The unpleasant part of the truth is: good data protection incurs costs. Bad data protection costs more. Weighing up the costs and benefits is not a matter of gut feeling. Rather, the legislator requires public bodies and companies to implement a number of requirements that must be met regardless of the size of the company. Even without an obligation to appoint a data protection officer, it can make sense to seek outside advice.
Are you unsure whether you need external help? In a free initial telephone consultation, we will evaluate the possible need. To make an appointment, simply use our form on this page or call us right away.
The practice and legal basis of appointing a company data protection officer (DPO), and of the DPO's work, are the subject of this page.
The requirements of the legislator for the data protection officer
- Expert knowledge and professional qualification in the fields of data protection law and practice.
- Ability to perform the following tasks:
  - Informing and advising the controller and processor
  - Monitoring compliance with data protection regulations
  - Raising awareness and training of employees
  - Advising in connection with any data protection impact assessment that may be required
  - Acting as point of contact for the competent data protection authority
In short, the data protection officer needs both sound legal knowledge and knowledge of the organization and of the technical implementation of the company's processing operations.
Regardless of whether an internal or external data protection officer is appointed, the company or public body must ensure that
“…the data protection officer is properly involved at an early stage in all matters relating to the protection of personal data.
The controller and processor shall assist the data protection officer in the performance of his or her duties under Article 39 by providing the resources and access to personal data and processing operations necessary for the performance of those duties and the resources necessary to maintain his or her expertise.”
(Art. 38 GDPR)
Costs are therefore incurred not only for the direct activities of the data protection officer in the company, but additionally for
- Research into the guidance of the 16 state authorities plus one federal authority
- Review of current rulings on data protection and data security issues
- Further training in technical issues relating to data security and data protection
- Resources for technical literature
These accompanying costs are often underestimated by those responsible. It is a mistake to consider only the direct cost of working hours without taking into account the follow-up costs for the DPO's training and continuing education and for the necessary research work.
Advantages of external data protection officers
External data protection officers, especially those who work in a well-coordinated team, can spread these accompanying cost blocks across several clients and within the team. A clear plus on the cost side in favor of the controller.
What does that mean in concrete terms?
We offer three flat rates for medium-sized companies, depending on the volume of work required by the external data protection officer:
Affordable data protection
- Small companies with low effort: €199 per month, with 20 consulting and training hours per year
- Small and medium-sized companies with low effort: €275 per month, with 30 consulting and training hours per year
- Medium-sized companies with low to medium effort, or small companies with a high amount of sensitive data: €399 per month, with 54 consulting and training hours per year
Prices are net, plus statutory VAT.
The effort is based primarily on two factors:
- Proportion of sensitive personal data in the company, i.e. data under Art. 9 or 10 GDPR (health, religion, political opinions, sexuality, criminal convictions, etc.)
- Quality of the existing mandatory documentation when the mandate is taken over. Higher costs may be expected, especially in the first year after the takeover.
For medium-sized companies, the number of employees is secondary to these two factors and mainly influences the need for training.
In certain cases it may make sense to appoint an internal data protection officer within the company, for example in companies with a high potential for inquiries from data subjects. In these cases, too, we can support the internal DPO; we would be happy to inform you about the possibilities in this regard.