External data protection officer

Take advantage of our expert knowledge and designate one of our lawyers as your external data protection officer.

An external data protection officer as central contact point

In many organizations, the external data protection officer is the first point of contact for data protection issues. Due to the considerable risks of fines and damages under the General Data Protection Regulation (GDPR), it is therefore essential that he has the necessary reliability and qualification. Only an external data protection officer who performs his duties and tasks conscientiously and in accordance with requirements will increase the level of data protection throughout the entire organization. The designation as an external data protection officer is therefore a responsible task and should only be entrusted to an experienced service provider.

Scheja & Partner as external data protection officer of your organization

The data protection law firm Scheja & Partner qualifies for the function as an external data protection officer by the following distinguishing characteristics:

  • Qualification and specialization: At Scheja & Partner, only attorneys at law provide data protection advice as external data protection officer. All of our lawyers are specialized in data protection law and are certified by recognized organizations. They therefore have comprehensive knowledge in this complex field of law.

  • Wide experience and good reputation: Since 2000, we have been advising national and international business concerns and companies from a wide range of industrial sectors as well as public authorities. In most cases, we have been designated as external data protection officer. Thanks to our many years of expertise, we can guarantee our clients legally compliant and practicable advice. This is one of the reasons why we enjoy a serious reputation not only with our clients but also with the supervisory authorities.

  • Current developments at a glance: Even though some time has passed since the applicability of the GDPR, legal uncertainties still exist in its interpretation and implementation. Regularly published supervisory authority statements and court decisions help to eliminate uncertainties and make data processing legally compliant. As external data protection officer, we continuously monitor legal developments and point out to our clients any need for action.

  • Serious fees: It is important to us to be able to offer our clients the data protection advice they need. In the initial personal consultation, we therefore always determine the specific need for advice and the tasks that are to be assigned to us as an external data protection officer in addition to our legal obligations. Following this, we will present various models for future cooperation at serious fees without any obligation.

Our duties and tasks as external data protection officer

    Our field of activity includes a variety of duties and tasks: We

  • advise on all data protection issues of your daily business and act as a direct contact for the decision makers of your organization.
  • monitor compliance with the GDPR and the relevant other data protection laws and ensure that processing complies with data protection regulations.
  • help you to introduce an effective data protection management and advise you on how to assign responsibilities and competencies in the most sensible way.
  • support you in meeting the accountability requirement that legally compliant data processing must be actively demonstrated.
  • train your employees in the handling of personal data and provide training content with practical relevance to your organization.
  • act as the contact point for the supervisory authorities and the data subjects on issues relating to data processing.
  • offer a reporting hotline if there is a suspicion of a data breach.

Our consulting approach as your external data protection officer

Our goal is an efficient and solution-oriented cooperation. We

  • find the right answers even to complex questions.
  • guarantee practice-oriented advice and keep an eye on legal developments for you.
  • see ourselves as problem solvers and not as problem makers.
  • enable sensitive data processing through special measures to protect the data subjects.
  • consider your core business in our consulting and are careful not to overstrain the resources of your employees.
  • support you as your external data protection officer on a long-term and always trustworthy basis.

Designation as external data protection officer: frequently asked questions

In the following, we have answered the most frequently asked questions in connection with the designation of a service provider as external data protection officer:

According to the General Data Protection Regulation (GDPR), an internal or external data protection officer is only to be designated under certain conditions, in particular if the data controller is a public body or – in the case of non-public bodies – the processing of personal data includes the extensive processing of particularly sensitive data. In addition, every non-public body in Germany must designate a data protection officer if at least 20 employees are permanently processing personal data.

The designation of an external data protection officer has several advantages: Due to his professional focus, he is specialized in data protection and data security. Since an external service provider advises a large number of organizations, they benefit from considerable synergy effects. Because an external data protection officer is liable for misadvise, his designation mitigates the risks of fines and claims for damages. Furthermore, the dismissal protection under labor law regularly applies to him only to a limited extent.

An external data protection officer relieves internal personnel resources by taking over the function of the data protection officer. In this way, considerable training and further training costs, which would have to be incurred for an internal data protection officer, are avoided. Thanks to his specialist knowledge and experience, an external service provider can provide efficient and risk-based advice, thus avoiding unnecessary involvement of internal resources. Moreover, he does not need a permanent workplace together with company equipment and can appoint a deputy from within his company.

An external data protection officer protects the advised organization from data protection violations, which can lead to damage to its image and fines, due to his risk-approved and effective approach. If a renowned and experienced external service provider is commissioned, the advised organization benefits from his good reputation with supervisory authorities, consumer protection associations, trade unions and works councils. This good reputation of a professional external data protection officer can also have a positive effect on customer relations and cooperation with business partners.

An internal or external data protection officer has in particular an advisory and informing function. In this respect, he contributes to the design and application of IT systems in conformity with data protection regulations and sensitizes the responsible employees accordingly. In addition, he monitors compliance with data protection laws and corresponding internal guidelines. The data protection officer must be consulted in the event of a so-called data protection impact assessment. He also acts as a contact point for data subjects and the supervisory authorities.

A data protection officer may carry out additional tasks, provided these do not lead to a conflict of interest with his statutory duties. An internal or external data protection officer can for instance be appointed to support the development of concepts such as information, documentation, risk assessment, data processing on behalf of a controller, joint controllership, consent, deletion and processing of data subjects' rights. In practice, a data protection officer is often entrusted with the performance of trainings and audits.

A data protection officer fulfils a catalogue of tasks prescribed by law. This includes in particular consulting, information and monitoring activities. However, an internal or external data protection officer does not guarantee the operational implementation of data protection measures. This is the task of the respective departments. As long as there are no particular data protection risks to be considered, the function of the data protection officer can be performed with manageable effort. However, the internal data protection officer also has to spend considerable additional time on training and further education.