
We show perspectives

Scheja & Partners as your external Data Protection Officer (DPO)

External Data Protection Officer

We assume the role of Data Protection Officer as part of our legal services. Unlike our IT-oriented competitors, we focus on changing our clients’ processes as little as possible. 

We establish legal guidelines and supporting framework conditions, for example through contracts, guidelines or policies, service or work instructions, personnel or company agreements, which, taken together, guarantee lawful data processing. This is more helpful and cost-effective for our clients than having to convert their systems and processes.

Data protection law has become an enormously complex subject. Unfortunately, half-knowledge often leads to a lot of nonsense. It is also always easy for a Data Protection Officer to say “no.” The art lies in offering practical solutions that provide genuine legal certainty and liability relief. 

Take advantage of our expertise and appoint our lawyers as your organisation’s external Data Protection Officer.  

Our data protection management software

In addition to our specialized consulting services, we also offer digital support with specially developed tools such as our PrivacyPilot data protection management software.

An external Data Protection Officer as a central point of contact

In many organisations, the external Data Protection Officer is the first point of contact for data protection issues. Due to the significant fines and damages that can be incurred under the GDPR, it is essential that they have the necessary experience and qualifications. 

The particular challenge for the DPO is that, despite excessive bureaucracy and highly complex IT systems, they must be able to identify practical solutions and effectively support their implementation. Appointing an external Data Protection Officer is therefore a responsible task and should only be entrusted to an experienced service provider. 

What sets us apart 

Qualifications and specialisation

At Scheja & Partners, only lawyers provide consulting services as external Data Protection Officers. All of our consultants specialize in data protection and information security and have the relevant certifications from recognized organisations.

Extensive experience and good reputation

Since 2005, we have been advising national and international groups, medium-sized companies in almost all sectors, and public authorities as external Data Protection Officers. Thanks to our many years of expertise, we guarantee our clients practical advice. We also enjoy a reputable standing with the supervisory authorities. 

Keeping an eye on current developments

Even though some time has passed since the introduction of the GDPR, there are still legal uncertainties regarding its interpretation and application. Regularly published supervisory authority statements and court rulings help to eliminate uncertainties and ensure that processing of personal data is carried out in compliance with the law. We continuously monitor legal developments and inform our clients of any necessary actions and possible solutions. 

Individual consulting concepts at fair prices

Our clients receive data protection consulting tailored to their individual needs and the best team of consultants for the job. We do not work with opaque flat rates. All valuable activities are documented by us to the nearest 6 minutes and verified at regular status meetings or at any time upon your separate request. You pay market rates for outstanding data protection experts.

External DPO

Our duties and responsibilities as an external Data Protection Officer

Our field of activity encompasses a wide range of duties and tasks: 

    • We advise you on all data protection issues in your day-to-day business and act as a direct point of contact for the decision-makers in your organisation. 
    • We monitor compliance with the GDPR and other relevant data protection legislation and ensure processing of personal data is carried out in accordance with data protection regulations.
    • We help you to implement effective data protection management and advise you on how to assign responsibilities and competences in the most appropriate way.
    • We support you in fulfilling your accountability obligations, which require you to actively demonstrate that your processing of personal data is lawful.  
    • We raise awareness and train your employees in the handling of personal data, drawing on practical examples from your organisation.
    • We serve as a point of contact for data subjects and supervisory authorities for questions regarding data protection law.
    • We offer a reporting hotline if there is suspicion of a personal data breach.

    Our consulting approach as your external Data Protection Officer

    Our goal is efficient and solution-oriented cooperation: 

    • We find the right answers even to complex questions.
    • We always provide practical advice and keep an eye on legal developments for you.  
    • We see ourselves as problem solvers, not problem creators. 
    • We also enable sensitive processing of personal data through special measures to protect the data subjects. 
    • In our consulting services, we always take your core business into account and are careful not to place undue demands on your employees’ resources.
    • We are happy to support you on a long-term and trusting basis.  

    FAQ

    External Data Protection Officers: What costs can be expected?

    A Data Protection Officer takes on a legally defined set of tasks, which includes, in particular, advisory, informational, and monitoring duties (see Art. 39 GDPR).  

    The operational implementation of data protection measures is usually carried out by the respective departments of the organisation.  

    Depending on the risk involved in the processing activities, the effort required to perform these tasks can vary greatly:  

    • For standard processing without any particular risks, the role can be fulfilled with a manageable amount of effort.
    • Sensitive or extensive processing activities require particularly careful examination and documentation.  

    The costs of appointing an external Data Protection Officer must therefore be calculated on a case-by-case basis. In many cases, it is more cost-effective to hire an external service provider than to appoint and train a suitable person internally.  

    Note: This information is for general guidance only and does not constitute individual legal advice.  

    Are there any special considerations for appointing an external Data Protection Officer for non-profit organisations and NGOs?

    Non-profit organisations and NGOs are subject to the same data protection requirements as other organisations. Data protection laws—in particular the GDPR and the BDSG—do not provide for any privileges or exceptions in this respect.  

    The processing of donor data often poses a particular challenge, especially with regard to transparency, purpose limitation, and data security.  

    Given the often limited human and financial resources available, it is important to organize the tasks of the Data Protection Officer efficiently and prioritize them in a practical manner.

    We offer customized support models and special conditions for non-profit organisations and NGOs as part of our activities as an external Data Protection Officer.  

    Note: This information is for general information purposes only and does not replace individual legal advice.  

    What should be taken into account when hiring an external Data Protection Officer for public authorities?

    An external Data Protection Officer for public authorities fulfills the same legal tasks as an internal data protection officer—for example, in accordance with Art. 39 GDPR and the provisions of the BDSG or the respective state data protection laws.

    However, additional qualifications are required for work in the public sector:  

    • in-depth knowledge of administrative law 
    • familiarity with the relevant provisions of federal, state, and local law 
    • as well as extensive experience with official structures, departmental tasks, and specific technical procedures 

    Even though public authorities are not usually subject to fines (§ 43 para. 3 BDSG), consistent compliance with data protection requirements is of central importance – for example, to protect the rights of data subjects and to ensure lawful administrative processes.  

    Note: This information is for general guidance only and does not replace individual legal advice.  

    Appointment of a Data Protection Officer: What other tasks can be assigned to them?

    A Data Protection Officer may take on additional tasks, provided that this does not result in a conflict of interest with his or her statutory control and monitoring duties (see Art. 38 para. 6 GDPR).  

    An advisory role is generally unproblematic, for example in the following areas:  

    • Information and awareness raising,  
    • Documentation of processing activities,  
    • Risk assessments (e.g., data protection impact assessments),  
    • Contract processing and joint responsibility,  
    • Consent management, deletion concepts, and data subject rights.  

    In practice, a Data Protection Officer is also often tasked with conducting training and audits.

    However, fundamental decisions on data protection strategy—such as the introduction or amendment of guidelines—should be reserved for the organisation’s management in order to maintain the independence of the Data Protection Officer.  

    Note: This information does not constitute individual legal advice.  

    Appointment of a Data Protection Officer: What are their legal responsibilities?

    In accordance with Art. 39 GDPR, an internal or external Data Protection Officer performs advisory, educational, and supervisory tasks in particular.  

    Their main activities include:  

    • participating in the design and implementation of IT systems in accordance with data protection regulations 
    • raising awareness and training employees 
    • monitoring compliance with data protection laws and internal guidelines and processes.  

    In addition, the Data Protection Officer must be consulted in an advisory capacity as part of a data protection impact assessment (DPIA) in accordance with Art. 35 para. 2 GDPR.  

    Furthermore, he or she acts as a point of contact for data subjects (e.g., in the event of requests for information or deletion) and for supervisory authorities.

    Note: This information does not replace individual legal advice.  

    How does an external Data Protection Officer protect your good reputation?

    An external Data Protection Officer supports the organisation they serve in avoiding data breaches through a risk-aware and effective approach, thereby preventing fines, damage to reputation, and legal disputes.  

    If a reputable and experienced external service provider is commissioned, the organisation can also benefit from the trust placed in it by supervisory authorities, consumer protection associations, trade unions, and works councils.

    The professional use of an external Data Protection Officer can also send a positive signal with regard to customer relationships and cooperation with business partners – especially with regard to compliance with high data protection standards.  

    Note: This information is for general guidance only and does not replace individual legal advice.  

     

    Why does an external Data Protection Officer save resources?

    An external, outsourced Data Protection Officer relieves the organisation by taking on the legally defined role of Data Protection Officer without permanently tying up internal human resources.  

    In particular, this eliminates:  

    • costs for training and further education that would be necessary for internal appointments
    • the need for workstations and operational resources 
    • and the organisational effort for substitution arrangements, as these are usually covered by the external service provider.  

    Thanks to their specialist knowledge and practical experience, an external Data Protection Officer can advise the organisation efficiently and on a risk-based basis without placing unnecessary demands on internal resources.  

    Note: This information is for general guidance only and does not replace individual legal advice.

    What are the advantages of an external Data Protection Officer?

    Appointing an external Data Protection Officer offers several advantages:  

    • Thanks to his professional specialization in data protection and information security, he has in-depth knowledge and up-to-date expertise.  
    • His work advising numerous organisations creates synergies that directly benefit the organisations he supports.  
    • External Data Protection Officers are subject to contractual liability, which can help reduce risks associated with fines and claims for damages.
    • Unlike internal Data Protection Officers, external service providers are not subject to special protection against dismissal under labor law. The underlying consulting contract can be terminated in accordance with the contractually agreed notice periods.

    Note: This information does not replace individual legal advice.  

    When is an internal or external Data Protection Officer required?

    According to the General Data Protection Regulation (GDPR), an internal or external Data Protection Officer must be appointed under certain conditions.  

    This is particularly the case:  

    • for public authorities (see Art. 37 para. 1 a) GDPR, § 5 BDSG),  
    • or if, in the case of non-public bodies, the processing of personal data is part of their core activities and involves extensive processing of special categories of personal data (e.g., health data) (Art. 37 para. 1 b–c) GDPR).  

    In addition, a national regulation pursuant to § 38 para. 1 BDSG applies in Germany: Every non-public body must appoint a Data Protection Officer if at least 20 persons are permanently entrusted with the automated processing of personal data – this already includes regular access to an email system.

    Note: This information does not constitute individual legal advice.

    Let’s talk.

    Boris Reibach, LL.M.