The GDPR regulates in Art. 37 ff. everything concerning the data protection officer, whose appointment is mandatory for many companies. The data protection officer may be an employee of the data controller (internal data protection officer) or an external service provider (external data protection officer), Art. 37 VI GDPR.
But how exactly does an external data protection officer work, and why is appointing one so advisable? You can find out all about it here.
Tasks of an (external) data protection officer
Regardless of whether the data protection officer is internal or external, both fulfil the same tasks under the GDPR. A data protection officer serves the effective self-monitoring of the controller or processor in complying with data protection regulations. His or her sphere of activity lies within the organisation of the controller or processor.
A data protection officer must have the expertise and reliability required to perform his or her duties, Art. 37 V in conjunction with Art. 39 I lit. a GDPR. This means that the data protection officer should have social and organisational skills in addition to basic IT skills and general legal and specific data protection knowledge. In addition, familiarity with the tasks, structures and functions of the company is necessary.
In his or her activity as data protection officer, the person reports directly to the highest management level, Art. 38 III 3 GDPR. The data protection officer must be involved at an early stage in all processes that could affect data protection (Art. 38 I GDPR) and may not be disadvantaged because of his or her role as data protection officer (Art. 38 III 2 GDPR).
The main task of the data protection officer is to ensure that the provisions of data protection law are complied with, Art. 39 I lit. b GDPR. He or she fulfils this task mainly in the form of supervision. Since the data protection officer is contractually linked to the controller (by an employment or other service contract), he or she must also take the controller's interests into account. He or she may also perform other tasks within the company, as long as this does not lead to a conflict of interests, Art. 38 VI GDPR.
A data protection officer not only advises the controller and other employees in the company, but also trains them. He or she also cooperates with the competent data protection authority. In addition, data subjects can contact the data protection officer with their data protection concerns.
Mode of operation of an external data protection officer
The external data protection officer is commissioned by the controller or processor (who must appoint a data protection officer) under a service contract. He or she assumes all of the above-mentioned tasks that a data protection officer must perform, but without taking on any other tasks within the company.
An external data protection officer specialises in the field of data protection, is certified in it and usually looks after several companies at the same time, which gives him or her a great deal of practical experience and a broad professional network. He or she is also always up to date in the field.
The contact details of an external data protection officer are published in the company's privacy notice in the same way as those of any other data protection officer. In this way, data protection authorities and data subjects can contact the data protection officer directly without the company incurring any additional expense.
Advantages of an external data protection officer
Companies are free to choose whether to appoint an internal or external data protection officer.
If an internal employee is selected, a high level of training is required. In addition, the employee must receive regular further training, which results in additional costs and less capacity for his or her actual tasks. Because of this burden, the position is usually very unpopular among employees. In addition, it is often difficult for internal staff to maintain an overview of the entire company and thus perform their duties effectively.
If, on the other hand, you choose an external consultant, you can rely on his or her certified expertise and do not have to worry about further training. In addition, the fixed fee makes it easy to estimate the additional expense and keep it within reasonable limits. The external data protection officer usually has a better overview and maintains neutrality.
Which is the better alternative for a company must be decided on a case-by-case basis. However, appointing an external data protection officer is the most straightforward solution, giving the company the best staffing with minimal effort.
If you are thinking about appointing an external data protection officer, we will be happy to help you.