External Data Protection Officer

Simply put: The EU GDPR with the additional German Federal Privacy Act requires an internal or external data protection officer to be appointed by every company in Germany with twenty employees or more. In some cases, companies might be required to hire a data protection officer at an earlier point – and regardless of the number of employees – for example, if the company processes data that is more sensitive such as health data.

The data protection officer helps you comply with the legal requirements in data protection. Under the EU GDPR, companies are required to prove their data protection compliance not just sporadically, but structurally. The external data protection officer provides advice on data protection issues and lets you know whether your practices comply with applicable data protection laws. The data protection officer also provides tips and recommendations on how you can implement current data protection requirements in your company’s operations.

The EU GDPR states that companies should above all address the following issues:

1. Creating a privacy policy
2. Documenting the procedures that process personal data (the so-called “directory of processing activities”)
3. Contractual relationships with third-party service providers (keyword: “outsourced processing agreement”)
4. Compliance with the minimum standards in IT security
5. Educating and training employees

Our Privacy Kit addresses all of these items and is designed for companies with about 20 employees. Our Compliance Kit is designed to meet the needs of larger companies.

As a rule, the data protection officer is consulted whenever IT systems are introduced that are critical to data protection, or if data is lost in an attack. Another one of the data protection officer’s responsibilities is to train the employees who do the data processing. Companies receive additional support as well: The data protection officer is the contact person for questions related to data protection and gives the company the tools it needs so it can structure and integrate the data protection issues into in-house procedures.

A data protection officer should be appointed if the company is required to do so by law (usually, if the company employs twenty people or more who have access to personal data). Irrespective of the legal obligation, companies also often appoint data protection officers for other reasons, when they realize they are in need of professional advice in the area of data protection requirements. This is the case, for example, for companies that process sensitive healthcare data or for companies that process data on behalf of their customers.

Each option has its advantages and disadvantages which should be individually tailored to your business. Pursuant to the law, both internal and external data protection officers are mandated to take care of a company’s data protection needs while operating as independent and neutral agents. Data protection requirements have become increasingly complex in recent years. Small and medium-sized companies therefore often rely on external data protection officers who specialize in this area.

In theory, the training to become a data protection officer usually takes a week, depending on the provider. However, in our experience, the ability to practically apply what was learned requires several years of experience in the field. The International Association of Privacy Professionals (IAPP) offers an ISO-accredited data protection training course.

A form to appoint a data protection officer

If you would like to appoint us as your data protection officer, we will send you a form, which you can use as documentation for the data protection supervisory authority, to prove that you have appointed us.

With our Privacy Kit, we offer small companies with up to 20 employees a solution that includes the appointment of a data protection officer. It costs €32.50 per month plus VAT and is billed annually. The Privacy Kit includes web-based data protection management software, which you can use to cost-effectively address data protection issues. Moreover, we are also available to answer any questions you might have.
Additional information about the Privacy Kit can be found here.

As for medium-sized companies equipped with an internal or external data protection officer, we are offering them support with our Compliance Kit, which provides data protection management software based on ISO standards.
Additional information about the Compliance Kit can be found here.

If you would like to receive a detailed offer, you can also request a non-binding cost estimate. Just fill out the form to quickly and easily determine the cost of an external data protection officer for your company.