According to Art. 37 GDPR, all companies whose core activity consists of processing personal data must have a data protection officer. This means that a data protection officer is required if business areas mainly consist of data processing and are crucial for the company's strategy.
Section 38 of the BDSG also stipulates that a data protection officer must be appointed if at least 20 employees are regularly and permanently involved in the automated processing of personal data. This includes, for example, the use of programs such as Outlook or Excel.
The external data protection officer helps companies to implement and maintain compliance with data protection regulations. He or she monitors the company's handling of personal data in accordance with data protection law and also takes into account the data protection concerns of employees. He or she also sets data protection objectives and determines the need for action and the timetable for ensuring compliance with data protection laws.
The main tasks of the external DPO are to ensure compliance with data protection laws and regulations, to create and maintain procedural overviews, to ensure that employee and customer data is processed in compliance with data protection regulations, to conduct pre-approval reviews of IT applications and to advise on data protection issues in the various departments. He or she develops data protection-compliant processes, drafts guidelines and company agreements, and reviews system security. In addition, external DPOs are the point of contact for all data protection issues and prepare an annual data protection report. The tasks of an external DPO are primarily defined by the German Federal Data Protection Act (BDSG) and the European General Data Protection Regulation (GDPR).
Costs vary greatly depending on the size of the business, the sector and the amount of work required. We will provide you with a personalised and transparent quotation tailored to your needs.
External DPOs are also often cheaper than in-house DPOs, because an in-house DPO incurs non-wage labour and training costs that the company has to take into account.
The external DPO can be a particularly valuable solution for companies. He or she brings a wealth of knowledge and experience and can focus on data protection without being distracted by other business issues. The external DPO can provide objective and independent reviews and analysis, and assist in the development of a comprehensive data protection strategy.
In addition, external DPOs can provide the necessary support to manage changes resulting from existing and new data protection regulations. They can provide training and ensure that all employees are up to date with the latest data protection practices and legislation.
The choice between an internal and an external Data Protection Officer (DPO) depends on a number of factors, including the size of the organisation, the complexity of the data to be processed and the internal resources available. For example, if an organisation requires support across multiple sites and at a group level, the appointment of a group DPO may be considered. Whatever the choice, it is essential that the DPO has the necessary qualifications to fulfil his or her role. In the fast-moving digital world, data protection is a central pillar of any successful organisation. External DPOs can be an important resource in ensuring that organisations comply with data protection regulations while remaining innovative and competitive.