Internal Data Protection Policy
The privacy notice is an external document aimed at data subjects (such as customers, employees, etc.). It transparently informs them which personal data is processed, for what purpose, on which legal basis, and for how long, what rights data subjects have, and whom to contact with data protection questions or complaints. It is typically published on the website or as part of contracts. Important to note: a privacy notice is strictly information provided to the data subject, not a contract. This distinction is often misunderstood.
The data protection policy is an internal document that establishes the rules, responsibilities, and procedures for handling personal data within the company. It is intended for employees and serves as a binding guideline on how data protection should be practically implemented in daily operations.
An internal data protection policy aims to translate legal data protection requirements (e.g., GDPR) into specific company guidelines. It defines:
- Rules for handling personal data so that employees know how to act in compliance with data protection laws.
- Clear processes and responsibilities to ensure quick workflows and minimize errors.
The benefits of an internal data protection policy include:
- It serves as proof of compliance, as the company can show during an inspection by the data protection authority that it has taken organizational measures. This is also important from the perspective of management’s liability.
- When communicated properly, it raises awareness of data protection within the company.
An internal data protection policy does not go into detail but should be understood as a strategic document. It outlines the general direction in which the company should develop from a data protection perspective. The following points should at least be covered:
- Purpose and scope (What is the objective of the data protection policy, and who is it applicable to?)
- Principles of data processing (Lawfulness, purpose limitation, data minimization, storage limitation, integrity, and confidentiality)
- Responsibilities (Who is responsible for what?)
- Procedures for data collection, processing, and deletion
- Technical and organizational measures
- Handling data subject rights
- Reporting data protection incidents (What should be done in the event of a data breach?)
- Training and awareness (How are employees informed and trained?)
- Sanctions (What happens in the event of violations of the policy?)
Ideally, the data protection policy should be communicated to each employee with proof (e.g., through signature or using a consent-tracking tool). It is important that the data protection policy is freely accessible to all employees and that they know how to view it. A dedicated contact person for data protection questions is beneficial, and the contact details should be known to all employees.
Dedicated data protection training, aligned with the content of the data protection policy, ensures that employees have understood the material.
We are currently working with Metasoul on a way to create an internal data protection policy tailored to your company. This feature will be available in the Metasoul Business package at no additional cost.