Our external data protection officers accompany you through the implementation of legal and internal data protection requirements.
EXTERNAL DATA PROTECTION OFFICER
Our Work in the Name of Data Protection
A data protection officer is responsible for organizing data protection in a practice-oriented, law-based way. Our external data protection officers advise both enterprises and public authorities, and we raise awareness at the top level of the organization.
The responsible employees of the relevant departments, as well as all staff who come into contact with personal data or who may be able to access such data in IT environments, are trained to handle personal data in accordance with the law.
INTERNAL AND EXTERNAL DATA PROTECTION OFFICER COMPARED
Our external data protection officers are responsible for designing and handling data protection within your organization. Employees at your head office and at your branches are advised. We work to ensure sensitive and trustworthy handling of personal data and to keep your staff motivated to maintain a high level of data protection.
We also support and advise IT departments, in particular when planning or deploying future IT infrastructure. For example, software products used to process personal data are assessed, and know-how is provided in order to identify and prevent potential data protection violations in advance.
OUR APPROACH
PROVISIONS AND LEGISLATION
One of the most important provisions of the General Data Protection Regulation is the mandatory designation of a data protection officer for public authorities and bodies and for enterprises operating in the European Union, wherever the Regulation, Union law or the law of the Member States provides for it (Art. 37 GDPR).
Companies should now familiarize themselves with the new rules of the General Data Protection Regulation: adapting data processing procedures takes time.
Legal Obligation to appoint a Data Protection Officer
In the Federal Republic of Germany, §§ 4f, 4g FDPA currently regulate the appointment and duties of the data protection officer.
Fines in case of Violation of Data Protection Provisions
If the obligation to appoint a data protection officer is not complied with or enterprises fail to …
WHAT IS STATED IN THE LAW?
Choosing the right data protection officer for your organization requires a review of specific legal provisions. We therefore provide an overview of the legal requirements here, as a basis for your decision whether to work with an internal or an external data protection officer.
- 1. Requirements for an external data protection officer
- 2. Standard (minimum) tasks of the data protection officer
- 3. Designation / dismissal of a data protection officer
- 4. Internal or external DPO?
An external data protection officer, like an internal one, must be selected in accordance with the requirements set out in Art. 37 (5) and Art. 39 GDPR. Under these provisions, the officer must already possess, at the time of designation, the professional qualities and expert knowledge necessary to perform the tasks; the level of knowledge required is determined by the extent of the controller's processing operations and the protection required for the personal data processed.
Prior practical experience, technical knowledge, completed education and training, and proof of specific data protection training may be required. IT qualifications should also be expected of a candidate, so that technically complex procedures can be understood. A candidate should also have at least a basic legal understanding, in order to work through the large number of rules resulting from the General Data Protection Regulation, the proposed ePrivacy Regulation and national law, and to apply the case law relating to those acts.
The standard tasks of the data protection officer arise from Art. 39 GDPR; these duties can be specified further or extended in the employment or service contract concluded with the officer.
One of the primary tasks of the external DPO is to work towards compliance with all data protection provisions by the controller or processor and by their employees, by means of information and advice, Art. 39 (1) lit. a GDPR. For this purpose, the DPO must be briefed on the procedures of the data-processing software in use and on the computer technology behind it, and must review them regularly thereafter. In addition, the external data protection officer must ensure that persons handling personal data are familiar with the data protection provisions and their due diligence obligations. This is done through regular training, repeated where necessary.
A DPO regularly reviews the technical and organizational measures of the company, provided that this task has been contractually assigned by the controller or processor. At a minimum, access, transfer, input, processor (order) and availability controls are to be reviewed. The DPO also carries out regular audits.
In most cases, the DPO also oversees the company's automated procedures, often reviewing them as part of a data protection impact assessment, to ensure that the data subjects' rights are adequately protected and that data subjects are sufficiently informed. This is crucial with regard to the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object, as well as for responding to access requests.
Furthermore, the DPO often takes care of maintaining the records of processing activities (procedure indexes), although there is no legal obligation for the DPO to do so. Additionally, the DPO can be contracted to develop a data privacy manual containing the necessary concepts, guidelines, directives and employee information.
The internal or external data protection officer must also act as the contact point for the supervisory authority on behalf of the controller or processor. However, it should be pointed out that the external data protection officer generally has no decision-making powers; decisions lie solely with the controller and thus usually with the management of the principal.
A DPO is to be designated in the cases listed in Art. 37 GDPR and § 38 FDPA-NV. The designation should be made in writing; according to Art. 37 (7) GDPR, the DPO's contact details must be published and communicated to the supervisory authority (notification obligation). The designation document should bear both the signature of the DPO and that of the controller's management.
Under § 38 (3) FDPA-NV, the external data protection officer is not bound by instructions from management in the exercise of his or her function and may operate freely within the legal limits. For this reason, it should be considered in advance to what extent an internal employee can act independently: in principle, the DPO may take on further tasks and duties in the company, § 38 (6) sentence 1 FDPA-NV, but should not hold any other position that could impair this freedom of decision (for example HR, IT management or business management).
According to § 38 (4) FDPA-NV, a DPO may only be removed by applying § 626 BGB mutatis mutandis, and the employment relationship may only be terminated if facts are presented that would justify termination without notice for good cause. After the DPO's activity has ended, termination of the employment relationship remains inadmissible for one year following removal from office, unless there are facts that would justify termination without notice for good cause. Whether this protection against dismissal also applies to an external data protection officer has not been conclusively clarified. Termination of an external DPO acting under a service contract could therefore be based on § 621 BGB or § 627 BGB; alternatively, an analogous application of § 626 BGB is conceivable. The latter would make sense and probably comes closest to the will of the legislature.
This raises the question of whether the role of the data protection officer should be filled by an internal or an external person. As already stated, cooperation with an internal employee may run smoothly because of personal familiarity and existing knowledge of the company and its structures. Practice has shown, however, that there is a danger that whole areas of the task are simply overlooked, or that the candidate lacks either the technical or the legal skills. The most important considerations against appointing an internal employee, however, concern liability and removability: an external data protection officer can be dismissed more quickly (which will probably remain the case once the GDPR applies), and while an internal DPO is liable to the company only within the limits of employee liability, an external data protection officer is also liable under §§ 280, 611 BGB and § 823 BGB.
Depending on the aims of the controller or processor, the better arguments favor either an internal or an external DPO. A strong argument in favor of the external service provider is that he or she usually deals with data protection on a full-time basis.