Professional data protection consulting helps organisations systematically meet the complex legal requirements of data protection law.
The focus is on ensuring the lawful processing of personal data. In addition, the consultation helps to implement other obligations under the GDPR, such as the correct documentation of processing activities or the comprehensibility and completeness of data protection notices.
The consulting is always individual, needs-oriented, and takes into account the practical processes and day-to-day business of the organisation.
Note: This information is for general purposes only and does not replace individual legal advice.
With the growing scale and increasing complexity of automated data processing, the requirements for its lawful design are also increasing.
In addition, data subjects must be informed transparently about the processing of their data; their rights—such as the right to information, erasure, or objection—must be fully respected.
Violations are subject to severe penalties under the GDPR, including fines and potential claims for damages by affected individuals.
Sound data protection advice helps organisations ensure that their data processing is lawful and that they comply with all data protection obligations—effectively avoiding legal risks and economic consequences.
The aim of professional data protection consulting is to support organisations in ensuring the legality of their data processing.
This is usually achieved by introducing an effective data protection management system that establishes binding processes and standards for the processing of personal data for all employees.
This is supplemented by practical advice on specific individual issues—for example, on the compliant design of everyday data processing or on handling requests from data subjects, such as requests for information and deletion in accordance with the GDPR.
The appointment of an external Data Protection Officer is not necessarily linked to data protection consulting.
On the one hand, the appointment may not be required by law at all. In Germany, for example, a non-public body that employs fewer than 20 persons who are permanently engaged in the automated processing of personal data is generally not obliged to appoint one (see § 38 para. 1 BDSG), unless one of the statutory exceptions applies.
On the other hand, the function of Data Protection Officer can also be performed by a suitable person within the organisation.
However, upon request, data protection consulting can also include the assumption of the role of external Data Protection Officer – even if there is no legal obligation to do so.
Without or with insufficient data protection advice, there is a risk that personal data will be processed unlawfully or that other requirements of the GDPR will not be properly fulfilled. This can have serious consequences:
- In such cases, supervisory authorities may issue orders or processing bans,
- impose fines of up to 20 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 para. 5 GDPR),
- and there is a risk of lasting damage to reputation, particularly in terms of customer and partner trust.
Professional data protection consulting helps to identify such risks at an early stage, minimize them effectively, and ensure long-term compliance with data protection regulations.
According to the General Data Protection Regulation (GDPR), an internal or external Data Protection Officer must be appointed under certain conditions.
This is particularly the case:
- for public authorities (see Art. 37 para. 1 a) GDPR, § 5 BDSG),
- or if, in the case of non-public bodies, the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (Art. 37 para. 1 b) GDPR), or of large-scale processing of special categories of personal data (e.g., health data) or of data relating to criminal convictions and offences (Art. 37 para. 1 c) GDPR).
In addition, a national rule under § 38 para. 1 BDSG applies in Germany: every non-public body must appoint a Data Protection Officer if, as a rule, at least 20 persons are permanently engaged in the automated processing of personal data. In practice, this threshold is reached quickly, as regular use of an e-mail system already counts as automated processing. Irrespective of headcount, an appointment is also required where the body carries out processing that is subject to a data protection impact assessment, or processes personal data commercially for the purpose of transfer, anonymised transfer, or market or opinion research (§ 38 para. 1 sentence 2 BDSG).
Appointing an external Data Protection Officer offers several advantages:
- Thanks to their professional specialization in data protection and information security, external Data Protection Officers have in-depth knowledge and up-to-date expertise.
- Their work advising numerous organisations creates synergies that directly benefit the organisations they support.
- External Data Protection Officers are subject to contractual liability, which can help reduce risks associated with fines and claims for damages.
- Unlike internal Data Protection Officers, external service providers are not subject to the special protection against dismissal under labor law. The underlying consulting contract can be terminated in accordance with the contractually agreed notice periods. Note, however, that Art. 38 para. 3 GDPR still prohibits dismissing or penalising any Data Protection Officer, internal or external, for performing their statutory tasks.
An external, outsourced Data Protection Officer relieves the organisation by taking on the legally defined role of Data Protection Officer without permanently tying up internal human resources.
In particular, this eliminates:
- costs for the training and further education that would be necessary for an internal appointee,
- the need for workstations and operational resources,
- and the organisational effort for substitution arrangements, as these are usually covered by the external service provider.
Thanks to their specialist knowledge and practical experience, external Data Protection Officers can advise the organisation efficiently and on a risk-based basis without placing unnecessary demands on internal resources.
An external Data Protection Officer supports the organisation they serve in avoiding data breaches through a risk-aware and effective approach, thereby preventing fines, damage to reputation, and legal disputes.
If a reputable and experienced external service provider is commissioned, the organisation can also benefit from the trust placed in it by supervisory authorities, consumer protection associations, trade unions, and works councils.
The professional use of an external Data Protection Officer can also send a positive signal with regard to customer relationships and cooperation with business partners – especially with regard to compliance with high data protection standards.
In accordance with Art. 39 GDPR, an internal or external Data Protection Officer performs advisory, educational, and supervisory tasks in particular.
Their main activities include:
- participating in the design and implementation of IT systems in accordance with data protection regulations,
- raising awareness and training employees,
- monitoring compliance with data protection laws and internal guidelines and processes.
In addition, the controller must seek the advice of the Data Protection Officer when carrying out a data protection impact assessment (DPIA) in accordance with Art. 35 para. 2 GDPR.
Furthermore, the Data Protection Officer acts as a point of contact for data subjects (e.g., in the event of requests for information or deletion) and cooperates with, and serves as the contact point for, the supervisory authority (Art. 39 para. 1 d) and e) GDPR).
A Data Protection Officer may take on additional tasks, provided that this does not result in a conflict of interest with his or her statutory control and monitoring duties (see Art. 38 para. 6 GDPR).
An advisory role is generally unproblematic, for example in the following areas:
- Information and awareness raising,
- Documentation of processing activities,
- Risk assessments (e.g., data protection impact assessments),
- Processing on behalf of a controller (Art. 28 GDPR) and joint controllership (Art. 26 GDPR),
- Consent management, deletion concepts, and data subject rights.
In practice, a Data Protection Officer is also often tasked with conducting training and audits.
However, fundamental decisions on data protection strategy—such as the introduction or amendment of guidelines—should be reserved for the organisation’s management in order to maintain the independence of the Data Protection Officer.
An external Data Protection Officer for public authorities fulfills the same legal tasks as an internal data protection officer—for example, in accordance with Art. 39 GDPR and the provisions of the BDSG or the respective state data protection laws.
However, additional qualifications are required for work in the public sector:
- in-depth knowledge of administrative law,
- familiarity with the relevant provisions of federal, state, and local law,
- as well as extensive experience with official structures, departmental tasks, and specific technical procedures.
Even though fines are not imposed on public authorities and other public bodies in Germany (§ 43 para. 3 BDSG), consistent compliance with data protection requirements remains of central importance, for example to protect the rights of data subjects and to ensure lawful administrative processes. Supervisory authorities can still issue orders and processing bans against public bodies.
Non-profit organisations and NGOs are subject to the same data protection requirements as other organisations. Data protection law, in particular the GDPR and the BDSG, does not grant them any general privileges or exemptions. The only notable exception is the narrow legal basis in Art. 9 para. 2 d) GDPR, which allows foundations, associations and other not-for-profit bodies with a political, philosophical, religious or trade union aim to process special categories of personal data of their members and regular contacts, subject to appropriate safeguards.
The processing of donor data often poses a particular challenge, especially with regard to transparency, purpose limitation, and data security.
Given the often limited human and financial resources available, it is important to organize the tasks of the Data Protection Officer efficiently and prioritize them in a practical manner.
We offer customized support models and special conditions for non-profit organisations and NGOs as part of our activities as an external Data Protection Officer.
A Data Protection Officer takes on a legally defined set of tasks, which includes, in particular, advisory, informational, and monitoring duties (see Art. 39 GDPR).
The operational implementation of data protection measures is usually carried out by the respective departments of the organisation.
Depending on the risk involved in the processing activities, the effort required to perform these tasks can vary greatly:
- For standard processing without any particular risks, the role can be fulfilled with a manageable amount of effort.
- Sensitive or extensive processing activities require particularly careful examination and documentation.
The costs of appointing an external Data Protection Officer must therefore be calculated on a case-by-case basis. In many cases, it is more cost-effective to hire an external service provider than to appoint and train a suitable person internally.
The EU representative pursuant to Art. 27 GDPR is defined in the Regulation itself as:
“a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.” (Art. 4 No. 17 GDPR)
The EU representative performs representative tasks for the organisation within the European Union. They also provide support in complying with the requirements of the GDPR, in particular in contact with supervisory authorities and data subjects.
A non-European organisation requires an EU representative in accordance with Art. 27 GDPR if it has no establishment within the EU but nevertheless (Art. 3 para. 2 GDPR):
- offers goods or services to data subjects in the EU, whether for payment or free of charge,
- or monitors the behavior of data subjects within the EU, in particular through measures such as tracking, profiling, or web analytics.
In these cases, the market location principle applies, which means that the organisation falls within the territorial scope of the GDPR regardless of where the processing takes place. The obligation to designate a representative does not apply where the processing is only occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of natural persons, nor does it apply to public authorities or bodies (Art. 27 para. 2 GDPR).
The EU representative pursuant to Art. 27 GDPR acts as a central point of contact for data protection issues in Europe – both for employees of the non-European organisation and for European and national supervisory authorities as well as for data subjects whose personal data is processed.
In addition, the representative supports the organisation in fulfilling its data protection obligations. This includes in particular:
- receiving and forwarding requests from data subjects (e.g., requests for information or erasure)
- communicating with supervisory authorities,
- and maintaining the record of processing activities and making it available to the supervisory authority upon request (Art. 30 paras. 1, 2 and 4 GDPR).
European data protection law aims to ensure a uniform level of protection for personal data within the EU and thus to give effect to the protection of this data as enshrined in fundamental rights. In order to secure this protection in an increasingly digitalized world, the General Data Protection Regulation (GDPR) introduces the so-called market location principle (Art. 3 para. 2 GDPR).
This means that the GDPR also applies to non-European organisations that process the personal data of data subjects in the EU, regardless of the nationality of those persons, provided that the organisation offers its products or services to them in the EU or monitors their behavior within the EU. In these cases, the processing falls within the scope of the GDPR, and the affected companies may have to designate a representative in the EU (Art. 27 GDPR).