An external data protection officer with a legal background is always the better and safer solution for companies that are obliged to appoint a data protection officer. The costs for an external data protection officer are moderate and lower than you might think.
Since May 2018, the European Union’s General Data Protection Regulation (GDPR) has regulated by law the uniform EU-wide handling of personal data and the free movement of data to protect consumers. Users have the right to determine how their data is used. This is accompanied by a large number of obligations and a high level of effort for companies.
External data protection: Relief for your company
An external data protection officer can significantly relieve the day-to-day workload in terms of data protection in your company. With expert knowledge, an external Data Protection Officer (DPO) contributes to the comprehensive protection of processed data and a data protection-compliant flow of business processes.
Duties of the external data protection officer
An external data protection officer advises the management on all applicable data
- monitors compliance with the regulations,
- reviews documents,
- optimizes processes,
- develops strategies for the protection of personal data,
- cooperates with the supervisory authorities,
- is the point of contact for data subjects and employees on all questions about data protection issues, and
- prepares data protection impact assessments upon request.
According to the GDPR, it is possible for companies to appoint an internal data protection officer. However, the tasks are so varied and complex that an external data protection officer with extensive professional experience from many projects is often the better and safer choice for your company.
External data protection: We support you
We at MKM Datenschutz GmbH will act as the external data protection officer for your company. This leaves you the time to concentrate on your core tasks.
You benefit from our many years of experience and our legal expertise. This means that you are always up to date and informed about future developments in the field of data protection. Thanks to our experienced and certified consultants, we can offer you data protection management that meets every challenge.
At your request, we will establish a data privacy management system in your company that is tailored to your compliance organization and business processes. In doing so, we find suitable and legally compliant solutions for you.
Costs for an external data protection officer
The costs for your external data protection officer depend on the requirements of your company and the extent to which you want us to work for you. We are therefore unable to give you a fixed price at this point. However, as a rough estimate, we can say that the monthly consulting fee for our customers ranges between 300 and 800 euros as a rule.
The costs for an external data protection officer are vanishingly low compared to the possible fines for GDPR violations. There are high penalties of up to 20 million euros or up to four percent of your annual global turnover!
Therefore, play it safe and trust our experts in external data protection. To be able to calculate the costs for your external data protection officer, we need various information from you. For example, the industry in which your company operates on the market, as well as the locations of your company, the number of employees and the number of service providers used to process personal data for you are crucial.
These factors are critical:
We also need to assess how sensitive the data you process is. A hospital, for example, requires significantly higher data protection measures than a company in the mechanical engineering sector. Furthermore, for the calculation we need information about which partners are involved in your business processes and how the IT infrastructure is structured at your company locations.
External data protection officer: Your advantages
At MKM Data Protection, we offer you the all-round carefree package as an external data protection officer. We provide you with comprehensive support and develop customized solutions. With us, you receive comprehensive data protection management as a complete solution. In addition, we offer need-based training and other measures to raise the awareness of your employees.
As a customer, you benefit from a highly specialized and dedicated consulting team. We have been active in the field of data protection not just since the GDPR, but since 2004:
- All our consultants are lawyers and business lawyers with a high affinity for IT and technology topics.
- Our consulting approaches, interview techniques and solutions are proprietary developments that have evolved over the years and are constantly being improved and updated.
- Our consultants are certified and always up-to-date in data protection matters.
- We work for numerous medium-sized companies and large corporations with complex data structures in a variety of industries – in Germany, in Europe and throughout the world through our network of colleagues from a wide range of nations.
Our data protection consultants support you in establishing pragmatic and efficient processes in your company and ensure compliance with data protection law. In the event of audits, we will assist you in an advisory capacity and represent you in dealings with authorities and courts.
External data protection officer for your company
You want to play it safe when it comes to data protection and would like to appoint an external DPO for your company? It’s quite simple:
- Offer: We will be happy to provide you with an individual offer for an external DPO after a discussion.
- Conclusion of contract: Carefully review our offer at your convenience. In case of any uncertainties or queries, we will of course be happy to assist you. We will then draw up a draft contract for the assignment of an external data protection consultant.
- Inventory: Your external data protection officer reviews the GDPR-relevant processes and documents of your company. Right at this stage, we can identify weak points in the area of data protection in order to eliminate them.
- Documentation of the results: In a detailed overview, your external data protection officer summarizes the results of the inventory and prepares recommendations for action.
- Regular support and training for your employees: Your external data protection officer advises you on all emerging data protection issues in your company and supports you in monitoring for compliance, develops data protection strategies and cooperates with the supervisory authorities as required. In addition, your external data protection officer trains and sensitizes your employees in the handling of personal data and is the point of contact for data subjects.
Added value for your company
As a client of MKM Datenschutz, you also benefit from the cooperation with our commercial law firm in Nuremberg and Berlin. On top of that you will receive:
- All-round carefree package of external data protection officers: We do more than the law requires and relieve you of work.
- Data protection consulting and legal advice from a single source: With us, you also receive legal advice in addition to data protection consulting, as we work closely with the lawyers at MKM + PARTNER – for example, on the drafting of contracts or in relation to other legal issues that also affect data protection.
- Data protection expertise from different industries and sectors: Our consultants have extensive experience from different industries and areas. Your company will also benefit from this!
- Europe-wide representation – international consulting: We are represented throughout Europe and, with our partner network, also advise globally active companies on data protection issues.
Get a free consultation and request your no-obligation quote on hiring your external data protection officer.
Internal or external data protection officer: What you need to watch out for!
The GDPR leaves it up to you whether you appoint an internal data protection officer or an external DPO. We will explain to you what you need to be aware of:
Caution: conflict of interest with internal data protection officers!
An internal data protection officer has the advantage of knowing the workflows and processes in your company. However, not every employee can take on the tasks of an internal data protection officer.
Independent performance of duties as a data privacy officer can only be ensured if a conflict of interest can be excluded. A conflict of interest exists, for example, if the internal data privacy officer works at management level (e.g., as a member of the management) or heads the IT or HR department. Employees who determine or commission data processing operations in these departments cannot be appointed DPO either. Furthermore, members of the corporate management are excluded from the function.
Qualifications: Can an internal data protection officer do the job?
Let us now look at the professional competencies of a DPO. An internal data protection officer must be professionally qualified for his or her role. This includes sufficient competencies in the relevant business area and the ability to record processing operations.
An internal DPO must have sufficient expertise in the areas of data protection law and data protection practice. According to Art. 39 GDPR, he or she must have the ability to perform his or her tasks. If an internal DPO does not meet these requirements, he or she may be dismissed by the data protection supervisory authority.
The law does not specify how the data protection officer should acquire specialist knowledge. There is a wide range of training courses available for this purpose. However, you should not ignore the high cost of training and continuing education for an internal data privacy officer. You should also not underestimate the time required. Costs for technical literature and appropriate workplace equipment must also be taken into account. In comparison, the costs for an external data protection officer are significantly lower.
Please keep in mind that an internal data protection officer must have specialist knowledge and regularly refresh it. Does your employee have enough time for this?
Time commitment: Does an internal data protection officer have enough time for his core tasks?
The time required for the work of an internal data privacy officer cannot be generalized. Among other things, it depends on the size of the company, the volume of data processed and the IT structure. An internal data privacy officer needs a lot of time even in the initial introductory phase. He or she must conduct an extensive inventory, compile and review the processing directory, and prepare supplements. During this phase, the employee will probably only be able to perform his or her core activities to a limited extent.
The costs for an external data protection officer are moderate – so compare whether it would not be more profitable to appoint an external DPO instead of an internal data protection officer.
Attention: Special protection against dismissal of an internal DPO!
Internal data privacy officers are subject to special protection against termination. They may only be dismissed for cause. This is roughly comparable with a works council member.
Under certain circumstances, internal data privacy officers may be dismissed. However, there must be a compelling reason for this, which would also justify termination without notice in an employment relationship. An external data privacy officer is not permanently tied to your company. Isn’t that the better way to go when it comes to data protection?
Internal vs. external data protection officer: Who is liable?
An employed internal DPO is liable only in cases of intent and gross negligence. The main risk in the event of data privacy violations due to consulting errors therefore lies with the Board of Directors or the Managing Director of the company. And that can be expensive. In the event of a data privacy breach, you could face fines of up to 20 million euros or up to four percent of global annual sales! There is no employment relationship between an external data privacy officer and the client. This means that an external data protection officer does not enjoy any advantages in terms of liability protection.
Even in the case of minor negligence, an external DPO is liable to the company as defined by law. With an external data privacy officer, you do not have to worry about liability issues.
External data protection officer: Advantages at a glance
With MKM Datenschutz GmbH as external data protection officer, you are on the safe side – without risk, with professional expertise of the consultants and at transparent costs. Trust us and our numerous satisfied customers.
Our external data protection officers
- are experienced and certified lawyers,
- bring experience from various industries and projects,
- take part in regular training courses,
- advise medium-sized companies and corporate groups,
- work on a national and international level,
- are liable for their consulting activities and
- are not permanently tied to one company.
All of our experts for external data protection are experienced in advising medium-sized companies and corporate groups with complex data structures. Does your company have an international presence? Contact us. Our global network enables us to provide legally compliant advice in almost every country in the world. Benefit from our expertise: we support you as an external data protection officer.
Let us advise you free of charge and request your non-binding offer for the assignment of your external data protection officer.
Frequently asked questions on this topic
According to the GDPR, companies must appoint a data protection officer if at least 20 employees regularly process personal data by automated means, e.g. using a PC, tablet or smartphone. This is often the case in the IT or HR department, but it can also affect all other departments of your company. The obligation to appoint applies regardless of the number of employees if the company processes particularly sensitive personal data. This is the case, for example, with health data or data on political views. The same applies if the core task of the company's activity is the collection, processing, use or transfer of personal data. Companies must also appoint a DPO if they carry out processing operations that require a data protection impact assessment under Art. 35 GDPR. Note: even if your company is not obliged to appoint a data protection officer, you must still comply with the requirements of the GDPR. It therefore often makes sense not to economize on the moderate costs of an external data protection officer and to appoint an external DPO voluntarily. Challenges and tasks are then addressed to the external DPO and do not rest with you. Are you unsure whether your company needs an external data protection officer? Please contact us, we will be happy to help.
Ideally, an external data protection officer is a trained lawyer and also has an affinity for technology and IT topics. He or she should be certified in data protection and undergo regular further training. Only then can he or she, as a service provider, advise clients competently and with legal certainty.
An experienced data protection officer has extensive know-how and expertise from numerous data protection projects in different industries. You should therefore rely on an experienced and established consulting firm. We at MKM have been active in data protection since 2004, not just since the GDPR! Our consulting approaches, interview techniques and solutions are proprietary developments that have matured over the years. We improve and update them continuously. All our consultants are certified and obliged to undergo regular further training and to specialize. We are used to advising medium-sized companies and corporate groups with complex data structures. Our global network enables us to provide legally compliant advice in almost every country in the world. With our data protection solutions, you can finally tick off this area of your compliance management.
Formally, the GDPR does not specify the form in which a data protection officer is to be appointed. In theory, a verbal appointment is sufficient. However, appointing a data protection officer in writing is more than advisable for reasons of evidence and accountability. We also advise setting out the data protection officer's tasks in writing. The DPO's responsibility must be communicated to the relevant authorities (Article 37(7) GDPR). The responsibility and contact details of the data protection officer must be published inside and outside the company, e.g. on the intranet and on the website.
Can an internal data protection officer be dismissed?
Under certain circumstances, an internal data protection officer can be dismissed. However, there must be compelling reasons for this, which would also justify termination without notice in an employment relationship.
If an internal data protection officer is dismissed, termination of employment within one year is not permitted, unless there is good cause. With an external data protection officer, you do not have to worry about this. You can end the cooperation at any time in accordance with the contract.
Are you unsure whether to appoint an internal or an external data protection officer? Please contact us, we will be happy to help.
An employed internal data protection officer is liable only if he or she acts intentionally and with gross negligence. In all other cases, you are liable as the board of directors or managing director. And that can be expensive. In the event of a data protection breach, you face fines of up to 20 million euros or up to four percent of global annual turnover!
An external data protection officer, by contrast, is liable for his or her work to the extent provided by law for any GDPR violation he or she causes. With an external data protection officer, you are also on the safe side when it comes to liability issues.
Play it safe and get a free consultation now.
External data protection: consulting locations
Behind MKM Data Protection is a team of dedicated experts who work closely together to provide you with the best possible support.
Starting from our two locations in Nuremberg and Berlin, our data protection consultants serve clients throughout Germany and Europe:
MKM Datenschutz GmbH
Äußere Sulzbacher Straße 118
90491 Nürnberg
Phone: +49 911 990 860 0
MKM Unternehmensgruppe
Spreeufer 5
10178 Berlin
Phone: +49 30 4036 4060
External data protection: References
We are the data protection specialists for medium-sized companies and corporations with complex data structures in Germany, Europe and non-European countries.
Here you will find an excerpt of selected customers:
Data protection: Training programs
Would you like to train or sensitize your employees in data protection and the handling of personal data? We offer special training programs tailored to your needs, using practical examples from everyday work in your company to illustrate the issues involved in data privacy applications.
Ideally, training can be combined with general data protection consulting for your company. Following an analysis of the data flows and discussions with those responsible, we can precisely address the specific requirements of your company in the training courses.
We offer our training courses for various industries, such as:
- Banks
- Finance
- Taxes
- Pharmaceuticals
- Personnel
- Craft
- Software developers
- Marketing
- Doctors
- IT service provider
- Data destruction
- Production
- Mail order