External data protection officer

If a company has appointed its own employee as data protection officer, this is referred to as an internal data protection officer. However, it is also possible to entrust an appropriately competent and reliable service provider with the function of data protection officer. In these cases, one speaks of an external data protection officer.

Internal Data Protection Officer

The appointment of an internal data protection officer is often difficult, as the number of persons in companies who have the appropriate expertise and reliability on the one hand and are not subject to a conflict of interest on the other hand often tends towards zero. If you are able to appoint a suitable person as internal data protection officer, this has advantages and disadvantages.

Advantages and disadvantages of an internal data protection officer

Probably the biggest advantage of appointing an internal data protection officer is that he or she is usually familiar with the internal procedures and processing of personal data from his or her previous work. He or she therefore does not have to familiarise himself or herself with the sometimes complex corporate structures and processes. Since an internal data protection officer does not usually have to work full-time in order to fulfil his function, the internal data protection officer can also continue to perform his previous duties. This is another advantage. It is important, however, that he or she has sufficient time available for his or her activities as data protection officer. In order to ensure this, a corresponding amendment should be made to the previous employment contract in which the data protection officer is released from his previous activities to the necessary extent. But be careful: If the supervisory authority notices that your data protection officer has only been appointed pro forma and does not have sufficient time to fulfil his or her function and duties, you can expect a strong reaction from the supervisory authority, which may even lead to the imposition of a fine on the responsible company.

Disadvantages of an internal data protection officer

The biggest disadvantage of appointing an internal data protection officer is that the internal data protection officer is always interested in keeping his or her job. This presupposes that the company does not suffer any disadvantages. And thus, subliminally, he is always in a conflict of interest, even if, according to general criteria, his function as data protection officer is not in a function-related conflict of interest with his line activity. In addition, most internal data protection officers fear repression after being dismissed if they perform their job conscientiously. As a result, data protection in the company can suffer massively and areas of attack are not eliminated in good time. The ties to colleagues that have grown over the years can also torpedo the necessary neutrality of the internal data protection officer. Another disadvantage is that the internal data protection officer is often overburdened to perform his or her duties as data protection officer in addition to his or her actual line work. Even if a corresponding provision has been agreed in the employment contract and he has been given sufficient time, the internal data protection officer is usually confronted with the situation that everyone is once again demanding 100 % from him. There are quite a few internal data protection officers who therefore throw in the towel after one year. Since internal data protection officers only know their own company and often have little exchange with colleagues, it is not possible to develop the know-how of an external data protection officer who looks after several companies at the same time and gains a wide range of experience. In some Member States, such as Germany, internal data protection officers also enjoy special protection against dismissal. As long as the internal data protection officer is appointed, ordinary dismissal is completely excluded in Germany according to the general principles of labour law. After that, there is usually at least one year of further protection against dismissal. In Germany, the regulation is found in Section 38 (2) in conjunction with Section 6 (4) of the Federal Data Protection Act (BDSG).

External data protection officer

The alternative to appointing an internal data protection officer is to appoint an external data protection officer. The GDPR explicitly allows the appointment of an external person as data protection officer (Art. 37 (6)). One always speaks of an external data protection officer if the data protection officer is not employed by the company, but performs the function as a service provider. The basis is therefore a service contract in which the concrete tasks and duties are again expressly agreed. The contract also contains provisions on remuneration, notice period and availability.

Disadvantages of an external data protection officer

The disadvantages of appointing an external data protection officer are usually that he or she still has to get to know the company structures, whereas an internal employee who is appointed as data protection officer has usually already known the company well for many years and therefore knows about the specific data protection issues. Another disadvantage is that external data protection officers usually look after several companies and are therefore not always available at 100%. However, the advantages usually outweigh the disadvantages.

Advantages of an external data protection officer

The advantages of an external data protection officer are that he or she can usually maintain genuine independence. Since he or she is not tied into an additional line activity, as is the case with internal data protection officers who only have a certain amount of time available for their activities as data protection officers and otherwise have to attend to other tasks, the external data protection officer can freely allocate his or her time without having to take other company interests into consideration. The greatest advantage of hiring an external data protection officer, however, is that the external data protection officer usually works for several companies at the same time and can bring the experience he or she gains in other companies to bear on his or her work in your company. The qualification and experience usually also mean that he or she is in a better position to accompany the implementation of data protection requirements in companies. And last but not least, you can also hold an external data protection officer liable if he or she does not adequately fulfil his or her duties, which is not so easy with an internal data protection officer for reasons of labour law.

Recall

The biggest advantage, however, is that an external data protection officer is not subject to legal protection against dismissal, as is often the case with internal data protection officers due to national legislation.