Question 1

What is an external data protection officer?

Accepted Answer

An external data protection officer is an independent expert who supports companies in fulfilling all the requirements of the General Data Protection Regulation (GDPR) and other data protection laws - without disrupting internal processes. Unlike internal data protection officers, who are permanently integrated into the company, the external service provider is commissioned to provide objective and independent advice. Its core tasks include

Legally compliant advice and training: He regularly informs management and employees about current data protection requirements and conducts training sessions to raise awareness of data protection.

Integration into company processes: He develops and implements data protection-compliant guidelines that are seamlessly integrated into existing processes so that ongoing operations are not impaired.

Monitoring and optimisation: He monitors compliance with data protection standards and adapts processes to new legal requirements.

Cooperation with lawyers: Close cooperation with specialised lawyers ensures that all measures are not only practical, but also legally sound.

This external support enables companies to concentrate fully on their core business while all data protection aspects are handled professionally and with legal certainty. This comprehensive and industry-specific advice is particularly advantageous for companies that operate internationally and have to fulfil complex data protection requirements.

Question 2

Which companies are required to appoint a data protection officer?

Accepted Answer

According to the requirements of the GDPR and specified by the BDSG, companies must appoint a data protection officer (DPO) if at least 20 individuals regularly process personal data in an automated manner, such as with a PC, tablet, or smartphone. This is often the case in the IT or HR department but can also apply to other departments within your company. The obligation to appoint a DPO is independent of the number of individuals involved when the company processes particularly sensitive personal data, such as health data or data regarding political opinions. Additionally, if the core activity of the company's operations involves the collection, processing, usage, or transmission of personal data, a DPO must be appointed. Companies must also appoint a DPO when processing requires a data protection impact assessment under Article 35 of the GDPR (e.g., in the case of video surveillance).

Important: Even if your company is not required to appoint a DPO, you must still comply with all provisions of the GDPR.

Question 3

Why is an external data protection officer often better than an internal data protection officer?

Accepted Answer

By engaging an external data protection officer from MKM, your company gains access to experts in data protection with years of professional experience. All of our consultants are attorneys and business lawyers with a strong affinity for IT and technical topics, as well as a wealth of experience across various industries, sectors, and projects. MKM places great emphasis on the ongoing education and training of its consultants. With an external data protection officer, you won’t need to worry about training and development—unlike with an internal data protection officer. Internal data protection officers often spend only 10-15% of their working time on this crucial role, which leaves insufficient time to address the myriad of topics and issues that arise in operational data protection.

Question 4

What does an external data protection officer cost?

Accepted Answer

Often, the costs are less than you might think. The fees for your external data protection officer depend on your company's specific requirements and the extent of our services. While it's difficult to provide a flat rate due to the numerous factors involved, a general guideline is that our clients typically pay a monthly consulting fee ranging from €300 to €800. This means you won't have to allocate an employee's time for this role, nor invest in their training and continuing education to ensure they have the necessary qualifications and expertise. Additionally, you won't need to equip them with the required technology and authority.

Question 5

Which companies need an external data protection officer?

Accepted Answer

According to the GDPR, companies must appoint a data protection officer (DPO) if at least 20 employees regularly process personal data in an automated manner, such as using a PC, tablet, or smartphone. This is often the case in IT or HR departments, but it can also affect other departments within your organization. The obligation to appoint a DPO is independent of the number of employees if the company processes particularly sensitive personal data, such as health data or data concerning political opinions. Additionally, a DPO must be appointed when processing activities require a data protection impact assessment under Article 35 of the GDPR.

It’s important to note that even if your company is not required to appoint a DPO, you still must comply with the provisions of the GDPR. Therefore, it is often wise not to skimp on the moderate costs of hiring an external DPO and to voluntarily appoint one. This way, challenges and responsibilities are addressed by the external DPO rather than falling on your shoulders.

Unsure if your company needs an external data protection officer? Please reach out to us; we’re here to help!

Question 6

What competencies must an external data protection officer have?

Accepted Answer

Ideally, an external data protection officer (DPO) should be a trained lawyer with a strong affinity for technology and IT-related issues. They should be certified in data protection and engage in continuous education to provide competent and legally sound advice to their clients. An experienced DPO possesses extensive knowledge and expertise gained from numerous data protection projects across various industries.

Therefore, it is essential to rely on a reputable and established consulting firm. At MKM, we have been active in the field of data protection since 2004, long before the advent of the GDPR! Our consulting approaches, interview techniques, and solutions are homegrown developments that have matured over the years and are continuously improved and updated. All our consultants are certified and committed to ongoing training and specialization.

We are accustomed to advising both medium-sized enterprises and large corporations on complex data structures. Our global network enables us to provide legally compliant advice in almost any country in the world. With our data protection solutions, you can finally check this crucial aspect off your compliance management list.

Question 7

How is a data protection officer appointed?

Accepted Answer

Formally, the GDPR does not stipulate specific requirements regarding the manner of appointing a data protection officer (DPO). In theory, an oral appointment suffices. However, it is highly recommended to document the appointment in writing for reasons of evidence and accountability. Additionally, we advise formally outlining the responsibilities of the DPO in writing.

The authority of a DPO must be communicated to the relevant authorities (Article 37, paragraph 7 of the GDPR). Both internally and externally, the authority and contact details of the DPO must be made publicly available, for example, on the intranet and the company’s website.

Question 8

Can an internal data protection officer be dismissed?

Accepted Answer

An internal data protection officer can be dismissed under certain conditions, but there must be valid reasons that would also justify an immediate termination in an employment relationship. If an internal data protection officer is dismissed, termination within one year is prohibited unless there is a significant reason.

With an external data protection officer, you don’t have to worry about this issue; you can terminate the collaboration at any time in accordance with the contract. If you are uncertain whether to appoint an internal or external data protection officer, please feel free to reach out to us. We are here to assist you!

Question 9

Is a data protection officer liable for breaches?

Accepted Answer

An external data protection officer is liable for their advice. This means that in the event of incorrect advice under data protection law, they must take responsibility. Reputable consultants take out liability insurance for this purpose. At MKM, this amounts to EUR 10 million. However, the data protection officer is not liable for any failure by the company to implement its advice. This liability always remains with the company and its executive bodies. With an external data protection officer, you therefore receive advice at the highest level.

Question 10

Am I allowed to appoint myself as the data protection officer as the managing director?

Accepted Answer

An independent fulfillment of duties as a data protection officer is only ensured when conflicts of interest are excluded. A conflict of interest arises, for example, when the internal data protection officer is in a managerial position (e.g., as a member of the executive board) or leads the IT or HR department. Employees who determine or commission data processing processes in these departments cannot also be appointed as the data protection officer. Furthermore, relatives of the company's executives are excluded from this role. The data protection officer should hold an independent position within the company to effectively perform their tasks in the interest of data protection.

Question 11

Time commitment: Does the internal data protection officer have enough time for their core responsibilities?

Accepted Answer

The time required for the role of an internal data protection officer cannot be generalized. It depends on various factors, including the size of the company, the volume of processed data, and the IT infrastructure. An internal data protection officer will require significant time during the onboarding phase. They must conduct a comprehensive assessment, establish and review the processing directory, and develop necessary additions. During this phase, the employee may only be able to engage in their core responsibilities to a limited extent.

The costs for an external data protection officer are moderate—therefore, consider whether it might be more advantageous to appoint an external DPO instead of an internal one.

Question 12

Internal vs. External Data Protection Officer: Who Assumes Liability?

Accepted Answer

An employed internal Data Protection Officer (DPO) is only liable for intent and gross negligence. This means that the main risk of data protection violations due to consulting errors falls on the board or managing director of the company, which can be quite costly. In the event of a data protection breach, you could face fines of up to 20 million euros or up to four percent of the global annual revenue!

There is no employment relationship between an external DPO and the client. Therefore, an external DPO does not benefit from the same liability protections.

Even in cases of slight negligence, an external DPO is liable to the company within the framework of legal provisions. This means you don't have to worry—an external DPO provides you with backup and sufficient protection against liability risks!

External
Data Protection Officer

Expert Data Protection: Keep It Simple and Safe!

Darum lohnt sich ein Externer Datenschutzbeauftragter

Our services as an external data protection officer

Our services as an external data protection officer summarized:

Costs

Benefits

Legal Tech Tools

Data Protection Management System

E-Learning
Employee training

Data protection compliant website

Your path to secure data protection

Quote

Contract

Assessment

Documentation

Regular support and training of employees

Rooted locally - Connected globally

FAQ about the Data Protection Officer

External Data Protection Officer