Internal or external data protection officer?

An internal data protection officer is an employee who is commissioned by the management within the company to perform the tasks of the data protection officer in accordance with Art. 39 GDPR. If an employee is named as an internal data protection officer, he or she has extended protection against dismissal and the right to further training in order to maintain specialist knowledge. In addition, as an internal data protection officer, the employee may act as a DPO without being subject to instructions.

The work of a data protection officer is often complex and time-consuming, even in smaller organizations. In many cases it therefore makes sense to fill the position of the external DPO as a full-time position with a competent, experienced candidate. When selecting the internal data protection officer, care must be taken that there is no conflict of interest between the “normal activity” and his position as data protection officer . As a rule, you can name any employee for the position of the internal data protection officer, as long as he does not hold a managerial position (e.g. management, IT manager). You can read more about this in our already published blog post. The internal data protection officer must have the necessary specialist knowledge and legal expertise in order to perform the tasks of the data protection officer. In most cases, the employee has to complete further training in which he or she will acquire the necessary specialist knowledge. In addition, time capacities must be available or created.

The designation of the data protection officer should be made in writing with two signatures i.S.d. Section 126 of the German Civil Code (BGB). This serves the general obligation to provide evidence. In order to guarantee confidentiality, the internal data protection officer must have his own office in which he can perform the tasks of the data protection officer. Furthermore, the named data protection officer must be reported to the supervisory authority and announced in the data protection declaration – for example on the website – so that the persons concerned can contact the data protection officer directly.

• The employee already knows the internal processes. (Provided that the position is filled from the existing workforce.)
• He is involved in daily communication.
• The costs remain largely unchanged.

• There is protection against dismissal for the data protection officer.
• The workload and the costs are usually very difficult to calculate.
• In-house it is often difficult to find a suitable qualified person who can meet the legal requirements.

The company can appoint an external data protection officer. This acts as a service provider who specializes in data protection law and takes on the tasks of the data protection officer in accordance with Art. 39 GDPR. The external data protection officer already has the necessary specialist knowledge and professional qualifications. The data protection officer is not subject to instructions and is the responsible contact point for employees and those affected with regard to data protection issues.

When choosing a suitable service provider, the entrepreneur must pay attention to technical and legal expertise.

If the company decides on an external data protection officer, a service contract must be concluded with him, from which the exact costs for the services to be provided emerge. Furthermore, an appointment document must be concluded with the data protection officer. You also have to report it to the responsible supervisory authority. The contact details of the data protection officer are to be published on the website so that those affected can contact the data protection officer.

• An external data protection officer has the necessary specialist knowledge and legal expertise. He takes care of maintaining it independently.
• If you order a DPO from aigner business solutions GmbH, you can fall back on a whole team of data protection specialists. You will of course also be supported by IT specialists and lawyers in optimizing data protection in your company.
• Has an overview of a customary implementation.
• Encountered better acceptance by colleagues and the works council
• We also work with our docu-safe software. This helps to make data protection management simple and clear. The software comes from our own development and of course complies with GDPR requirements.

• An external data protection officer can cause unplanned additional costs.
• Internal employees may feel reluctant to approach the data protection officer with problems.
• The integration of the external data protection officer in existing and new processes does not take place automatically. The company is obliged to involve the service provider in decisions as soon as possible.

In summary, it can be said that the decision for or against an internal or external DPO always depends on the company’s circumstances.

Aigner business solutions GmbH provides external data protection officers and handles data protection projects on a fee basis. We also offer eLearning to raise your employees’ awareness of data protection and IT security. We are therefore happy to answer any further questions you may have.