Q: Why is an external data protection officer often better than an internal, company data protection officer?

With an external data protection officer from MKM, your company receives experts in data protection with many years of professional experience. All of our consultants are lawyers and business lawyers with a high affinity for IT and technology topics and a wealth of experience from various industries, sectors and projects. MKM attaches great importance to regular training and further education for its consultants. You do not have to worry about the training of an external data protection officer - unlike a company data protection officer. Company data protection officers often only perform this important function for up to 10-15% of their working time. This is time that is often lacking elsewhere and is far from sufficient for the large number of topics and issues for the company data protection officer.

Question 1

What is an external data protection officer?

Accepted Answer

An external data protection officer is an independent expert who supports companies in fulfilling all the requirements of the General Data Protection Regulation (GDPR) and other data protection laws - without disrupting internal processes. Unlike internal data protection officers, who are permanently integrated into the company, the external service provider is commissioned to provide objective and independent advice. Its core tasks include

Legally compliant advice and training: He regularly informs management and employees about current data protection requirements and conducts training sessions to raise awareness of data protection.

Integration into company processes: He develops and implements data protection-compliant guidelines that are seamlessly integrated into existing processes so that ongoing operations are not impaired.

Monitoring and optimisation: He monitors compliance with data protection standards and adapts processes to new legal requirements.

Collaboration with lawyers: Close cooperation with specialised lawyers ensures that all measures are not only practical, but also legally sound.

This external support enables companies to concentrate fully on their core business while all data protection aspects are handled professionally and in a legally compliant manner. This comprehensive and industry-specific advice is particularly beneficial for companies that operate internationally and have to fulfil complex data protection requirements.

Question 2

Which companies must appoint a data protection officer?

Accepted Answer

According to the requirements of the GDPR and specified by the BDSG, companies must appoint a data protection officer if at least 20 people regularly process personal data automatically, e.g. using a PC, tablet or smartphone. This is often the case in the IT or HR department, but can also apply to all other departments in your company. The obligation to appoint a data protection officer is independent of the number of persons if the company processes particularly sensitive personal data. This is the case, for example, with health data or data on political attitudes. Or if the core task of the company's activities lies in the collection, processing, utilisation or transfer of personal data. Companies must also appoint a data protection officer if processing operations are carried out that require a data protection impact assessment in accordance with Art. 35 GDPR (e.g. in the case of video surveillance)

Please note: Even if your company is not obliged to appoint a data protection officer, you must still comply with and fulfil all the requirements of the GDPR.

Question 3

What will an external data protection officer in Berlin cost me?

Accepted Answer

This is often less than you think. The costs for your external data protection officer depend on the requirements of your company and the extent to which we are to work for you. It is not possible to give a generalised price as this depends on a number of factors. As a guide, however, we can say that our clients' monthly consultancy fee is usually between 300 and 800 euros. In return, you do not have to release any of your company's employees for this activity, train and educate them so that the relevant qualifications and expertise can be ensured and proven, and provide them with the necessary technical resources and authorisations.

Question 4

Why is an external data protection officer often better than an internal, company data protection officer?

Accepted Answer

With an external data protection officer, you can ensure that your company is not only optimally positioned in terms of data protection law in Germany, but also internationally. Our certified experts (TÜV, IAPP) are all business lawyers or attorneys and have many years of experience in data protection law, both at national and international level. We advise you on compliance with the GDPR and other relevant data protection regulations worldwide and integrate these requirements efficiently into your business processes.

We also train your employees, monitor the correct application of data protection principles and mediate between the interests of your company and external requirements. This allows you to concentrate on your core business while we ensure data protection security.

Question 5

Which companies need an external data protection officer?

Accepted Answer

According to the GDPR, companies must appoint a data protection officer if at least 20 employees regularly process personal data automatically, e.g. using a PC, tablet or smartphone. This is often the case in the IT or HR department, but can also apply to all other departments in your company. The obligation to appoint a data protection officer is independent of the number of employees if the company processes particularly sensitive personal data. This is the case, for example, with health data or data on political attitudes. Or if the core task of the company's activities lies in the collection, processing, use or transfer of personal data; companies must also appoint a DPO if processing operations are carried out that require a data protection impact assessment in accordance with Art. 35 GDPR. Please note that if your company is not obliged to appoint a data protection officer, you must still comply with the requirements of the GDPR. Therefore, it often makes sense not to save on the moderate costs for an external data protection officer and to voluntarily appoint an external DPO. Challenges and tasks are then addressed to the external DPO and do not lie with you. Are you unsure whether your company needs an external data protection officer? Please contact us, we will be happy to help you.

Question 6

What competences must an external data protection officer have?

Accepted Answer

Ideally, an external data protection officer should be a trained lawyer and at the same time have an affinity for technology and IT topics. They should be certified in the field of data protection and undergo regular further training. As a service provider, this is the only way they can provide their customers with competent and legally compliant advice. an experienced data protection officer has extensive know-how and expertise from numerous data protection projects in various industries. You should therefore rely on an experienced and established consultancy firm. We at MKM have been active in data protection since 2004 and not just since the GDPR! Our consulting approaches, interview techniques and solutions are in-house developments that have matured over the years. We are constantly improving and updating them. All our consultants are certified and obliged to undergo regular further training and specialisation. We are used to advising medium-sized companies and corporate groups on complex data structures. Our global network enables us to provide legally compliant advice in almost every country in the world. With our data protection solutions, you can finally tick the box in this area of your compliance management.

Question 7

How is a data protection officer appointed?

Accepted Answer

There are no formal requirements in the GDPR regarding the form of appointment of a data protection officer. In theory, a verbal appointment is sufficient. However, the written appointment of a data protection officer is highly recommended for reasons of proof and accountability. We also recommend setting out the tasks of the data protection officer in writing. The responsibility of a DPO must be communicated to the relevant authorities (Article 37(7) GDPR). The responsibilities and contact details of the data protection officer must be publicised within and outside the company, e.g. on the intranet and website.

Question 8

Can an internal data protection officer be dismissed?

Accepted Answer

Under certain circumstances, an internal data protection officer can be dismissed. However, there must be good cause for this, which would also justify termination without notice in an employment relationship. If an internal data protection officer is dismissed, termination within one year is not permitted. Unless there is good cause. You do not have to worry about this with an external data protection officer. You can terminate the collaboration at any time in accordance with the contract. Are you unsure whether you should appoint an internal or external data protection officer? Please contact us, we will be happy to help you.

Question 9

Is a data protection officer liable for infringements?

Accepted Answer

An external data protection officer is liable for their advice. This means that in the event of incorrect advice under data protection law, they must take responsibility. Reputable consultants take out liability insurance for this purpose. At MKM, this amounts to EUR 10 million. However, the data protection officer is not liable for any failure by the company to implement its advice. This liability always remains with the company and its executive bodies. With an external data protection officer, you therefore receive advice at the highest level.

Question 10

As a managing director, can I appoint myself as data protection officer?

Accepted Answer

Independent fulfilment of duties as a data protection officer is only ensured if a conflict of interest can be ruled out. A conflict of interest exists, for example, if the internal data protection officer works at management level (e.g. as a member of the management board) or heads the IT or HR department. Employees who determine or commission data processing processes in these departments cannot also be appointed as DPOs. Furthermore, members of the company management are excluded from the function. The DPO should occupy an independent position within the company in order to be able to fulfil his or her tasks effectively in terms of data protection.

Question 11

Time required: Does the internal data protection officer have enough time for their core tasks?

Accepted Answer

The time required to work as an internal data protection officer cannot be standardised. It depends, among other things, on the size of the company, the amount of data processed and the IT structure. An internal data protection officer already needs a lot of time during the familiarisation phase. He or she must carry out a comprehensive inventory, draw up and check the processing directory and draw up additions. During this phase, the employee will probably only be able to carry out their core activities to a limited extent.

The costs for an external data protection officer are moderate - you should therefore compare whether it would not be more profitable to appoint an external DPO instead of an internal data protection officer.

Question 12

May I terminate an internal DPO?

Accepted Answer

Internal data protection officers are subject to special protection against dismissal. They may only be summarily dismissed for good cause. This is roughly comparable to a member of the works council. Under certain circumstances, internal data protection officers can be dismissed. However, there must be valid reasons that would also justify termination without notice in an employment relationship. An external data protection officer is not permanently tied to your company.

Question 13

Internal vs. External Data Protection Officer: Who Bears the Liability?

Accepted Answer

An employed internal DPO is only liable in cases of intent or gross negligence. This means the main risk of data protection violations due to advisory errors lies with the company's board or managing director. And that can be expensive. In the event of a data protection breach, you may face fines of up to 20 million euros or up to four percent of the company’s global annual turnover!

There is no employment relationship between an external Data Protection Officer and the contracting company. As a result, an external DPO does not benefit from the same liability protections.

Even in cases of slight negligence, an external DPO can be held liable to the company under applicable law. That means you don’t have to worry — the external Data Protection Officer has your back and provides reliable protection against liability risks!