art. 58(2).
(6) Non-compliance with supervisory authority orders under Art. 58(2) may incur fines up to 20,000,000 EUR or, for companies, up to 4% of the total global revenue from the previous year, whichever is higher.
§ 42 BDSG: Penal provisions
(1) The following intentional and unauthorized actions involving personal data that is not publicly accessible may be punished with up to three years’ imprisonment or a fine:
- Transferring data to third parties;
- Making data accessible for commercial purposes.
(2) Unauthorized processing of personal data that is not publicly accessible, or obtaining such data by fraudulent means, may be punished with up to two years’ imprisonment or a fine if done intentionally with the aim of personal gain or of harming another person.
§ 43 BDSG: Administrative fines
(1) Negligent or intentional violations, such as failing to properly handle an information request as required by § 30(1) BDSG, may lead to administrative fines of up to 50,000 EUR.