External Data Protection Officer (eDPO)

An external data protection officer also enables small corporations, startups and medium-sized companies to meet their data protection obligations. In the Federal Republic of Germany, companies must appoint a data protection officer, i.e. someone must be named as the person responsible for data protection issues. Small and medium-sized companies in particular lack the necessary expertise and personnel capacity to entrust someone with this task in accordance with data protection regulations. External data protection officers can help here at significantly lower costs.

ISO27001 and EU GDPR documentation and data protection audit

The external data protection officer can provide the following services:

  • Data protection advice to management
  • Creation of data protection documentation
  • Creating a data protection folder
  • Instructing employees in data protection-compliant working methods
  • Responding to data protection information requests
  • Communication with data protection supervisory authorities
  • Creating data protection notices
  • Creation of the internal procedure directory
  • Creation of the public procedure directory
  • Creation of the register of processing activities
  • Creating data protection declarations

What does an external data protection officer do?

A data protection officer (DPO) looks after the data protection documentation contained in the data protection folder and supports the management in complying with data protection regulations. A DPO is not a lawyer for data protection law but a data protection expert. The company needs a suitable employee who can deal with data protection issues full-time. An external data protection officer can relieve the company of this burden.

As an external service provider, the external DPO makes his expertise available to the company. Since he usually looks after several companies, he can keep the documentation up to date more efficiently. The data protection advice he provides is not legal advice. Nevertheless, the DPO can first clarify legal problems and document them in accordance with the rules. Thanks to his expertise, the external DPO can also give any lawyer involved the best possible briefing. This enables the specialist lawyer to examine the case relatively quickly and in a goal-oriented manner from several legal perspectives (NIS 2.0, GDPR, Data Protection Act 2018).

The external data protection expert (DPO) also advises the company’s departments so that products, services and projects as well as internal processes can be designed in accordance with data protection regulations.

Duties of a data protection officer

A data protection officer takes on the following central tasks:

  • Communication with the authorities
  • Measures in the event of data breaches
  • Carrying out employee training
  • Data protection documentation

What documents does a DPO create?

A DPO should create and maintain a data protection folder. It contains several central documents that are checked during an audit by the state data protection supervisory authority. The most important documents include, among others:

  • Data protection
  • Procedural directories
  • Evidence of employee training
  • Templates for various data protection matters
  • Instructions for handling personal data
  • Documents for order data processing by suppliers

Why is an external data protection officer cheaper than an internal DPO?

The duties of a data protection officer do not normally take up 40 hours a week. However, the problem arises when selecting the employee to take on this task. Especially in small companies, many employees are busy processing data.

A data protection officer should not normally process data within the company. This means that he is not allowed to work in accounting, IT or sales, because a lot of personal data is typically processed in these areas of the company. In addition, the selected DPO must have the necessary specialist knowledge, so this employee should be regularly released for further training. This causes unproductive wage costs, high course fees and travel costs. These costs can be saved by hiring an external data protection officer.

Why is an external data protection officer better suited as a DPO?

The external DPO does not work in the company and therefore does not process data from the company’s customers. The data protection expert maintains the data protection documentation and provides various texts so that the company can work in as data protection-compliant a manner as possible. However, the company’s management is responsible for ensuring that all information is provided to the DPO completely and truthfully. In addition, the managing director is also obliged to give instructions to his employees so that they act in accordance with data protection regulations. The managing director cannot outsource his data protection responsibility to an employee or external service provider.