Contributions from
Holzhofer Consulting
Test yourself:
Is your company obliged to designate a data protection officer?
  • Are more than 19 persons (employees and freelancers) processing personal data with IT systems? Note that e-mail addresses, phone numbers and IP addresses that can be related to a person are personal data too.
  • Are more than 19 persons (employees and freelancers) processing personal data by any other means (paper, voice recorders, ...)?
  • Are special categories of personal data pursuant to Art. 9 GDPR processed? Special categories mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health, sex life and sexual orientation.
  • Are you assessing the personality, abilities, performance or behavior of your employees or other persons?
  • Are you processing personal data for market and opinion research?
  • Do you transfer personal data (even anonymized) for commercial purposes to external third parties?
  • Are you obliged under a contractual agreement on data processing pursuant to Art. 28 GDPR to designate a data protection officer?
  • Does your core activity consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale?

If you answered one or more questions with YES, it is most likely that you are obliged to designate a data protection officer. We would be pleased to advise you in a non-binding face-to-face meeting on whether you are obliged to appoint a data protection officer.

If a data protection officer pursuant to Art. 37 GDPR or section 38 FDPA is not designated, or is not designated within the prescribed time or in the prescribed manner, fines of up to 10 million EUR or 2 % of the total worldwide turnover of the previous year can be imposed.

A common error in appointing a data protection officer is a conflict of interest. In addition, the data protection officer has to report directly to the managing director; managing directors are therefore excluded from the function of data protection officer. Many other roles whose interests conflict with data protection requirements are likewise incompatible with the function of the data protection officer. These conflicts can be avoided by appointing an external data protection officer.
Certifications of our experts
  • Data Protection Officer (TÜV)
  • Data Protection Auditor DSA-TÜV
  • Certified Data Protection Officer (udiszert)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • BSI ISO/IEC 27001:2005 Lead Auditor
  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • ITIL Foundation Certified
Martin Holzhofer, External Data Protection Officer: „Data protection and information security are crucial for every company. Save costs in these challenging areas by an external data protection officer and information security expert. We are pleased to help.“

Martin Holzhofer,
Holzhofer Consulting GmbH