
FAQ category: External DPO

When is an internal or external Data Protection Officer required?

According to the General Data Protection Regulation (GDPR), an internal or external Data Protection Officer must be appointed under certain conditions.  

This is particularly the case:  

  • for public authorities (see Art. 37 para. 1 a) GDPR, § 5 BDSG),  
  • or if, in the case of non-public bodies, the processing of personal data is part of their core activities and involves extensive processing of special categories of personal data (e.g., health data) (Art. 37 para. 1 b–c) GDPR).  

In addition, a national regulation pursuant to § 38 para. 1 BDSG applies in Germany: every non-public body must appoint a Data Protection Officer if at least 20 persons are permanently entrusted with the automated processing of personal data. This threshold already covers regular access to an email system.

Note: This information does not constitute individual legal advice.

What are the advantages of an external Data Protection Officer?

Appointing an external Data Protection Officer offers several advantages:  

  • Thanks to their professional specialization in data protection and information security, they have in-depth knowledge and up-to-date expertise.  
  • Their work advising numerous organisations creates synergies that directly benefit the organisations they support.  
  • External Data Protection Officers are subject to contractual liability, which can help reduce risks associated with fines and claims for damages.  
  • Unlike internal Data Protection Officers, external service providers are not subject to special protection against dismissal under labor law. The underlying consulting contract can be terminated in accordance with the contractually agreed notice periods.  

Note: This information does not replace individual legal advice.  

Why does an external Data Protection Officer save resources?

An external, outsourced Data Protection Officer relieves the organisation by taking on the legally defined role of Data Protection Officer without permanently tying up internal human resources.  

In particular, this eliminates:  

  • costs for training and further education that would be necessary for internal appointments,  
  • the need for workstations and operational resources,  
  • and the organisational effort for substitution arrangements, as these are usually covered by the external service provider.  

Thanks to their specialist knowledge and practical experience, an external Data Protection Officer can advise the organisation efficiently and on a risk-based basis without placing unnecessary demands on internal resources.  

Note: This information is for general guidance only and does not replace individual legal advice.

How does an external Data Protection Officer protect your good reputation?

An external Data Protection Officer supports the organisation they serve in avoiding data breaches through a risk-aware and effective approach, thereby preventing fines, damage to reputation, and legal disputes.  

If a reputable and experienced external service provider is commissioned, the organisation can also benefit from the trust placed in that provider by supervisory authorities, consumer protection associations, trade unions, and works councils.  

The professional use of an external Data Protection Officer can also send a positive signal with regard to customer relationships and cooperation with business partners – especially with regard to compliance with high data protection standards.  

Note: This information is for general guidance only and does not replace individual legal advice.  


Appointment of a Data Protection Officer: What are their legal responsibilities?

In accordance with Art. 39 GDPR, an internal or external Data Protection Officer performs advisory, educational, and supervisory tasks in particular.  

Their main activities include:  

  • participating in the design and implementation of IT systems in accordance with data protection regulations,  
  • raising awareness and training employees,  
  • monitoring compliance with data protection laws and internal guidelines and processes.  

In addition, the Data Protection Officer must be consulted in an advisory capacity as part of a data protection impact assessment (DPIA) in accordance with Art. 35 para. 2 GDPR.  

Furthermore, the Data Protection Officer acts as a point of contact for data subjects (e.g., in the event of requests for information or deletion) and for supervisory authorities.  

Note: This information does not replace individual legal advice.  

Appointment of a Data Protection Officer: What other tasks can be assigned to them?

A Data Protection Officer may take on additional tasks, provided that this does not result in a conflict of interest with their statutory control and monitoring duties (see Art. 38 para. 6 GDPR).  

An advisory role is generally unproblematic, for example in the following areas:  

  • Information and awareness raising,  
  • Documentation of processing activities,  
  • Risk assessments (e.g., data protection impact assessments),  
  • Contract processing and joint responsibility,  
  • Consent management, deletion concepts, and data subject rights.  

In practice, a Data Protection Officer is also often tasked with conducting training and audits.  

However, fundamental decisions on data protection strategy—such as the introduction or amendment of guidelines—should be reserved for the organisation’s management in order to maintain the independence of the Data Protection Officer.  

Note: This information does not constitute individual legal advice.  

What should be taken into account when hiring an external Data Protection Officer for public authorities?

An external Data Protection Officer for public authorities fulfills the same legal tasks as an internal Data Protection Officer—for example, in accordance with Art. 39 GDPR and the provisions of the BDSG or the respective state data protection laws.  

However, additional qualifications are required for work in the public sector:  

  • in-depth knowledge of administrative law,  
  • familiarity with the relevant provisions of federal, state, and local law,  
  • as well as extensive experience with official structures, departmental tasks, and specific technical procedures.  

Even though public authorities are not usually subject to fines (§ 43 para. 3 BDSG), consistent compliance with data protection requirements is of central importance – for example, to protect the rights of data subjects and to ensure lawful administrative processes.  

Note: This information is for general guidance only and does not replace individual legal advice.  

Are there any special considerations for appointing an external Data Protection Officer for non-profit organisations and NGOs?

Non-profit organisations and NGOs are subject to the same data protection requirements as other organisations. Data protection laws—in particular the GDPR and the BDSG—do not provide for any privileges or exceptions in this respect.  

The processing of donor data often poses a particular challenge, especially with regard to transparency, purpose limitation, and data security.  

Given the often limited human and financial resources available, it is important to organize the tasks of the Data Protection Officer efficiently and to prioritize them in a practical manner.  

We offer customized support models and special conditions for non-profit organisations and NGOs as part of our activities as an external Data Protection Officer.  

Note: This information is for general information purposes only and does not replace individual legal advice.  

External data protection officers: What costs can be expected?

A Data Protection Officer takes on a legally defined set of tasks, which includes, in particular, advisory, informational, and monitoring duties (see Art. 39 GDPR).  

The operational implementation of data protection measures is usually carried out by the respective departments of the organisation.  

Depending on the risk involved in the processing activities, the effort required to perform these tasks can vary greatly:  

  • For standard processing without any particular risks, the role can be fulfilled with a manageable amount of effort.  
  • Sensitive or extensive processing activities require particularly careful examination and documentation.  

The costs of appointing an external Data Protection Officer must therefore be calculated on a case-by-case basis. In many cases, it is more cost-effective to hire an external service provider than to appoint and train a suitable person internally.  

Note: This information is for general guidance only and does not constitute individual legal advice.