External Data Protection Officer

We undertake the task of the external data protection commissioner for mid-sized companies from 200 to 20.000 employees from different branches.

At the beginning of the acquisition of the function of the external data protection officer for a company an actual quantity recording will be performed on data protection. The actual recording determines whether the company has an adequate level of data protection, and whether all legal requirements have been implemented regarding the data protection and IT security at a reasonable level based on the European Data Protection Regulation (short “GDPR”). After completion of the recording on data protection, we create an analysis report with recommendations on data protection measures for the controller.

After completion of the actual recording our law office takes further care of the company by visiting the company, usage of our data protection hotline and on-going implementation of the statutory requirements in the company. We also carry the necessary data protection training at the company. Towards the end of the contract year, we create an annual report with recommendations for the following year for the management of the company. For inquiries or inspections of the supervisory authorities, we help companies to prove the fullfilment of statutory obligations and requirements.


The services of the law firm include in particular the assumption of the function of the external data protection officer for companies (associations etc.) will be counted among:

  • Position of the external company data protection officer for industrial companies, medium-sized companies, trade, banks and insurance companies (DS-GVO)
  • Support for the internal company data protection officer (GDPR)
  • Position of the external company data protection officer for church institutions, foundations, etc. (KDG, DSG-EKD)
  • Support for the church company data protection officers (KDG, DSG-EKD)
  • Creation of an action plan for the implementation of the DS-GVO, KDG, DSG-EKD according to liability risk
  • Annual planning meeting on data protection with the management, commercial management or vicar general
  • Carrying out an as-is analysis or an audit on data protection
  • Dealing with the topic of “mobile working” in compliance with data protection regulations (agreement on mobile working, work instructions on mobile working)
  • Creation of a visitor form with questions about a pandemic
  • Creation of works/service agreement/company policy for a pandemic situation
  • Preparation of the documents to fulfill the information obligations
  • Creation and conclusion of agreements on order processing
  • Fulfillment of the requirements for international data transmission and corporate data processing (HR systems, ERP systems, etc.)
  • Data protection and IT security for cloud applications
  • Data protection in hospitals, medical practices, medical care centers and pharmacies
  • Data protection in social institutions (addiction counseling, family counseling, child and youth welfare, care facilities, dormitories, day-care centers, etc.)
  • Recording of the existing files and IT processes and creation of the necessary lists of processing activities (data mapping)
  • Carrying out the necessary data protection impact assessments (MS Office 365, video surveillance, electronic personnel files, applicant management)
  • Review of the technical and organizational measures (IT security measures)
  • Implementation of the requirements for employee data protection (electronic personnel file/file in paper form, applicant management)
  • Review of the company website (privacy policy, imprint, cookie warning, tracking tools)
  • Creation and negotiation of company agreements (email/ internet use, access control/time recording, video surveillance, MS Office 365, cloud solutions, electronic personnel file, etc.)
  • Creation of training documents and implementation of data protection training (general face-to-face training, special training for managers, HR, IT, marketing, sales, public relations and works council)
  • Creation of training documents on data protection as e-learning
  • Creation of training videos on data protection and IT security
  • Establish a data breach resolution process
  • Implementation of the requirements of the rights of data subjects (information, deletion, correction, etc.)
  • Creation of consents, in particular for film recordings and photographs
  • Data protection in public relations, press, marketing and sales
  • Data protection in social media (Social Media Guideline, implementation of the ECJ’s Facebook judgment, WhatsApp)
  • Regulation of the legal conditions for video surveillance (IT security, product assessment, company agreement, AV contract, pictogram)
  • Compliance with the legal requirements for access control and time recording
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection issues (data protection forum)
  • Creation of work and organizational instructions (mobile work, systems for video conferences, dealing with social media, etc.)