What companies need to consider for secure data storage according to GDPR (2023)

By: Caroline Schmidt

Expertly checked by: Attorney Soren Siebert


The essentials in brief

  • Data storage includes archiving and storing files. When backing up the data, the information is additionally backed up.
  • Companies that deal with sensitive personal data must observe the legal provisions of data protection law.
  • Our partner law firm Siebert Lexow takes care of your data protection concerns and ensures that you do not receive any warnings.


What is this about?

Over the past two decades, data storage has undergone a transformation. Up to now, companies in particular have mainly backed up their data on their own servers or data carriers. Nowadays they are increasingly turning to external service providers with high-performance servers. High data security, fast write and read access and unlimited expansion of storage capacity are just a few of the advantages. But which storage medium should you rely on for your company? What disadvantages do the various options have? And what do you need to pay attention to in terms of data protection when storing data and in the event of data loss? You can read more about this in our article.

1. Data Storage and Backup: What's the Difference?

At first glance, the term data backup could be a synonym for data storage. But can the terms really be used synonymously? What is data storage? When storing data, data is archived and stored for the long term. The data remains unchanged.

And here is the difference to data backup: Sensitive data from companies should not only be stored, but above all secured. Not every storage location is therefore suitable for data backup.

To guard against a defective data carrier, to comply with the GDPR and to ensure IT security, data must be regularly copied to different media. This is called a backup. For example, if the data is no longer accessible on an external hard drive because the hard drive is defective, you can still access the data provided you have made a backup.

How does data storage work?

Information is stored on a data memory. This allows the user to read the information at any time. To save the files, a storage medium or a disk is needed.

There are various ways of storing data digitally, from external data media such as hard drives to cloud-based or self-hosted servers. You can read about the advantages and disadvantages of data storage in different storage locations in the third chapter of this article.

2. Data storage according to GDPR: What companies have to pay attention to legally

On-site tracking is a popular marketing tool. However, if you use tracking software on your site to collect information from your users or customers, the data collected must be anonymized or pseudonymized, as the General Data Protection Regulation prescribes.

It is important that you always give your website visitors the option of an opt-out in the cookie banner, so that the user can actively refuse tracking and cookies.

For companies, secure data storage is important. Once you as a company collect, store and manage personal data, the strict rules of the General Data Protection Regulation (GDPR) apply. In principle, you may only process personal data if the processing pursuant to Art. 6 Para. 1 GDPR is required by law. Otherwise you have to obtain consent from the individual whose personal data you want to process.

Above all, the purpose of the data collection must be specified before the data is stored. Different kinds of information can be stored. This can be a person's name and address, as well as their date of birth and e-mail address.

Do you need help and support with GDPR and data protection for your company? Our partner law firm Siebert Lexow (https://www.kanzlei-siebert.de/) is at your side with advice and action.


Data storage: How long is data stored?

When it comes to how long personal data is stored, the purpose plays a crucial role. According to the GDPR, the data may be stored only for as long as it is needed. The principles of storage limitation (Art. 5 Para. 1 lit. e GDPR) and the principle of data minimization (Art. 5 Para. 1 lit. c) play a decisive role here. As soon as the purpose no longer applies, the data records must be deleted immediately (Article 5 (1) (b) GDPR).

Example: A customer of your online shop registers with his e-mail address for the newsletter. You may store the e-mail address for the purpose of sending the newsletter e-mails. However, as soon as the customer unsubscribes from the newsletter, you must delete their personal data.

This is to ensure that personal data is never stored longer than necessary. Further deletion obligations result from Art. 17 GDPR. Accordingly, data subjects can have their data deleted upon request or revoke their consent. If you do not comply with this request as a company, you must expect fines and claims for damages.

Here it is advantageous if you set up a deletion concept for data storage in your company. In this way, you can keep an eye on the corresponding deadlines for the files and regulate corresponding responsibilities among employees.

Interesting: In addition, there are statutory retention requirements for companies. This includes, for example, the storage of trading books and invoices for ten years, even if they contain personal data from customers.

How do you need to protect the data while it's in storage?

Basically, you can store the records both electronically and in paper form. Separation from the data that is still actively used is particularly useful for data that you store solely because of the statutory retention obligation.

3. Data storage options

In order to store data securely in electronic form, you need storage devices. These primarily include DAS storage (direct attached storage) and network-based data storage (NAS). How exactly these work and what advantages and disadvantages they offer can be read below.

Direct Attached Storage (DAS storage)

When you back up records to DAS storage, the information resides on a storage medium connected directly to the PC. As a user of the computer, you have direct access to the data medium. This can be, for example, CDs and DVDs, hard drives, flash drives or solid-state drives (SSDs).

As a file system, DAS storage is particularly suitable for backing up local records. If you want to call up the data together with other people at the same time and/or from any location, this variant is not suitable.

In addition, with this form of data storage, you should be aware that the data media can lose information over time due to chemical decomposition processes. This period of time varies depending on the data medium.

Network-based data storage

As the name suggests, data storage takes place here in a network. Above all, this cloud data storage offers the advantage that several users can work at the same time and access the data regardless of location. Because the information is backed up on a server at a different location, this online data storage is more secure than that using DAS storage.

Network-based storage includes, for example, Network Attached Storage (NAS) and the Storage Area Network (SAN). NAS systems are server services that provide the appropriate file systems that you can access via LAN or WLAN. The data storage consists of one or more server-independent hard disks.

SANs, also called storage area networks, were developed mainly for high-speed transfers of large amounts of data. SAN is an extension of DAS storage. Using SAN, several servers can be connected to several storage systems via a network.

DAS storage and network-based data storage in comparison

In our table you can compare the advantages and disadvantages of the individual data storage options:

DAS storage

(Direct Attached Storage)

Network-based data storage



read and write speed



very fast, safe from overload

location independent




security of the data

without a backup, the data can no longer be accessed if the hard disk is defective (can be remedied with a RAID system)

very safe if you have more than one drive

very secure, distributed across multiple physical data stores



Operation: cheap

Acquisition: expensive

very expensive

file access

by a user

at the same time by restricted users

simultaneously by several users

memory expansion


limited expandability

arbitrarily expandable

IT skills

not necessary

not necessary


company size

small and medium-sized companies

small and medium-sized companies

large companies

4. Enterprise Data Storage: Redundant Data Storage (RAID)

As these individual systems of data storage show, it is particularly important for companies to back up the data multiple times so that it does not get lost. A so-called RAID is redundant data storage on different hard drives. This increases protection against data loss.

Example: A hard drive has a hardware defect. If you have also backed up the records to other hard drives, you can still easily access the data. If you have only saved the data on the defective hard disk, it may be broken or incomplete.

RAID can be subdivided into different levels:

  • RAID-0: Increased speed by dividing the data sets on two hard disks. In the event of a failure, the data is lost because both hard drives contain different data.
  • RAID-1: Protection against failure by storing the identical data sets on two hard disks. If one hard drive fails, the data is still available on the other.
  • RAID-5: Data packets are split across three or more hard drives. Parity data is used to check whether there have been any losses during storage. This is how they can be restored. However, if two or more hard drives fail, the data is lost.
  • RAID-6: Data storage on at least four hard drives, two of which are used as data backup media. Data packets are otherwise divided. A failure of two hard drives at the same time is therefore not a problem.
  • RAID-10: Mixture of level 0 and 1. Storage of the identical data packets on two hard disks. If two specific hard drives fail, the data is still secured. The writing and reading speed here is faster than at level 6.

However, you should note that a RAID cannot replace a backup. With a RAID, the data sets are only protected in the event of a hard disk failure. Software bugs and viruses, however, can still cause data loss.
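The RAID-5 parity idea and the reason a RAID is not a backup, as an added example that is not part of the original article. It models a single stripe with XOR parity held in a fixed position (real RAID-5 rotates parity across the drives); the function names and the sample blocks are assumptions made for illustration.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length byte blocks together, byte by byte."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def make_stripe(data_blocks):
    """Return one stripe: the data blocks followed by their parity block."""
    if len({len(b) for b in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must have the same length")
    return list(data_blocks) + [xor_blocks(data_blocks)]

def stripe_is_consistent(stripe):
    """An intact stripe XORs to all zeros once parity is included."""
    return not any(xor_blocks(stripe))

def rebuild(stripe):
    """Rebuild a stripe whose failed disks are marked None.

    One missing block can be recomputed; two or more cannot.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) > 1:
        raise ValueError("more than one disk failed: stripe cannot be rebuilt")
    repaired = list(stripe)
    if missing:
        repaired[missing[0]] = xor_blocks([b for b in stripe if b is not None])
    return repaired

# Constructed sample data: three data disks plus one parity disk.
DATA = [b"cust", b"omer", b"-rec"]

def demo():
    stripe = make_stripe(DATA)
    # Disk 1 fails: its block is recomputed from the survivors.
    recovered = rebuild([stripe[0], None, stripe[2], stripe[3]])[:3] == DATA
    # Disks 0 and 1 fail together: RAID-5 has nothing left to rebuild from.
    try:
        rebuild([None, None, stripe[2], stripe[3]])
        double_failure_survived = True
    except ValueError:
        double_failure_survived = False
    # A software bug or malware overwrites a block. Parity is recomputed for
    # the bad data, so the array looks healthy; only a backup has the original.
    overwritten = make_stripe([b"XXXX", DATA[1], DATA[2]])
    return recovered, double_failure_survived, stripe_is_consistent(overwritten)

if __name__ == "__main__":
    print(demo())
```

The third result is the practical point: the array reports a consistent stripe for data that was overwritten, so restoring the original requires a separate backup copy.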


Practice tip:

Data storage must also be mentioned in the data protection declaration. It includes, for example, the handling of personal data as well as a reference to the obligation to provide information and the right to correction or deletion of the data. You can create a legally secure data protection declaration in just a few minutes with our free data protection generator. Try it now!

5. Security risks of different storage media

If you as a company process personal data, proper data backup is essential. Depending on the data medium, different security risks arise, which you should consider.

Checklist: How to prevent the loss of sensitive data

Pay attention to the following 6 points

  • Prevent a data storage device from becoming defective by using redundant data storage and making backups
  • Encryption of the server to avoid data theft
  • Avoid open and unencrypted WLAN connections
  • Keep software up to date
  • Activate virus scanner and do not click on unknown links, domains or e-mail attachments
  • Observe the data protection regulations of the respective country in which the server is located


Caroline Schmidt

Caroline Schmidt is an online editor and responsible for content and SEO at eRecht24. As a legal writer, she takes care of updating existing articles and prepares both old and new texts in an understandable way. After studying media education, she was able to gain initial editorial experience in various areas of law, e.g. labor, traffic and family law.


Soren Siebert

Lawyer and founder of eRecht24

Lawyer Sören Siebert is the founder of eRecht24 and owner of the law firm Siebert Lexow. With 20 years of experience in Internet law, data protection and e-commerce and with more than 10,000 published contributions and articles, lawyer Sören Siebert not only has excellent specialist expertise, but also has the right feeling for his readers, clients, customers and partners when it comes to legally secure solutions in online marketing and B2B / B2C services as well as online shops. In addition to the numerous articles on eRecht24.de, Sören Siebert has also published various e-books and guides on the subject of internet law and knows exactly what is important to entrepreneurs, agencies and web designers in their daily business with customers: complex legal requirements presented in a way that is easy to understand, with practical instructions for implementing legally secure websites.

Article information

Author: Pres. Carey Rath

Last Updated: 11/05/2023
