An external data protection officer with a legal background is always the better and safer solution for companies that are obliged to appoint a data protection officer. The costs for an external data protection officer are moderate and lower than you might think.
Since May 2018, the European Union’s General Data Protection Regulation (GDPR) has regulated by law the uniform EU-wide handling of personal data and the free movement of data to protect consumers. Users have the right to determine how their data is used. This is accompanied by a large number of obligations and a high level of effort for companies.
External data protection: Relief for your company
An external data protection officer can significantly relieve the day-to-day workload in terms of data protection in your company. With expert knowledge, an external Data Protection Officer (DPO) contributes to the comprehensive protection of processed data and a data protection-compliant flow of business processes.
Duties of the external data protection officer
An external data protection officer advises the management on all applicable data,
- monitors compliance with the regulations,
- reviews documents,
- optimizes processes,
- develops strategies for the protection of personal data,
- cooperates with the supervisory authorities,
- is the point of contact for data subjects and employees on all data protection issues, and
- prepares data protection impact assessments upon request.
According to the GDPR, it is possible for companies to appoint an internal data protection officer. However, the tasks are so varied and complex that an external data protection officer with extensive professional experience from many projects is often the better and safer choice for your company.
External data protection: We support you
We at MKM Datenschutz GmbH will act as the external data protection officer for your company. This leaves you the time to concentrate on your core tasks.
You benefit from our many years of experience and our legal expertise. This means that you are always up to date and informed about future developments in the field of data protection. Thanks to our experienced and certified consultants, we can offer you data protection management that meets every challenge.
At your request, we will establish a data privacy management system in your company that is tailored to your compliance organization and business processes. In doing so, we find suitable and legally compliant solutions for you.
Costs for an external data protection officer
The costs for your external data protection officer depend on the requirements of your company and the extent to which you want us to work for you. We are therefore unable to give you a fixed price at this point. However, as a rough estimate, we can say that the monthly consulting fee for our customers ranges between 300 and 800 euros as a rule.
The costs for an external data protection officer are vanishingly low compared to the possible fines for GDPR violations. There are high penalties of up to 20 million euros or up to four percent of your annual global turnover!
Therefore, play it safe and trust our experts in external data protection. To be able to calculate the costs for your external data protection officer, we need various information from you. For example, the industry in which your company operates on the market, as well as the locations of your company, the number of employees and the number of service providers used to process personal data for you are crucial.
These factors are critical:
We also need to assess how sensitive the data you process is. A hospital, for example, requires significantly higher data protection measures than a company in the mechanical engineering sector. Furthermore, for the calculation we need information about which partners are involved in your business processes and how the IT infrastructure is structured at your company locations.
External data protection officer: Your advantages
At MKM Data Protection, we offer you the all-round carefree package as an external data protection officer. We provide you with comprehensive support and develop customized solutions. With us, you receive a comprehensive data protection management as a complete solution. In addition, we offer need-based training and other measures to raise the awareness of your employees.
As a customer, you benefit from a highly specialized and dedicated consulting team. We have been active in the field of data protection not just since the GDPR, but since 2004:
- All our consultants are lawyers and business lawyers with a high affinity for IT and technology topics.
- Our consulting approaches, interview techniques and solutions are proprietary developments that have evolved over the years and are constantly being improved and updated.
- Our consultants are certified and always up-to-date in data protection matters.
- We work for numerous medium-sized companies and large corporations with complex data structures in a variety of industries – in Germany, in Europe and throughout the world through our network of colleagues from a wide range of nations.
Our data protection consultants support you in establishing pragmatic and efficient processes in your company and ensure compliance with data protection law. In the event of audits, we will assist you in an advisory capacity and represent you in dealings with authorities and courts.
External data protection officer for your company
You want to play it safe when it comes to data protection and would like to appoint an external DPO for your company? It’s quite simple:
- Offer: We will be happy to provide you with an individual offer for an external DPO after a discussion.
- Conclusion of contract: Carefully review our offer at your convenience. In case of any uncertainties or queries, we will of course be happy to assist you. We will then draw up a draft contract for the assignment of an external data protection consultant.
- Inventory: Your external data protection officer reviews the GDPR-relevant processes and documents of your company. Right at this stage, we can identify weak points in the area of data protection in order to eliminate them.
- Documentation of the results: In a detailed overview, your external data protection officer summarizes the results of the inventory and prepares recommendations for action.
- Regular support and training for your employees: Your external data protection officer advises you on all emerging data protection issues in your company and supports you in monitoring for compliance, develops data protection strategies and cooperates with the supervisory authorities as required. In addition, your external data protection officer trains and sensitizes your employees in the handling of personal data and is the point of contact for data subjects.
Added value for your company
As a client of MKM Datenschutz, you also benefit from the cooperation with our commercial law firm in Nuremberg and Berlin. On top of that you will receive:
- All-round carefree package of external data protection officers: We do more than the law requires and relieve you of work.
- Data protection consulting and legal advice from a single source: With us, you also receive legal advice in addition to data protection consulting, as we work closely with the lawyers at MKM + PARTNER – for example, on the drafting of contracts or in relation to other legal issues that also affect data protection.
- Data protection expertise from different industries and sectors: Our consultants have extensive experience from different industries and areas. Your company will also benefit from this!
- Europe-wide representation – international consulting: We are represented throughout Europe and, with our partner network, also advise globally active companies on data protection issues.
Get a free consultation and request your no-obligation quote on hiring your external data protection officer.
Internal or external data protection officer: What you need to watch out for!
The GDPR leaves it up to you whether you appoint an internal data protection officer or an external DPO. We will explain to you what you need to be aware of:
Caution: conflict of interest with internal data protection officers!
An internal data protection officer has the advantage of knowing the workflows and processes in your company. However, not every employee can take on the tasks of an internal data protection officer.
Independent performance of duties as a data privacy officer can only be ensured if a conflict of interest can be excluded. A conflict of interest exists, for example, if the internal data privacy officer works at management level (e.g., as a managing director) or heads the IT or HR department. Employees who determine or commission data processing operations in these departments cannot be appointed DPO either. Furthermore, members of the corporate management are excluded from the function.
Qualifications: Can an internal data protection officer do the job?
Let us now look at the professional competencies of a DPO. An internal data protection officer must be professionally qualified for his or her role. This includes sufficient competencies in the relevant business area and the ability to record processing operations.
An internal DPO must have sufficient expertise in the areas of data protection law and data protection practice. According to Art. 39 GDPR, he or she must have the ability to perform his or her tasks. If an internal DPO does not meet these requirements, he or she may be dismissed by the data protection supervisory authority.
The law does not specify how the data protection officer should acquire specialist knowledge. There is a wide range of training courses available for this purpose. However, you should not ignore the high cost of training and continuing education for an internal data privacy officer. You should also not underestimate the time required. Costs for technical literature and appropriate workplace equipment must also be taken into account. In comparison, the costs for an external data protection officer are significantly lower.
Please keep in mind that an internal data protection officer must have specialist knowledge and regularly refresh it. Does your employee have enough time for this?
Do you have questions or need help?
We help and advise you according to your needs.
Time commitment: Does an internal data protection officer have enough time for his core tasks?
The time required for the work of an internal data privacy officer cannot be generalized. Among other things, it depends on the size of the company, the volume of data processed and the IT structure. An internal data privacy officer needs a lot of time even in the initial introductory phase. He or she must conduct an extensive inventory, compile and review the processing directory, and prepare supplements. During this phase, the employee will probably only be able to perform his or her core activities to a limited extent.
The costs for an external data protection officer are moderate – so compare whether it would not be more profitable to appoint an external DPO instead of an internal data protection officer.
Attention: Special protection against dismissal of an internal DPO!
Internal data privacy officers are subject to special protection against termination. They may only be dismissed for cause. This is roughly comparable with a works council member.
Under certain circumstances, internal data privacy officers may be dismissed. However, there must be a compelling reason for this, which would also justify termination without notice in an employment relationship. An external data privacy officer is not permanently tied to your company. Isn’t that the better way to go when it comes to data protection?
Internal vs. external data protection officer: Who is liable?
An employed internal DPO is liable only in cases of intent and gross negligence. The main risk in the event of data privacy violations due to consulting errors therefore lies with the Board of Directors or the Managing Director of the company. And that can be expensive. In the event of a data privacy breach, you could face fines of up to 20 million euros or up to four percent of global annual sales! There is no employment relationship between an external data privacy officer and the client. This means that an external data protection officer does not enjoy any advantages in terms of liability protection.
Even in the case of minor negligence, an external DPO is liable to the company as defined by law. With an external data privacy officer, you do not have to worry about liability issues.
External data protection officer: Advantages at a glance
With MKM Datenschutz GmbH as external data protection officer, you are on the safe side – without risk, with professional expertise of the consultants and at transparent costs. Trust us and our numerous satisfied customers.
Our external data protection officers are experienced and certified lawyers,
- bring experience from various industries and projects,
- take part in regular training courses,
- advise medium-sized companies and corporate groups,
- work on a national and international level,
- are liable for their consulting activities and
- are not permanently tied to one company.
All of our experts for external data protection are experienced in advising medium-sized companies and corporate groups with complex data structures. Does your company have an international presence? Contact us. Our global network enables us to provide legally compliant advice in almost every country in the world. Benefit from our expertise: we support you as an external data protection officer.
Let us advise you free of charge and request your non-binding offer for the assignment of your external data protection officer.
Frequently asked questions on this topic
According to the GDPR, companies must appoint a data protection officer if at least 20 employees regularly process personal data automatically, e.g. using a PC, tablet or smartphone. This is often the case in the IT or HR department, but can also affect all other departments of your company. The obligation to designate is independent of the number of employees if the company processes particularly sensitive personal data, for example health data or data on political attitudes, or if the core task of the company’s activity is the collection, processing, use or transfer of personal data. Companies must also appoint a DPO if processing operations requiring a data protection impact assessment pursuant to Article 35 of the GDPR are carried out. Note that if your company is not required to appoint a DPO, you must still comply with the requirements of the GDPR. Therefore, it often makes sense not to save on the moderate costs for an external data protection officer and to voluntarily appoint an external DPO. Challenges and tasks are then assigned to the external DPO and are not yours to deal with. Are you unsure whether your company needs an external DPO? Please contact us, we will be happy to help you further.
Ideally, an external data privacy officer is a trained lawyer and also has an affinity for technology and IT issues. He or she should be certified in the area of data privacy and undergo regular training. Only in this way can he or she, as a service provider, advise his or her customers competently and with legal certainty.
An experienced data protection officer has extensive know-how and expertise from numerous data protection projects in different industries. Therefore, you should rely on an experienced and established consulting company. We at MKM have been active in data protection since 2004 and not just since the adoption of the GDPR! Our consulting approaches, interview techniques and solutions are in-house developments that have matured over the years. We are constantly improving and updating them. All of our consultants are certified and are obliged to undergo regular training and specialization. We are accustomed to advising medium-sized companies and corporate groups on complex data structures. Our global network enables us to provide legally compliant advice in almost every country in the world. Through our data protection solutions, you can finally put a check mark on this area of your compliance management.
Formally, there are no requirements in the GDPR regarding the form of appointment of a data protection officer. Theoretically, a verbal appointment is sufficient. However, the written appointment of a data protection officer is more than advisable for evidence and accountability reasons. In addition, we recommend that the tasks of the data protection officer be set out in writing. The responsibility of a DPO must be communicated to the relevant authorities (Article 37(7) GDPR). Within and outside the company, the responsibility and contact details of the data protection officer must be published, e.g., on the intranet and website.