The key points are:

• A legal basis or consent from the individual concerned is necessary for the lawful processing of personal data.
• Data may only be stored as long as it is needed for the purposes for which it was collected.
• Individuals have the right to access the data that companies have stored about them.
• Individuals have the right to request the deletion of their stored data.

• Data must be securely stored and protected from third-party access.
• Privacy by Default: Default settings must meet basic data protection requirements.
• Companies with more than ten employees handling personal data need a data protection officer.
• Violations are punishable by fines or imprisonment.

Data protection must-haves for companies of all sizes:

• Transparent and comprehensible privacy policy
• Data-saving surveys and forms 
• Privacy by default 
• Data protection officer 
• Obligation of employees to maintain data secrecy 
• Encryption of personal data on mobile data carriers 
• Secure disposal and deletion of sensitive information 
• Documentation of data protection measures and test reports 
• Regular data protection audits 
• Powerful firewall to protect sensitive data 
• Procedures and guidelines for dealing with data breaches 

Data protection no-gos are the following:

• Data collection and processing without a legal basis 
• Data processing outside the purpose of collection 
• Use of data for advertising purposes without consent 
• Data transfer to third parties outside the EU 
• Unauthorized disclosure of personal data 
• Blindly trusting service providers with regard to data protection 
• Delaying or avoiding the deletion of personal data 
• Private devices at work or private use of company devices 
• Insecure passwords at the workplace