External data protection officer

Numerous companies have appointed employees of ePrivacy GmbH as external data protection officers. GDPR requests the appointment of a data protection officer throughout Europe. We would be pleased to advise you whether you need to appoint a data protection officer.

What is a data protection officer?

A data protection officer is appointed by a company to ensure its compliance with the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), GDPR and other relevant legislation. His or her responsibilities include monitoring the proper use of information technology and providing information and training to the company's employees. He or she is not obligated to follow instructions issued by others in carrying out his or her tasks. 

In the complex and fast changing field of regulatory requirements about the digital processing of data, company managements, employees and clients need a reliable and competent guidance: Data protection officers (DPO) accompany firms in the digital transformation and balance the needs and rights of the persons affected and the company’s interests to ensures that the interests of everyone involved are met.

Under certain conditions, a company will be required to appoint a data protection officer where, for example:

  • Personal data is processed on an automated basis,
  • More than nine individuals are involved in the processing of this data,
  • The a presumption is favor of the existence of certain risks,
  • Procedures are used which are subject to so-called "prior vetting",
  • Personal data is disseminated to third parties, or
  • Data is collected on a fully automated basis.

Should a company be subject to an obligation to appoint a data protection officer, it must do so within no more than a month of the commencement of its operations; should it fail to do so, it will be guilty of having committed an administrative offense. 

A data protection officer may be appointed from among the company's employees, or the company may appoint an "external data protection officer". To fulfill this responsible and demanding function, a large cutting-edge knowledge is indispensable. Depending of the size of a company, it thus can be advantageous to outsource this task to specialists, who combine always up-to-date knowledge about privacy legislation, IT systems, applications, processes and organizations, and complete all relevant tasks reliably and efficiently. Besides, the expenses of an external DPO can be calculated clearly, as the monthly sum remains constant and no further costs for training or the acquisition of specialist literature arise.

Under what circumstances will the appointment of an external data protection officer from ePrivacy GmbH be advantageous to your company?

  • You have a digital business model in place and are in need of an expert on data protection who is always up-to-date with regard to current case law and is familiar with the sector in which you operate.
  • The size of your company does not permit you to appoint a full-time data protection officer, although this would actually be necessary in light of the significance of data protection considerations for your business model.
  • The data protection officer should preferably not be an employee of your company in the interests of avoiding potential conflicts of interest, rather should bring an independent, external perspective to the table.
  • You require continuous assistance from a data protection officer who is well versed in both technical and legal matters for the further development of your products.
  • You place particular value on legal certainty.

Services provided by external data protection officers from ePrivacy

As an external data protection officer, ePrivacy supports you in achieving a high level of data protection as a competitive edge and to help you realize your planned business models as far as possible. We develop an individual consultation concept suited to your needs, your company’s size, your products and your processes, to advise you long-term in all privacy-related issues. ePrivacy is always reachable via e-mail or telephone and helps you in a quick and unbureaucratic way. We usually answer your requests within two working days, if necessary, even more quickly.

As an external data protection officer, ePrivacy supports you for the following tasks as a function of its concrete assignment:

1.    Start: privacy check

  • Analysis of the current state – risk and deficiencies
  • Determination of the company’s privacy goals (if needed)
  • GDPR check via standardized questionnaire
  • Determination of necessary adjustments
  • Recommendations beyond legal requirement (if applicable)
  • Implementation proposals for required and additional adjustments

2.    Collaboration in compiling the following mandatory documentations 

  • Data protection concept
  • Record of processing activities
  • Company agreement on privacy compliant handling of personal data
  • Data protection statement / privacy policy
  • Data protection impact assessment (if required)
  • Data processing agreements
  • Technical and organizational measures
  • Written commitment for employees
  • Annual report
  • Internal guidelines about the use of the internet, social media, e-mail etc. (if required)

3.    Contact person regarding privacy issues for

  • Management
  • Employees
  • Customers
  • Service providers (if applicable)
  • Data protection authorities
  • etc.

4.    Regular employee information and training (if needed)

5.    Collaboration in fulfilment of the rights of persons affected

  • Securing the rights of persons affected: Right to information, right to erasure, right to data portability and further rights of persons affected
  • Answering inquiries of persons affected
  • Securing the accomplishment of the required action

6.    Attending to product changes from the perspective of data protection

  • Technology development (privacy by design)
  • Default privacy settings (privacy by default)

7.    Risk management and data security 

  • Checking of the technical and organizational measures (if required)
  • Process for the handling of privacy incidents (e.g. reporting to the regulatory authorities)
  • Reaction on privacy incidents

8.    Regular exchange with the management

  • Quarterly phone conference (if needed)
  • At least yearly meetings
  • Newsletter with important privacy information

Do you have questions or recommendations for us?

We are glad to receive your comments.