Data Protection Services at KINAST

Data Custodian

Rather than seeing data as something to be extracted and exploited, companies should recognise the responsibility to protect personal information and use it only with customers‘ consent. This means acting as a ‚data custodian‘ rather than an owner of data.

Top 5 Law Firm in Germany

What is a Data Custodian?

A Data Custodian is a special type of job that involves the collection, storage, and use of data sets. Essentially, the role deals with the actual core activities of data transfer and storage, rather than what data goes into the system and why.

As a member of a data governance team, the Data Custodian can be complemented by another role, that of a Data Manager or Data Steward. In this case, the Data Steward is more likely to be responsible for identifying the specific data sets that the organization wants to store and defining the scope of said data sets. In some cases, the Data Steward and the Data Custodian may also be the same person.

IT structure and data workflows

Many Data Custodians are essentially database administrators. They are concerned with the “how”, rather than the “why” of data storage. For example, they build or restructure relational database systems, work with middleware to support centralized data warehouses, and provide schemes and workflows that show the structure of the database. They are the IT people on the data governance team and the ones who are asked how to implement a data warehouse business plan.

As companies use more and more types of data to develop business intelligence and analytics solutions, it becomes increasingly important to define the role of a Data Custodian and Data Steward.

KINASt Data Custodian Services

Our Consultation Process

Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and most important data protection topics.

We conduct data protection audit on-site or based on questionnaires to evaluate the current data protection status of your company.

Document the current data protection status and define further required actions if necessary.

We carry out all necessary measures identified during the data protection audit.

Designation as External data protection officer and on-going consultation starting from day 1.

Why is KINAST the best choice to act as your Data Custodian?

Due to the increased fines, the obligation to report to authorities and potential loss of reputation, it is becoming increasingly important for companies to obtain knowledgable and legally correct advice on Data Protection Law. Based on our qualifications and our proven concept, we ensure future proof data protection in your company. As your External DPO we guarantee a long term, sustainable solution and minimize the risk of liability.


We are an experienced team of lawyers with many years of experience and knowledge in data protection law, data security and as DPOs.

Practical experience

Due to many years of practical experience we know companies "from the inside". In colloquial terms, you should be able to "live what we advise".

IT affinity

Regardless of existing or new IT systems, our attorneys have a profound technical understanding and advise you accordingly.

Cost transparency

We work on the basis of fixed hourly contingents, keeping pricing simple and managable.

Guaranteed legality

We are not only outstanding data protector officers, but also experienced lawyers.

Individual solutions

We do not work "off the peg", but offer tailor-made concepts, specifically for your business.

Efficient organisation und communication

Our soluitions lay high priority on open communication, transparent project management and defined goals.

Drafting of legal documents

We draft guidelines, work instructions, operating and service agreements, declarations of consent and commitment, lists of procedures and contracts on a daily business.

Personality and continuity

We do not provide you with just any resource, but with the right colleague for you – permanently and without unpleasant changes.

Data Custodian Services - KINAST Attorneys at Law
GDPR Compliant Data Custodian Services
KINAST Lawyers - Data Custodian Services

Save time, resources and money

The role of a Data Custodian is very specific and, together with knowledge of data protection law, also requires a certain IT affinity. Our lawyers and specialist data protection officers have both of these qualities and are here to help. With over 15 years of hands on experience, we’ve seen every situation possible! At KINAST, we guarantee that your company is in safe hands.

Send this page to a colleague?


Frequently asked questions

We understand that many clients still have questions about using external Data Custodian. We’ve answered some of the most frequently asked questions here. If you have more specific or specialist questions, feel free to contact us, and one of our Lawyers or Data Protection Officers will get back to you as soon as possible.

A Data Controller is the “body” who is generally seen as responsible for the data processing activity. In general, this is the company itself. The Data Custodian manages the actual data and therefore fulfills a role within a company. This role manages servers, backups, networks, etc.

It is mandatory to appoint a DPO:

  • where the processing is carried out by a public authority or body,
  • where the core activity of the controller or processor is to carry out processing operations which, by their nature, scale and/or purposes, require extensive, regular and systematic supervision of data subjects, or
  • where the core activity of the controller or processor is the processing on a large scale of special categories of data as referred to in Art. 9 GDPR or of personal data relating to criminal convictions and offences as referred to in Art. 10 GDPR.
    For example in Germany, according to § 38 Federal Data Protection Act (BDSG), a DPO must be appointed if:
  • as a general rule, at least 20 persons are permanently involved in the automated processing of personal data,
  • the controller or the processor is subject to a DPIA pursuant to Art. 35 GDPR, or
  • personal data are processed for the purpose of transmission, anonymous transmission or for purposes of market and opinion research.

The data governance team is typically responsible for approving budgets, setting governance goals and priorities, building data governance models, and selecting the technologies and communication options to be adopted.

Information security is based on three main aspects of data security, frequently referred to as the CIA: namely confidentiality, integrity, and availability.

Often industry experts in security and data governance texts will divide ownership up into three different subsets: ownership, stewardship and custodianship.


Ask us for a quote

Please provide our team with a few details about your company. This makes it easier for us to assign the correct expert for your needs

Let's talk

Simply leave your details here and one of our lawyers or data protection experts will get back to you as soon as possible.

Media enquiries

Simply leave your details here and one of our marketing team will get back to you soon.

Partnership enquiries

Simply leave your details here and one of our marketing team will get back to you soon.