German ROPA Compliance

Jurisdiction-aware Article 30. Structured for Germany.

Seven stages extend the Article 30 register with BDSG and DSK requirements — structured Löschkonzept, DSK-categorised TOMs, Betriebsrat tracking, six-area compliance scoring, and a 7-sheet Verzeichnis export formatted for German supervisory authorities.

Get started →

Acompli German ROPA Compliance Brochure — page 1

View brochure

The German overlay

From jurisdiction detection to DPA-ready export

Each stage adds German-specific governance on top of the standard Article 30 register. The overlay adapts the UI, AI extraction, validation, and export format — all from a single configuration.

StartDetect

German requirements applied automatically

Create an entity with jurisdiction DE or assign a German supervisory authority. The BDSG/DSK overlay activates — field visibility, requirement levels, AI guidance, and export format all update.

Organisations with entities in Germany, Ireland, and the UK see the correct requirements for each. Detection works from supervisory authority codes, ICO registration, or explicit jurisdiction assignment.

Supervisory authorityBfDI or Landesdatenschutzbehörde code activates the German overlay

Jurisdiction codeDE maps to BDSG/DSK, IE to DPC, GB to ICO — automatic per entity

AI extraction adaptsThe AI receives German-specific guidance and populates BDSG fields during extraction

No manual templatesNo template selection or configuration — jurisdiction drives everything

01Extend

Nine additional fields for German entities

The overlay adds nine structured fields on top of the standard Article 30 set. Each has a defined requirement level — mandatory, expected, or recommended — based on BDSG and DSK guidance.

Rechtsgrundlage (legal basis) is promoted to mandatory for German entities — including BDSG § 26 for employment data and § 22 for special categories. All fields are structured forms with defined components, so completeness is measurable.

LöschkonzeptStructured deletion rules — retention periods, legal bases, triggers, methods

TOMs (Art. 32 / DSK)Security controls by DSK category — confidentiality, integrity, availability, resilience

Betriebsrat (§87 BetrVG)Works council consultation status, date, and Betriebsvereinbarung reference

RechtsgrundlageExtended legal basis including BDSG § 26 and § 22 provisions

ZweckbindungPurpose limitation with compatibility assessment per Article 6(4)

Betroffenenrechte & MeldepflichtData subject rights procedures and breach notification path

DSFA-VerknüpfungLinks to associated DPIAs with risk assessment outcomes

Datenherkunft & RichtlinienData sources and linked internal policies with version tracking

02Löschkonzept

Structured deletion concept per processing activity

The Löschkonzept captures per-category deletion rules as a structured form — retention periods, legal bases, deletion triggers, methods, and verification. Each data category gets its own entry.

Teams define retention per category (e.g., 6 years post-employment for payroll per §257 HGB), the deletion method, who is responsible, and how deletion is verified. Incomplete entries are flagged as NICHT DOKUMENTIERT in the dashboard and export.

Löschkonzept — Personalverwaltung

OverviewComplete

Per-category rules4 categories

Retention periodsDefined

Legal basesLinked

Deletion triggersDefined

Deletion methodPartial

VerificationDefined

Last reviewed2026-03-15

Structured →Each component is a defined field — completeness is scored, gaps are flagged

03DSK TOMs

Security measures organised by the DSK framework

Article 32 technical and organisational measures are structured into five DSK categories — each with defined control areas. The platform maps your measures to this structure and flags coverage gaps.

Acompli supports framework references including ISO 27001 and BSI IT-Grundschutz, so teams can cross-reference existing certifications against DSK expectations.

Vertraulichkeit

Confidentiality

Access control, encryption, pseudonymisation, physical security, and data separation

Integrität

Integrity

Input control, transfer control, logging and monitoring

Verfügbarkeit

Availability

Backup, recovery, and business continuity measures

Belastbarkeit

Resilience

Capacity planning, stress testing, and failover procedures

Verfahren

Procedures

Incident response, vendor assessments, staff training, and formal testing

04Betriebsrat

Works council consultation tracking

For processing activities involving employee data, the register captures whether the Betriebsrat was consulted, the consultation date, and any Betriebsvereinbarung reference — per §87 BetrVG.

Activities that involve employee monitoring or performance evaluation without documented consultation are flagged in the compliance dashboard.

Consultation status

Ja / Nein / Nicht zutreffend — tracked per processing activity with date and contact.

Betriebsvereinbarung reference

Link to the applicable works council agreement (e.g., BV-2026-003).

Gap flagging

Activities requiring consultation without documented status are surfaced in the dashboard.

Consultation status

PendingConsultedApprovedN/A

05Score

Six-area compliance scoring for German entities

A dedicated German dashboard scores each processing activity across six areas. Completion percentages are visible at entity level and in the Deckblatt (cover sheet) of the export.

Three requirement tiers — mandatory, expected, and recommended — make it clear where to focus effort. The dashboard filters to German-jurisdiction entities with expandable activity rows showing all German-specific fields and status indicators.

Löschkonzept

Deletion concept

Per-category retention rules, deletion methods, and verification

TOMs

Security measures

DSK 5-category coverage with gap identification

Richtlinien

Policies

Internal policies linked, current, and version-controlled

Zweckbindung

Purpose limitation

Purpose-to-legal-basis linkage per processing activity

Betriebsrat

Works council

Consultation documented where required under §87 BetrVG

DSFA

DPIA linkage

Datenschutz-Folgenabschätzungen completed and linked

06Export

7-sheet Verzeichnis export in one click

The German export generates an enterprise-ready XLSX workbook with seven sheets — structured for supervisory authority review and ready to hand to an auditor without reformatting.

The Herkunftsnachweis sheet documents where each value came from — manually entered, imported, or AI-drafted and confirmed by your team — providing an auditable provenance trail.

Verzeichnis Export — 7 Sheets

1. DeckblattCover

2. VerarbeitungstätigkeitenRegister

3. LöschkonzeptDeletion

4. TOMs (Art. 32)Security

5. RichtlinienPolicies

6. BetriebsratCouncil

7. HerkunftsnachweisProvenance

Export →DPA-ready workbook with compliance summary, gap flags, and AI source provenance

Included capabilities

Practical features for German Article 30 compliance

🔍

Auto Jurisdiction Detection

Supervisory authority code or jurisdiction assignment activates the correct overlay per entity.

🗑️

Structured Löschkonzept

Per-category deletion rules with retention periods, legal bases, triggers, and verification.

🛡️

DSK-Categorised TOMs

Article 32 measures structured across five DSK categories with gap identification.

👥

Betriebsrat Tracking

Works council consultation status, dates, and Betriebsvereinbarung references per activity.

📊

Six-Area Scoring

Compliance scoring across Löschkonzept, TOMs, Richtlinien, Zweckbindung, Betriebsrat, and DSFA.

📤

7-Sheet Verzeichnis Export

DPA-ready workbook with compliance summary, gap flags, and AI source provenance.

See German ROPA compliance in action

BDSG-specific fields, six-area compliance scoring, and a 7-sheet Verzeichnis export — jurisdiction-aware, connected to your assessments and risk register in one platform.

Get started →Book a demo