Data Protection Officer
The external data protection officer
Recently, it has become increasingly common to see an entry such as "Data Protection Officer" or "Our Data Protection Officer" on the Internet, e.g. on the legal notice page of a website. These entries either give the name of an employee together with an email address beginning with "datenschutz@", or, just as often, name a lawyer or an employee of a specialized service company.
Many people are probably still wondering two things:
1) "Why do we see this more and more often?" and
2) "Do I need this too?" We are happy to answer these two questions in more detail here.
Data protection - more important today than ever.
References to a data protection officer can be found in many places today. In addition to the aforementioned entries on websites, such references now also appear in the "small print" of many contracts, on many forms in which personal data is to be entered, and in some business correspondence. They are even heard in telephone announcements, especially at call centers with trained customer-contact staff and in automated recorded messages, where a voice increasingly says something like: "You can find details of our data protection officer on the Internet on our website under data protection".
The reason for this significant increase is the entry into force of the GDPR in 2016 and its application throughout the European Union in May 2018.
The GDPR regulates the obligation to protect personal data and what must be observed when storing and processing personal data. It also stipulates that every company must publish who is responsible for data protection within the company.
Data protection was already regulated by law before the GDPR. What is new about the GDPR is above all that the regulations are standardized throughout the EU and that violations are sometimes subject to draconian penalties. The regulation also makes it much easier to hold companies directly accountable and creates transparency for customers and consumers, enabling them to act quickly.
Everyone and every company that collects and/or processes personal data is affected by the regulations.
Data protection has become much more important as companies' systems are becoming ever more powerful and increasingly networked.
In addition, the use of artificial intelligence poses a further threat to the privacy rights of every individual in society.
The GDPR stipulates that data of individuals, mostly customers, may not be collected and processed without justification. Each person must be informed of any processing of their personal data and must have the opportunity to effectively object to the collection and/or processing. The unjustified merging of data is no longer permitted.
The aim is, for example, to prevent employers, insurance companies, credit institutions, service providers or other institutions from building an all-encompassing picture of every interested party in order to minimize their own risks, even where doing so would violate the protection of privacy. It is simply none of a future employer's business whether an employee plays computer games until two in the morning and sometimes arrives at work tired as a result.
Data protection officer
Every company is obliged to appoint a data protection officer. This person is responsible within the company for implementing the data protection requirements by advising and sensitizing employees on the one hand, and by carrying out checks and taking specific measures on the other.
He or she is also named publicly, so that consumers and other persons can contact him or her if, for example, they wish to obtain information about the data stored about them or to request the deletion of their personal data.
If there is a breach of the requirements of the GDPR, it is the duty of the data protection officer to proactively report, document and publish the breach and also to reduce the impact and eliminate the causes. Specifically, the data protection officer may be obliged to close the data leak within 72 hours of becoming aware of public access to personal data and, if necessary, to interrupt business operations to do so.
Depending on the extent of the damage, affected persons must be proactively informed about the accidental accessibility of their personal data.
The data protection officers in the companies are the first point of contact for the state data protection officers in the event of damage. It can therefore happen that the operator of a small online shop is informed by the state data protection officer at the weekend that a leak in the database has left a number of customer data records, such as email addresses, freely accessible on the Internet. The online shop's data protection officer must then act immediately, take countermeasures and inform the affected customers.
External data protection officer
The tasks of the data protection officer are very complex and entail a high level of responsibility. Due to the obligation to have certain deficiencies rectified within 72 hours, a data protection officer must be permanently available.
A data protection officer must always be aware of the latest threats, know the current risks in detail and always be able to take appropriate countermeasures quickly in the event of a problem. In smaller companies in particular, it is almost impossible for one employee to do this alone.
The GDPR does not stipulate that the data protection officer must be an employee of the company, but deliberately allows these core competencies to be brought in from outside.
An external data protection officer has the same tasks and is subject to the same requirements as an internal data protection officer. They represent the company vis-à-vis the state data protection officer, initiate suitable measures to contain damage in the event of a breach and close any gaps that are discovered.
The advantage of an external data protection officer, especially for small companies, lies in their greater experience and their very good network of contacts. If, for example, they discover at customer A that a circulating e-mail containing a supposed job application from an unknown sender has in fact caused other customers' e-mail addresses to be accessible on the Internet for hours without effective protection, they can promptly avert the same damage at customer B and others.
External data protection officers receive an appropriate fee from the company for their services. In return, companies save the salary and training costs of an internal employee. At the same time, they benefit from the broader experience.
We are happy to help
As an experienced engineer and lawyer, Donato Muro will be happy to support you with all questions relating to the topic of "external data protection officers". He has an overview of what is important in your company, where the main risks lie and what you need to pay particular attention to.
General Data Protection Regulation - Federal Data Protection Act - Texts and explanations. This information brochure is intended to provide an overview of the provisions of the GDPR and the BDSG. In addition to the legal texts and the recitals to the GDPR, it contains explanations of individual topics and undefined legal terms.