Data Protection Academy » Data Protection Wiki » Compliance management in the company

The importance of compliance management: definition, implementation and system

Compliance management is becoming increasingly important for companies as they are confronted with complex legal and regulatory requirements. Compliance with laws and regulations, as well as ethical and internal company guidelines, is crucial to avoid violations and to gain the trust of customers and business partners.

Compliance primarily serves the goal of averting damage to the company. Companies also have to face the challenges of risks such as corruption, fraud and data loss. In the following article, you will receive all information on compliance management and the compliance management system, notes on the requirements for the CMS as well as an overview of important norms and standards.

Key information on compliance management

  • Compliance management refers to the compliance with laws and standards and ethical and internal company guidelinesapplicable to the business of a company.
  • Companies must have an implemented compliance management system to identify, assess and minimise or avoid risks.
  • Effective compliance management systems must be regularly monitored, updated and improved.
  • Companies that successfully implement a compliance management system can increase the trust of customers and business partners and minimise legal and financial risks.

Definition: What is compliance management?

Compliance refers to adherence to laws, rules and regulations, including ethical and corporate standards. The term compliance comes from the English language and literally means "adherence" or "conformity to rules".

Compliance is often defined as the totality of operational measures to ensure that all employees of a company adhere to the relevant rules and regulations. Through effective compliance management, violations can be detected or prevented at an early stage.

Importance of compliance for companies

Compliance in companies refers to the effort, legal requirements and regulatory requirements (e.g. standards) and to ensure that the company's conduct and business practices comply with applicable laws, industry standards and ethical principles.

This includes monitoring and reviewing business practices to ensure they remain within legal and regulatory requirements. The corporate compliance function supports compliance with laws and regulations to minimise the risk of penalties, claims for damages and negative impacts on the company's reputation.

Legal foundations, norms and standards of compliance

The legal basis for establishing a compliance management system in companies varies depending on the country and industry. In Germany, there are several laws and regulations that require or can support the establishment of a compliance management system. Some important examples are:

  • Federal Data Protection Act (BDSG)
  • German Commercial Code (HGB)
  • Unfair Competition Regulation (UWG)
  • Criminal Code (StGB)
  • Employee Data Protection Act (ADDSG)

In addition, there are numerous normative requirements that companies should or even must take into account. In the example of information security, these are, for example:

  • The standards of the ISO 27000 series
  • The specifications of the BSI-Grundschutz
  • The TISAX standard in the automotive industry

Companies may also have their own internal policies and procedures to ensure that they comply with applicable compliance requirements.

It is important that companies regularly review their compliance requirements and update their compliance management system accordingly to ensure that it complies with applicable laws and normative, as well as their own regulations.

What are the compliance guidelines?

Compliance guidelines are important in companies. They help to minimise the risk of legal and financial consequences. Some reasons why compliance policies are important are:

  1. Legal requirements: Compliance policies help companies to comply with legal regulations and avoid penalties that can be caused by violations of laws.
  2. Reputation protection: Adherence to compliance regulations or standards can help protect the company's reputation and improve its standing with customers, business partners and the public. Certifications such as ISO 9001 (quality management) can significantly improve the external image.
  3. Avoidance of claims for damages: Compliance policies can help protect the company from claims for damages that may be caused by unlawful conduct or practices.
  4. Promoting integrity: Compliance policies set standards and help the company promote integrity and responsibility in its business practices.
  5. Minimising risks: Compliance policies help minimise the risk of legal and financial consequences and provide the company with a framework to ensure that it conducts its business practices within applicable laws and normative requirements.

Which prevention obligations do companies have to take into account?

Companies have to consider the following preventive obligations and risks when adhering to compliance guidelines:

  1. Legal requirements: Companies must ensure that they comply with all relevant legal requirements, such as data protection laws, competition laws, tax laws, etc.
  2. Internal guidelines: Companies must develop and implement internal policies and procedures to ensure that business practices are in line with applicable compliance requirements.
  3. Training and awareness: Companies need to train employees on the importance of compliance and adherence to relevant laws and procedures to raise awareness of these issues.
  4. Monitoring and verification: Companies must regularly monitor and review their business practices to ensure they meet compliance requirements.
  5. Reaction to violations: Companies need to have a process in place to address compliance breaches quickly and effectively.

What risks should a company be looking at?

A company should consider the following aspects when looking at compliance risks:

  1. Legal violations: Check whether the company complies with applicable laws and regulations, e.g. in areas such as data protection, labour law, taxes, etc.
  2. Breaches of internal guidelines: Check that employees comply with internal rules and procedures relevant to the company's business operations.
  3. Reputational damage: Check whether the company could be put in a bad light vis-à-vis customers, suppliers or the public if there are breaches of compliance regulations.
  4. Penalties and fines: Check whether the company can be prosecuted under criminal or civil law for breaches of compliance regulations.
  5. Claims for damages: Check whether the company can be held liable for damages caused by breaches of compliance regulations.
  6. Loss of customers and business partners:Check whether breaches of compliance regulations can lead to customers or business partners leaving the company.
  7. Effects on the operating business: Check whether breaches of compliance regulations can have an impact on daily business operations, e.g. on work processes or costs.

To minimise these risks, the company should implement an effective compliance management system that includes regular reviews, training and monitoring procedures. scope of application should not be expected.

What is compliance management?

Compliance management refers to the systematic monitoring and review of business practices within an organisation to ensure that it complies with applicable laws, regulations and policies. It involves identifying, assessing and monitoring compliance risks and putting processes and procedures in place to ensure that business practices remain within legal and ethical boundaries.

How to integrate compliance management in companies

A compliance management system can be integrated in a company in the following ways:

  1. Review of the legal situation: Review applicable laws and regulations to ensure that the compliance management system meets all relevant requirements.
  2. Appointment of a compliance officer: Designate a person who is responsible for the compliance management system and is in charge of monitoring and implementing all compliance activities.
  3. Introduction of compliance procedures: Implement procedures to ensure that the compliance management system is regularly reviewed and updated, e.g. training and monitoring procedures.
  4. Involvement of all employees: Inform and train all employees about the compliance management system and their responsibilities. Ensure that all procedures and rules are followed.
  5. Monitoring and verification: Regularly monitor and review the compliance management system to ensure that it is effective and meets all requirements.
  6. Adaptation in the event of changes: Adapt the compliance management system as the law changes or within the company to ensure that it remains effective.

An effective compliance management system should be regularly reviewed and adapted to ensure that it meets the current needs of the company and the applicable laws.

Support in setting up your compliance management system

The implementation of a digital and automated compliance management system is a complex task. The consultants of Robin Data GmbH support you, among other things, in setting up the respective management system, in migrating data from existing systems and in automating specific compliance tasks. Find out about the advantages and process with Robin Data.

What are compliance violations?

Compliance violations refer to actions or practices of an organisation or its employees that violate applicable laws, regulations or internal policies. This may include, for example, violations of labour law, data protection laws, environmental regulations or anti-bribery laws.

Compliance violations can include both intentional actions and unintentional mistakes and often have negative effects on the company, such as penalties, claims for damages, image damage and loss of customer trust.

Liability risks from compliance violations

In Germany, managing directors are exposed to several liability risks. For example, they are liable for:

  1. Business losses: Directors can be held liable for the loss of the company if they breach their duties or act negligently.
  2. Violations of laws and regulations: Directors may be held liable for breaches of laws and regulations such as data protection laws, labour laws, competition laws etc.
  3. Harmful commercial practices: Directors may be held liable for harmful business practices such as conflict of interest, insider trading, fraud, etc.
  4. Financial losses: Directors may be held liable for financial losses caused by errors or mismanagement.
  5. Tax offences: Directors can be held liable for tax offences if they knowingly or negligently file false tax returns.

It is important to note that the liability risks for company directors can vary and depend on factors such as legal form, industry and size of the company. It is important that directors are aware of the liability risks that exist and take steps to minimise them.

Liability basis for compliance management

The liability basis for compliance management is § 43 GmbHG, which not only applies to GmbHs, but is also "applied accordingly" to other types of companies. This states:

(1) The managing directors shall exercise the care of a prudent businessman in the affairs of the company.

(2) Managing directors who violate their duties shall be jointly and severally liable to the company for the damage incurred.

This results in duties of care for the managing director to pursue the company's purpose as effectively as possible, taking into account its nature, size and economic situation.

Insofar as the management does not decide on and implement all measures itself, an internal organisational structure must be created that monitors the legality and efficiency of action (the so-called corporate organisation duty). This means that a monitoring system must be created with which risks to the company's continued existence can be monitored and controlled.

This should take the form of a compliance management system (concretisation of the duties from §43 GmbH Act by judgement), which takes organisational precautions (e.g. work instructions, guidelines) that prevent the commission of legal violations by the company or its employees and regulates the intervention in the event of violations.

Delegating monitoring to dedicated personnel, such as the compliance manager, means the managing director at least retains organisational and system responsibility. Although they are less liable if they use qualified personnel, they must still bear the organisation's responsibility for monitoring.

Liability standard for compliance violations

Not every monetary loss is grounds for liability, especially since the economic expediency of a company is not subject to judicial review. In general, the so-called "business judgement rule" applies: a breach of duty does not exist if the managing director, when making an entrepreneurial decision, could reasonably assume to act for the benefit of the company on the basis of adequate information.

However, the limit is exceeded if, from the point of view of a conscientious businessman, the risk of damage is unavoidable and there are no reasonable business reasons for taking it. In particular, the limit of justification for liability is exceeded if knowledge and principles of experience recognised in the respective industry are violated. An unjustifiable risk is taken, for example, if an unsecured loan was granted to financially weak contractual partners.

The managing director always bears the burden of proof for compliance with the duties of care or that he is not at fault. It can be deduced from this that there should generally be consistent and comprehensible bases for decision-making for the managing director and that the individual decisions are documented. Managing directors should therefore be aware of all relevant risks in their organisation and initiate measures to prevent or mitigate risks. An effective risk management is therefore the basis for effective compliance management.

Dealing with compliance violations in the company

In the event of compliance breaches, a company should take the following steps:

  1. Recording and verification: Gather all relevant information and check if there is a violation.
  2. Conducting an internal investigation: Conduct an internal investigation to determine the circumstances of the breach and assess whether further action is required.
  3. Elimination of grievances: Eliminate the grievances that led to the violation and ensure that they are avoided in the future.
  4. Communication with authorities: Communicate with the relevant authorities if there is a violation of applicable law.
  5. Notification of the parties concerned: Notify the parties concerned if their rights or interests are affected.
  6. Prevention of future violations: Revise your compliance management system and ensure that it prevents future breaches.

It is important that breaches are quickly recorded and investigated to ensure that the company can respond appropriately and prevent recurrence. It is also important to communicate openly and transparently to maintain and improve trust in the company.

Schedule a meeting with Robin Data

We would be happy to show you in a personal online appointment how you can implement your requirements with Robin Data ComplianceOS®. Get an insight into the structure and scope of functions and ask your questions from the user's point of view.

Definition: What is a compliance management system?

A compliance management system (CMS) is a framework that an organisation uses to ensure that it complies with applicable law and industry-specific or normative regulations. It includes monitoring processes, the review and revision of compliance measuresto ensure that the company meets ethical and legal obligations. A CMS also includes rules and procedures for monitoring and reporting compliance violations and the handling of these violations. The aim is to minimise risks to the company and its reputation and to maintain and strengthen trust in the company.

ISO 19600 as a standard for the compliance management system

ISO 19600 sets out general requirements for the compliance management system (CMS). These include:

  • Integration of the CMS into the company's business concept
  • Checking the relevance of applicable laws and regulations
  • Monitoring compliance with the regulations
  • Review and revision of the CMS on a regular basis
  • Responsibility for compliance at all levels of the company
  • Monitoring and reporting of compliance violations
  • Training employees on compliance issues
  • Review of the effectiveness of the CMS and continuous improvement.

ISO 19600 serves as a guide for the design and implementation of a CMS. It helps companies minimise compliance risks and meet their obligations to legislation and regulation.

Standard elements of a CMS

Standard elements of a Compliance Management System (CMS) can be the following:

  • Review and revision of legal and regulatory requirements
  • Review and revise company policies and procedures
  • Training and awareness-raising of employees with regard to compliance
  • Monitoring and review of business practices
  • Procedures for monitoring and reporting compliance violations
  • Procedures for review and revision of the CMS
  • Monitoring and reviewing the effectiveness of the CMS
  • Regular review and revision of compliance risks.

These elements can be individually adapted to the needs and requirements of the company, but they form the basis for a successful CMS. It is important that the CMS is regularly reviewed and adapted to ensure that it meets the current needs and requirements of the company.

Digital Compliance: Software-based Compliance Management

Advantages of a software-based compliance management system (CMS) can be:

  • Centralisation and standardisation of compliance processes and information
  • Automated monitoring and review of business practices
  • Better monitoring and review of compliance risks
  • More efficient monitoring and review of compliance violations
  • Availability of updated legal and regulatory requirements in real time
  • Automated monitoring and review of compliance trainings
  • Support in monitoring and reviewing the effectiveness of the CMS.

A software-based CMS can also make it easier to build and maintain a successful CMS by simplifying the monitoring and review of compliance processes and information. However, it is important to note that a software-based CMS is only as effective as it is configured and used. It is important that the CMS is regularly reviewed and adapted to ensure that it meets the current needs and requirements of the organisation.


Effective compliance management is not only the basis for business continuity and success. It is also anchored in law and leads the managing director out of liability in a structured manner, provided that the organisational measures are taken and anchored in process. Delegation to qualified personnel can additionally relieve the managing director of liability. Furthermore, compliance managers benefit from software-supported implementation.

Nadine Porrmann
Latest posts by Nadine Porrmann (see all)

This might interest you too:

The activity report according to the GDPR

Templates, whitepapers and implementation of the activity report according to the GDPR. Create the activity report automatically in just a few steps.

Erasure concept according to the GDPR

Samples, templates and examples for your GDPR erasure concept according to DIN 66398. Automatically create the erasure concept.

Record of processing activities

List of processing activities according to Art. 30 GDPR. Explained step by step with extensive information. Data protection made easy.