Data Protection Services at KINAST
External Data Protection Officer
The General Data Protection Regulation (GDPR) has applied throughout the EU since May 25th, 2018. Since then, companies that meet the conditions of Art. 37 (1) GDPR (and, in Germany, § 38 BDSG) have been obliged to appoint a Data Protection Officer (DPO).
What is an 'external' Data Protection Officer?
Data Protection Officers are the first point of contact for any issues related to a company's compliance with Data Protection Law. They also ensure that your company stays up to date with all of its legal obligations regarding the GDPR and data protection. In this respect, they are also responsible for finding solutions to any compliance issues, be they technical or otherwise.
As External Data Protection Officers, we regularly cooperate with both companies and public authorities and thus contribute to protecting the fundamental rights of data subjects. At the same time, we help the company avoid consequences such as loss of reputation or heavy financial burdens. Furthermore, External DPOs strengthen the confidence of customers and employees in the company's collection and processing of personal data.
Qualified External Data Protection Officers are there to help organizations mitigate the risks associated with data breaches. Their work must be transparent and comprehensible at all times.
Our Consultation Process
Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and the most important data protection topics.
We conduct a data protection audit, on-site or based on questionnaires, to evaluate the current data protection status of your company.
We document the current data protection status and define any further actions required.
We carry out all necessary measures identified during the data protection audit.
Appointment as your External Data Protection Officer and ongoing consultation from day one.
What are the duties and obligations of an External Data Protection Officer?
The DPO has a broad field of duties. They act as a mediator, are the contact person for the supervisory authority and are responsible for ensuring that the supervisory authority receives the documents and information it needs to exercise its investigative, corrective, authorisation and advisory powers.
In addition, the DPO is the contact person for data subjects and is available as a discussion partner within the company. The controller remains responsible for compliance with data protection regulations; the DPO works towards compliance but has no decision-making powers of their own.
How do we ensure data protection in your international company or corporation?
To ensure that we perform our role as your External Data Protection Officer consistently, we have developed a concept based on our three-point plan for data protection.
As a first step, we carry out a risk assessment in your company. We carry out the risk assessment either on-site or remotely. Based on the findings, we prepare a report that documents the degree of compliance with data protection standards. Furthermore, the report identifies any vulnerabilities, proposes suitable measures to remedy those vulnerabilities, defines responsibilities and sets a timetable for the implementation of these measures.
In the next step, we implement the measures identified within the framework of the risk assessment. We attach great importance to tying up as few of your internal resources as possible.
Finally, as an External DPO, we continuously support your company in all aspects of data protection. In this way we ensure ongoing compliance with legal standards, the adaptation of procedures to the requirements of new laws and the consideration of changes in internal processes.
Which qualifications does an External Data Protection Officer need?
The requirements for an External DPO range from specific personal and professional qualifications to comprehensive knowledge of the tasks and services performed by the company, together with the general requirements for exercising the profession. External DPOs must not only have the necessary qualifications but must also be able to apply them appropriately and recognise where solutions require further specialist expertise.
Pursuant to Art. 37 (5) GDPR, the DPO must be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice and the ability to fulfil the tasks referred to in Art. 39 GDPR.
Under Art. 38 (6) GDPR, the controller or processor must ensure that any other tasks and duties of the DPO do not result in a conflict of interests. This excludes in particular the management, the head of the IT department and other persons in similar positions whose neutrality cannot be guaranteed. This is something to consider when deciding whether to appoint an external DPO.
Why appoint an External Data Protection Officer?
An External Data Protection Officer can be an important addition to any company, helping to develop and optimize operations while ensuring compliance with data protection regulations.
There are a number of benefits to appointing an external DPO, including the experience gained with other companies and IT applications, an established working relationship with the supervisory authority, and an increased level of data protection compliance. This, in turn, provides your company with stronger safeguards against administrative orders and fines.
Outsourcing data protection can also save costs and allows your employees to concentrate on their core business. The advice given by an External DPO is neutral and based solely on applicable law.
When you appoint an External DPO, the provider also assumes liability for the legal conformity of the internal processes it is responsible for. Unlike an internal DPO, an external DPO does not enjoy special protection against dismissal, so you remain flexible and can end the contractual relationship without difficulty.
What makes KINAST the best choice for an External Data Protection Officer?
Due to the increased fines, the obligation to report to the authorities and the potential loss of reputation, it is becoming increasingly important for companies to obtain knowledgeable and legally sound advice on Data Protection Law. Based on our qualifications and our proven concept, we ensure future-proof data protection in your company. As your External DPO we guarantee a long-term, sustainable solution and minimise the risk of liability.
Do you need assistance ensuring your company's GDPR compliance?
We know that data protection can be a daunting task, but our experienced lawyers and external data protection officers are here to help. With over 15 years of hands-on experience, there isn't a situation that we haven't seen. At KINAST, we guarantee that your company is in safe hands. So why not contact us today for a free, no-obligation consultation?
Frequently asked questions
We understand that many clients still have questions about the services and duties of an External Data Protection Officer. We have answered some of the most frequently asked questions here. If you have more specific or specialist questions, feel free to contact us, and one of our lawyers or Data Protection Officers will get back to you as soon as possible.
The obligation to appoint a DPO applies if an enterprise carries out an activity of Art. 37 (1) GDPR. These activities require special control regarding data protection. Art. 37 (1) lit. a-c GDPR regulates the conditions under which such special control is necessary.
It is mandatory to appoint a DPO:
- where the processing is carried out by a public authority or body,
- where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or
- where the core activity of the controller or processor is the processing on a large scale of special categories of data as referred to in Art. 9 GDPR or of personal data relating to criminal convictions and offences as referred to in Art. 10 GDPR.
In Germany, § 38 Federal Data Protection Act (BDSG) additionally requires a DPO to be appointed if:
- as a general rule, at least 20 persons are permanently involved in the automated processing of personal data,
- the controller or processor carries out processing that is subject to a DPIA pursuant to Art. 35 GDPR, or
- personal data are processed on a commercial basis for the purpose of transfer, anonymised transfer or for purposes of market or opinion research.
Even if Art. 37 (1) lit. a-c GDPR does not apply, a DPO may be appointed on a voluntary basis. Under Art. 37 (4) GDPR, Art. 37 to 39 GDPR then apply to the voluntary appointment as well.
Art. 37 (6) GDPR allows the DPO to be a staff member (Internal DPO) or to fulfil the tasks on the basis of a service contract (External DPO). It is therefore up to the company to decide whether to appoint an Internal or External DPO, depending on its internal expertise and available resources.
Yes, Art. 37 (2) GDPR explicitly allows a group of undertakings to appoint a single DPO, provided that the DPO is easily accessible from each establishment. KINAST already provides External DPO services to a large number of international groups and corporations.
Depending on the type of data processed, even smaller companies that carry out complex data processing operations (and whose activities therefore deserve particularly high attention under data protection law) may be legally obliged to appoint a DPO. If you are unsure whether your company fits this profile, please reach out to us for more information. We're happy to advise!
Yes, according to Art. 83 (4) lit. a GDPR, failing to appoint a DPO where one is required can be fined with up to € 10,000,000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.