Contributions from
Holzhofer Consulting
self test
Test yourself:
Is your company obliged to appoint a data protection officer?
  • Are more than 9 persons (employees and freelancers) processing personal data with IT systems? Note that e-mail addresses, phone numbers and IP addresses relating to a person are personal data too.
  • Are more than 19 persons (employees and freelancers) processing personal data with IT systems or any other means (paper, voice recorders, ...)?
  • Are special categories of personal data processed? Special categories shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.
  • Are you assessing the personality, abilities, performance or behavior of your employees or other persons?
  • Are you processing personal data for market and opinion research?
  • Do you transfer personal data (even anonymized) for commercial purposes to external third parties?
  • Are you obliged by a contractual agreement for data processing pursuant to section 11 BDSG to appoint a data protection officer?
  • Would you like to avoid the formal notification of the supervisory authority for data protection about your automated data processing operations?

If you answered one or more questions with YES, it is most likely that you are obliged to appoint a data protection officer. We would be happy to advise you in a non-binding face-to-face meeting on whether there is an obligation to appoint a data protection officer.

If a data protection officer pursuant to the Federal Data Protection Act (BDSG) is not appointed, or not within the prescribed time or in the prescribed manner, fines of up to 50,000 Euro can be imposed. The fine should exceed the financial benefit to the perpetrator derived from the administrative offence. Therefore, in some cases the fines could be considerably higher.

A common error in appointing a data protection officer is the existence of a conflict of interest. Additionally, the data protection officer has to report directly to the managing director. Therefore managing directors are excluded from the function of data protection officer. However, many other functions that have conflicting interests with data protection requirements are also incompatible with the function of the data protection officer. These conflicts can be avoided by appointing an external data protection officer.
"Data protection and information security are crucial for every company. Save costs in these challenging areas by an external data protection officer and information security expert. We are pleased to help."

Martin Holzhofer, External Data Protection Officer,
Holzhofer Consulting GmbH