External Data Protection Officer


Under certain circumstances, companies shall designate a data protection officer. The best known is probably the obligation to designate a data protection officer in the event that ten or more persons are constantly engaged in the automated processing of personal data. In any case, it should be checked whether a company requires a data protection officer, which must finally be reported to the competent supervisory authority.

The task of an (external) data protection officer according to the legal model is mainly characterised by monitoring and verifying compliance with certain requirements. MORGENSTERN’s consultants advise clients as external data protection officers and perform the following tasks in particular:

Depending on the type of personal data processed by a company, technical requirements for a data protection officer can be categorised as different. In particular, medium-sized and large companies often have to deal with complex IT infrastructures, extensive contractual structures and risky software applications. Hence, these tasks can no longer be performed by one’s own employee. Such companies should, therefore, rely on an attorney specialised in privacy law to identify and solve legally complex issues. If no attorney is available in your own company, the designation of an external data protection officer is necessary.