Costs for our Services as External Data Protection Officers

Cost transparency is an important issue for us. It means that we only charge services at defined fixed prices. We integrate all cost factors into our pricing structure. Our prices include, in addition to the costs incurred by us for the education and further training of our staff, their access to a constantly updated library, which contains numerous legal texts on data protection.

Performing the obligations of a data protection officer

For the service provided by our external data protection officers we usually work with pricing packages that are based on the number of employees in your company.

Data protection officer

from 499,00 €per month / up to 25 employees
  • Designation of the data protection officer  
  • Annual online audit of the controller or processor  
  • Online training of the employees  
  • Fulfillment of the legal obligations of the data protection officer  
  • To advise and participate in the preparation of the data protection impact assessments  
Our Packages

Designation of the data protection officer

The monthly fee includes the fee for designation of the data protection officer for a company. The designation of the data protection officer is required by law (§ 4f (1) FDPA-OV, as from 25 May 2018 the appointment obligation is regulated by Art. 37 GDPR, § 38 (1) FDPA-NV).

Annual online audit of the controller or processor

According to Art. 32 (1) lit. d GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and, inter alia, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

According to Art. 39 (1) lit. b GDPR, the data protection officer has a duty to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including conducting periodic audits.

Online training of the employees

Art. 39 (1) lit. a and b GDPR require the data protection officer to train the employees of the controller. The online training must be taken annually by each employee of the client. Upon successful completion of the online exam, each employee will receive a data protection certificate valid for one year.

Fulfillment of the legal obligations of the data protection officer

According to Art. 39 (1) GDPR, the data protection officer has at least the following tasks:

aa) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the General Date Protection regulation and to other Union or Member State data protection provisions;

bb) to monitor the compliance with the General Data Protection Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

cc) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Art. 35 GDPR;

dd) to cooperate with the supervisory authority;

ee) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

Furthermore, data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the General Data Protection Regulation, Art. 38 (4) GDPR.

To advise and participate in the preparation of the data protection impact assessments

Art. 35 GDPR regulates the data protection impact assessment. According to this provision, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. When carrying out a data protection impact assessment, the controller in accordance with Art. 35 (2) GDPR shall seek the advice of the data protection officer.

According to Art. 35 (7) GDPR, the data protection impact assessment shall contain at least the following:

aa) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

bb) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

cc) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1 of Art. 35 GDPR, and

dd) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

The monthly fee already includes advice and participation in the preparation of a specified number of privacy impact assessments each year. Your data protection officer will provide advice and participate in the preparation of data protection impact assessments. Our template for the implementation of the data protection impact assessment is protected by copyright and will be leased to the controller under the monthly fee.

Assisting the controller or processor

In order to support the controller or processor we work in general with pricing packages that are based on the number of employees in your company.

Assisting in the fulfillment

from 500,00 €per month / up to 25 employees
  • Data Protection Documentation  
  • Contracts on processing on behalf of a controller  
  • Preparation of the records of processing activities   
  • Preparation of the category records   
Our Packages

Data Protection Documentation

We use the data from the data protection audit to create individualized, tailor-made data protection documentation with concepts, guidelines and employee information. The documentation is leased to the controller or the processor. The lease price for the documentation is included in the monthly fee.

Contracts on processing on behalf of a controller

Art. 28 GDPR stipulates that the controller shall conclude a written contract with each processor. Our Data Protection Associates are helping to ensure that your organization concludes the contract with each processor.

The monthly fee already includes preparation for the conclusion of a specified number of contracts per year with different processors. The contracts will be personalized by our Data Protection Associates after the controller or processor provides us with the necessary contents. Our order processing contract is protected by copyright and will be leased to the controller under the monthly fee.

Preparation of the records of processing activities

According to Art. 30 (1) GDPR, each controller and, where applicable, his representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

 aa) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

bb) the purposes of the processing;

cc) a description of the categories of data subjects and of the categories of personal data;

dd) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;

ee) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Art. 49 (1) GDPR, the documentation of suitable safeguards;

ff) where possible, the envisaged time limits for erasure of the different categories of data;

gg) where possible, a general description of the technical and organisational security measures referred to in Art. 32 (1) GDPR.

The monthly fee already includes the preparation of a specified number of records of processing activities per year. The records of processing activities are created by our Data Protection Associates after the controller provides us with the necessary contents. Our records of processing activities template is protected by copyright and will be leased to the controller under the monthly fee.

Preparation of the category records

According to Art. 30 (2) GDPR, each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

aa) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; 

bb) the categories of processing carried out on behalf of each controller;

 cc) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Art. 49 (1) GDPR, the documentation of suitable safeguards;

dd) where possible, a general description of the technical and organisational security measures referred to in Art. 32 (1) GDPR.

The monthly fee already includes the preparation of a specified number of category records per year. The category records are created by our Data Protection Associates after the processor has provided us with the necessary contents. Our category records template is protected by copyright and will be leased to the processor under the monthly fee. 

Our external data protection officers take care of your company - supporting from α to Ω.