+49 (0) 89 45242970101 contact@sp-partners.de

Outsourcing of Data Protection Officer

Outsourcing of Data Protection Officer – We offer outsourcing solutions for the data protection officer. For the establishment of a data protection organization, we assume the following tasks:

  • Appointment as data protection officer
  • As data protection officer, we monitor the compliance with the DS-GVO and other legal requirements, including the requirements of further privacy policy guidelines of the company.
  • As data protection officer, we advise and inform the management regarding existing data protection obligations and are responsible for communication with supervisory authorities.
  • Selected processes are checked randomly, risk-oriented and at appropriate intervals for their data protection compliance.
  • As data protection officer we take over our tasks without instructions and using the necessary specialist knowledge. We report directly to the management.


You wish a free offer for your outsourcing of the data protection officer. We are happy to help. Send your request directly to the S & P team Privacy-Compliance, Email: a.schulz@sp-partners.de. Also take a look on our additional outsourcing services for MLRO and Internal Audit.


Outsourcing of Data Protection Officer


S+P Team Data Protection

S+P Team Data Protection provides proactive outsourcing solutions in Germany.

Achim Schulz has been advising medium-sized companies and banks for 22 years. His areas of expertise include CRR institutes, acquirers, fintech, capital management companies, leasing and factoring companies and medium-sized companies.

He advises companies on the implementation of risk management and compliance systems.


Alexander Schneider has been working for banks, financial service providers, insurance companies and medium-sized companies for more than 20 years.

As a compliance and money laundering officer, Mr. Schneider advises companies on the implementation of data protection compliance standards.


Lawyer Alexander Suck is an experienced expert with a focus on corporate and criminal law. Together with his lawyer team, he advises medium-sized companies on the implementation of data protection obligations. He develops risk mitigation strategies for compliance and AML officers.


Miriam Boglino is a legal advisor to fund companies in London. She advises medium-sized companies on the development of pan-European compliance management systems.


Ensuring adequate data protection

To ensure sufficient compliance in data protection, the following 12 compliance obligations must be implemented:

  1. Awareness: Management must become familiar with the new privacy regulations.
  2. Data Protection Officer: Companies must appoint a Data Protection Officer, if required by law, to publish the order and report it to the Data Protection Inspectorate from 25 May 2018.
  3. Directory of processing activities: Companies must identify and document which personal data they process, where the personal data originate and to whom they are shared.
  4. Legal basis: For all processing of personal data, the legal permission standards must be identified and documented in a company.
  5. Information Security, Privacy by Design, Privacy by Default, Privacy Impact Assessment: Businesses need to extend their existing information security with data privacy risk management and adhere to the principles of privacy by design and privacy by default.
  6. Affected rights: Companies must train and operate procedures for the lawful handling of data subjects.
  7. Request for information: Companies must ensure that they can provide information requests from interested parties in full within the prescribed timeframe.
  8. Contract processing: Companies must have completed the prescribed contracts for order processing and regularly check the data protection compliant service provision.
  9. Privacy Statements: Companies must review existing privacy statements and update them when necessary.
  10. Consent: Companies must organize how they formulate, obtain and archive consents in compliance with data protection.
  11. Data Leakage: Companies must ensure that they have appropriate mechanisms to detect, handle and report data leakage within the 72-hour deadline.
  12. Employee Training: Companies must train their own employees to be able to fulfill their privacy obligations. These training courses must be documented.


Why does the data protection officer need to be outsourced in most cases?

By a member of an organ of the responsible person or order processor, for example the managing director of a GmbH, the office of the data protection officer can not be exercised, because then it is lacking in the necessary for the exercise of the control function independence.

According to item 97 DS-GVO the data protection officer should perform his duties and tasks in complete independence. It can be deduced from this that the Office of the Data Protection Officer as a whole has extensive powers of representation for the person responsible or the processor, for example in the case of power of attorney or power of attorney i. S. v. § 54 HGB, or incompatible with the duties of various senior employees.

Its position and function would make it incompatible if the data protection officer had to supervise his own activity. Such overlapping of interests impairs the required complete independence.


§38 German Federal Data Protection Act regulates tasks and duties for the data protection officer

The following tasks apply to the Data Protection Officer at non-public offices:

Supplementary to Article 37 (1) (b) and (c) of Regulation (EU) 2016/679, the controller and the processor designate a data protection officer or a data protection officer, as a rule, where they normally employ at least ten persons for the automated processing of personal data.
The controller or the processor will carry out processing operations subject to a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679 or process personal data commercially for the purpose of transmission, anonymous transmission or for market or opinion research purposes; they have to designate a data protection officer or a data protection officer irrespective of the number of persons involved in processing.
6 (4), (5) second sentence and (6) shall apply, but § 6 (4) shall apply only if the appointment of a data protection officer is obligatory.

Pin It on Pinterest