The German Association for Data Protection has set itself the task of advising companies in all aspects of data protection and providing external data protection officers. We develop concepts to implement the data security and protection of personal data in medium-sized companies and corporations.
External Data Protection Officer
Our expertise in German and European data protection law allows us to support companies from different industries as external data protection officers. Our employees help you to implement the requirements of the data protection regulations and the Charter of Fundamental Rights.
We help our clients to ensure compliance with data protection regulations and the supranational requirements of the European Union. We believe that data protection is to be considered a specific part of the quality management.
Compliance with data protection requirements creates trust. Data security is observed, in particular, by one’s own employees. Companies may clearly distinguish themselves from competitors by actively adhering to data protection.
Data Protection Cloud Solutions
The German Association for Data Protection has developed several cloud solutions for an economic and efficient implementation of the General Data Protection Regulation (GDPR). User friendly, legally compliant and efficient.
Our DGD Material
Here you can find our informative flyers, illustrating our work as external data protection officers as well as data protection auditors and our data protection cloud solutions.
The Data Protection Manual
For our clients we prepare individual data protection documentation. This data protection manual covers various legal requirements and concepts, which we adjust to your organization. Our individual consultation and a just-in-time realization and implementation of the GDPR represent a well-aligned process.
Documentation is everything!
Here you can find and look into the first page of each chapter in our bilingual data protection manual.
External Data Protection Officer
According to Art. 37 GDPR, both controller and processor may be required by law to designate a data protection officer. Under Art. 37 (1) lit. a-c GDPR, the appointment obligation exists in any case where a public body is involved in the processing (except for courts acting within the limits of their judicial capacity) or where the focus of the operation of the controller or the processor lies on activities that involve extensive regular and systematic monitoring of data subjects, taking into account the nature, extent and/or purpose of the processing. Furthermore, the obligation exists if special categories of data within the meaning of Art. 9 GDPR or data relating to criminal convictions and offences (Art. 10 GDPR) are processed on a large scale.
The new German regulation on the DPO goes beyond the above, so that the particularly high level of data protection in Germany is maintained: in the case of automated data processing in accordance with § 38 (1) sentence 1 FDPA-NV, the obligation to appoint a DPO already arises if at least ten people are regularly occupied with the processing of personal data. In practice this limit is quickly exceeded, which is why it is advisable to consider early on who would be a suitable person.
Irrespective of the number of employees, the controller is obliged to designate a DPO where it carries out automated processing that is subject to a data protection impact assessment, or where personal data are processed commercially for the purpose of transmission, anonymized transmission or for the purpose of market or opinion research (§ 38 (1) sentence 2 FDPA-NV). However, even without appointing a DPO it must be ensured that all data protection regulations are adhered to.
Art. 37 (6) GDPR stipulates that instead of an internal employee of the company an external data protection officer may be appointed. In any case, a DPO shall be designated in accordance with Art. 37 (5) GDPR on the basis of his professional qualities, his data protection expertise and his personal experience in data protection practice. Furthermore, he must be able to fulfill the obligations set out in Art. 39 GDPR. These prerequisites may basically be fulfilled by both a well-trained internal employee and an external person. However, there are differences between the two groups: while an internal DPO usually already has a good understanding of operational processes, which may be useful for the cooperation with the employees and possibly a works council, the external data protection officer often specializes in data protection law, keeps himself up-to-date about the latest developments and distances himself from the company to a certain extent, which is why he can perform his duties objectively.
If, contrary to an existing legal obligation, no data protection officer is appointed, this may, according to Art. 83 (4) lit. a GDPR, result in a fine of up to € 10,000,000 or 2% of the worldwide annual turnover, whichever amount is higher.