As external data protection officers, we support you in an advisory capacity. The collaboration is designed for the long term: in an iterative process we get to know your company better and better. As a result, we not only optimize your data protection management but can also provide quick and pragmatic help in the event of a personal data breach.
Advice on all issues relating to data protection
Training and awareness
Creation of consent forms
Preparation of records of processing activities (ROPA)
Data protection impact assessments
Assistance with requests for information and other inquiries
Communication with authorities, contractors, etc.
Responsibilities of the data protection officer
Informing and advising the controller and the employees who carry out processing operations regarding their obligations under the GDPR and other relevant data protection regulations.
Monitoring compliance with data protection regulations and internal processes, including assignment of responsibilities, awareness and training.
Data protection impact assessment
Advice in connection with the data protection impact assessment and monitoring of its implementation for processing activities that may pose a particularly high risk to data subjects.
Cooperation with supervisory authorities
Cooperation with the supervisory authority, including acting as a point of contact for the supervisory authority on data processing related issues.
When is there an obligation to appoint a data protection officer?
The obligation to appoint a data protection officer (Art. 37 GDPR, Section 38 BDSG) exists if
at least 20 persons are permanently involved in the automated processing of personal data,
personal data are processed commercially for the purpose of transfer, of anonymized transfer, or for purposes of market or opinion research,
the core activity of the controller or processor consists of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or
the core activity consists of processing special categories of personal data or personal data relating to criminal convictions and offences on a large scale.
Why is an external data protection officer useful even without an obligation to appoint one?
Violations of data protection law can quickly lead to high costs because of the GDPR's various sanctions. In addition, a personal data breach requires immediate action: as a rule, the supervisory authority must be notified within 72 hours of becoming aware of the breach, and failing to do so can itself attract a fine on top of the damage caused by the breach. With professional advice, you not only minimize these risks but also have a designated contact who knows you and your processing operations and can provide immediate advice and support in difficult situations.
Specifically, the following financial risks may arise:
A fine of up to €20m or 4% of global annual turnover, whichever is higher, may be imposed for violations of
the principles of processing (e.g., processing personal data without a legal basis or breaching the principle of data minimization),
the rights of data subjects under the GDPR (e.g., failing to inform data subjects correctly or to honor the right of access), or
the rules on transfers to a third country where no appropriate safeguards ensure an adequate level of data protection (e.g., using IT services from providers in the U.S. without such safeguards).
A fine of up to €10m or 2% of global annual turnover, whichever is higher, may be imposed for violations of
the security of processing (e.g., inadequately secured systems and facilities used to process personal data),
the notification and communication obligations in the event of a personal data breach,
the privacy-by-design and privacy-by-default requirements (e.g., incorrect data protection default settings), or
the requirements when using processors (e.g., missing or deficient data processing agreements with IT service providers).
Compensation for damages
In addition to fines, there is also the risk of having to pay damages:
compensation for material and non-material damage suffered by the persons affected by the processing activity, and
claims by competitors based on infringements of competition law.
The amount depends on the individual case. Although it seems unlikely that damages on the scale of the (theoretically possible) fines will have to be paid, this is still a relevant cost risk, particularly for small and medium-sized enterprises.
No experience with data protection yet? A typical schedule of our consulting services looks like this:
Appointment as DPO
First, you appoint us as your data protection officers. In doing so, we tailor our offer to your needs.
Creation / review of the ROPA
The first step is to create (or review) the records of processing activities (ROPA) in order to obtain a structured overview of all processes that involve the processing of personal data.
Identification of fields of action
Based on the ROPA, fields of action can then be identified and prioritized.
Adapt and document processes
Processes and procedures are adapted in a data protection-friendly manner. In doing so, we make sure to leverage as many synergies as possible with existing processes and responsibilities to enable effective and economical implementation.
Privacy notices (information obligations), consent forms, etc. are created or revised in line with data protection requirements. In doing so, we are guided by your processes and needs.