Section 1
The genuine must-do list
These are cheap, they matter, and skipping them is where small firms actually get bitten. • A privacy notice (Datenschutzerklärung) on your website. Required, standard, and generated well by reputable tools. This is the single most common thing regulators and warning-letter lawyers (Abmahnung) check, because it is public. • A lawful basis for what you collect, and data minimisation. Do not collect what you do not need. For a small firm that mostly means: contact forms ask for the minimum, and you can say why you hold each category of data. • Basic data security. Locked devices, sensible passwords, access limited to who needs it, backups. Unglamorous, and it is what turns a lost laptop from an incident into a non-event. • Contracts with your processors (Auftragsverarbeitung, AVV). When a third party processes personal data for you (your newsletter tool, your cloud bookkeeping, your IT provider), you need a data-processing agreement in place. The providers supply the template. You sign it and file it. • A records-of-processing document (Verzeichnis von Verarbeitungstätigkeiten, the Article 30 ROPA). People believe the "fewer than 250 employees" line exempts them. Read Article 30(5): the exemption falls away if processing is not occasional, which describes every firm that runs payroll and keeps a customer list. So yes, you almost certainly need a ROPA. The good news is that for a six-person firm it is a short, honest list of what you process and why, not a corporate tome. That list is the real job. Most of it is a couple of afternoons and then light maintenance.
Section 2
The theater you can usually drop
Here is where the fear economy oversells a firm of six. • An appointed Datenschutzbeauftragter (DPO), in most cases. German law (Paragraph 38 BDSG) requires a formal DPO when at least 20 people are constantly engaged in automated processing of personal data. A six-person shop is far under that line and normally does not need to appoint one. Confirm your specific situation, because special-category data can pull you in regardless of headcount, but the default reflex to "hire a DPO" is misplaced at your size. • Corporate-scale documentation binders. The 80-page policy set, the annual data-protection management system, the impact assessments for routine processing. These exist to protect large organisations with large exposure. A firm holding ordinary contact and payroll data does not manufacture that risk and does not need the paperwork built for it. • Overlay and "instant compliance" widgets. The one-line script that promises to make your site DSGVO-compliant. Compliance is about what you actually do with data, and a widget cannot fix a process it cannot see. The reason to name the theater is not to be reckless. It is that every hour spent on oversized documentation is an hour not spent on the five things that genuinely protect you, and small firms routinely get this backwards.
Section 3
The line to watch
Two things move a small firm from the light regime into the heavier one, so know them: • Special-category data (health, biometric, and similar under Article 9). If you handle it, the exemptions tighten and you should get advice. • Processing as a core activity at scale, or crossing the 20-person automated-processing threshold, which triggers the DPO requirement. If neither applies, you are in the light regime, and the must-do list above is close to the whole job.
Section 4
The fitness test
Your DSGVO work is right-sized if: • You have the privacy notice, the processor contracts, and a short ROPA, and you can find all three in under five minutes. • You are not paying for a DPO or a corporate policy binder that your size and your data do not require. • You handle no special-category data and stay under the 20-person automated-processing line, so the heavy regime does not apply. If you have the binder but not the ROPA, you bought the theater and skipped the substance. Reverse it. Do the five real things, drop the oversized rest, and revisit only if your data or your headcount crosses the lines above.