Data protection is one of the central issues for companies today. If your company employs at least 20 people who are regularly involved in the automated processing of personal data, you must appoint a data protection officer in Germany to ensure compliance with all data protection provisions.
The exact rule for when a data protection officer, whether external or internal, must be appointed is laid down in Section 38 (1) of the Federal Data Protection Act (BDSG):
In addition to Article 37 paragraph 1 letters b and c of Regulation (EU) 2016/679, the controller and the processor shall appoint a data protection officer insofar as they usually employ at least 20 people continuously with the automated processing of personal data. If the controller or the processor carries out processing that is subject to a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679, or processes personal data commercially for the purpose of transmission, anonymized transmission or for the purposes of market or opinion research, they have to appoint a data protection officer regardless of the number of persons involved in the processing.
Several significant distinctions, among other things, serve as the basis for deciding between an external and an internal data protection officer. An internal data protection officer is usually an employee who is trained to become a data protection officer and regularly undergoes further training. With an external data protection officer, the service is booked from an external specialist provider who takes care of data protection from outside the corporate structure.
In general, the data protection officer, whether external or internal, has the task of ensuring that all legal provisions regarding data protection, such as the GDPR or the BDSG, are complied with. He monitors and controls the processes. He implements all data protection requirements and is available as an advisor to management, the works council and employees as well as to external partners such as suppliers and customers. He is also the point of contact for the supervisory authority. In addition, a data protection officer, external or internal, must continuously inform and educate the company about its data protection obligations.
In the course of data protection, many companies are faced with the question of whether they should appoint a data protection officer externally or internally. Both solutions have advantages and disadvantages:
An internal data protection officer has the advantage that he is familiar with the company and has precise insight into its structures and processes. He can ensure direct communication. However, there is a risk of operational blindness. In contrast, an external data protection officer has the advantage that he is usually a neutral person who provides a service for the company. This rules out any operational blindness.
While an external data protection officer brings all the necessary qualifications with him, an internal data protection officer must first be trained and then undergo further training on an ongoing basis. However, trust in one’s own employee is usually higher.
In terms of liability, the external data protection officer has an advantage, because the liability risks are also assumed when the task is handed over. In the case of an internal appointment, these remain with the company itself.
When weighing an external against an internal data protection officer, note that one’s own employee enjoys comprehensive protection against dismissal. Cooperation with an external data protection officer, by contrast, can usually be terminated at short notice in accordance with the contractual conditions. However, long-term cooperation pays off when it comes to data protection. Renowned providers rely on trusting cooperation and a long, fruitful business relationship.
A critical look should also be taken at how the data protection tasks are handled. The internal employee will usually also work in another core area and take care of data protection alongside it. The advantage of the external data protection officer here is that data protection is his main activity, so he can concentrate fully on his core area.
When choosing between an external and an internal data protection officer, key factors are important, such as the industry but also the size of the company and the initial situation. Anyone who is confronted with many data protection challenges on a daily basis should appoint an internal data protection officer.
In combination with an intuitive data protection management software like the one from Priverion, some of the supposed disadvantages, such as the time required and legal security, can be turned into advantages.
Our data protection management software provides you with a comprehensive solution for efficient data protection. Standardized documents and templates such as ROPA, TOM and AV contracts already significantly reduce the workload and increase the quality of data protection. This provides long-term legal security. Often, internal data protection officers only act on the focal points, as there is hardly any time for more. The tool ensures that preventive measures can be implemented and that capacity for core work is freed up again. Since the entire documentation is complete and partly automated, there is more clarity and transparency.
The data protection management software, offered as a SaaS solution, brings you two modules: the core module and the extension with the efficiency module.
If you need an all-round carefree package for getting started, for data protection and compliance with all legal regulations, and for regular documentation, the core module is the perfect choice. It supports internal data protection officers in all activities related to data protection compliance and simplifies maintenance and administration through a clear presentation in a directory.
The core module comprises:
• Directory of processing activities (ROPA)
• Management of data processors
• TOM management
• Incident Management
• Risk management (data flow based)
• Reports and data flow visualization
• Requests for information
• Reviews and audits
• Multi-law function (according to legal person)
With the “performance modules” component, you get even more performance and reduce repetitive tasks through automation and secure access to all library elements.
The performance modules include:
• Data Processor Library
• ROPA library
• Policy Library
• TOM library
• Retention and Deletion Library
• Policy tree
• Employee training
• Merger, acquisition and exclusion functions
• Azure Active Directory B2C
• Data protection portal
If you decide on an internal data protection officer, provide him with our software solution for faster, more secure and more efficient data protection. We at Priverion would be happy to advise you personally. Contact us now without obligation.