External Data Protection Officer

Companies that are obliged to appoint a data protection officer have two choices: let an internal employee be trained and appoint him/her as data protection officer, or engage an external data protection officer.

Costs and Efficiency
Aside from the one-time and ongoing costs for training, membership fees and legal literature, new internal data protection officers lack the professional experience and a well-organized collection of templates and procedures for the typical documents and policies.

In our experience, data protection officers acting part-time are particularly prone to having other projects given higher priority, resulting in little to no time for data protection tasks. It is not uncommon for us to meet new clients who have had an internal data protection officer for years yet still lack the most basic elements of an appropriate level of data protection. This is not only due to lack of time. In many cases the internal data protection officer lacks motivation if he/she did not really volunteer for this role. Often enough, the data protection officer has also retired and no one knows the current status of data protection. Investments already made are then incurred at least partially a second time.

Skills and Capabilities
During our initial audits we typically find a multitude of technical errors in the implementation that can be fined by the supervisory authorities. An external data protection officer has the required skills and professional experience as well as good relationships with the supervisory authorities. Companies need to ask themselves seriously whether an internal employee can build up the required skills in data privacy law and information security with only a 3- or 5-day training.

An external data protection officer should have access to proven documentation templates for the typical use cases, policies and basic processes, and should offer web-based trainings. To compensate for peaks in workload, holidays and periods of sickness, the data protection officer should have access to additional staff.

Dismissal Protection
Internal data protection officers belong to the group of function holders with special protection. An internal data protection officer can only be removed from the role on grounds that would justify termination without notice. After the removal, the dismissal protection against ordinary termination remains valid for one year. This extended dismissal protection applies regardless of whether the removal was voluntary or based on termination without notice.

Conflicting Interests
Data protection officers must be free of conflicts of interest with their other duties and functions. Managing directors are excluded from the function of data protection officer. Many other functions also have conflicts of interest with data protection requirements and are therefore incompatible with the function of data protection officer. These conflicts can be avoided by appointing an external data protection officer.

Our Service Offering
We provide experienced external data protection officers with all the advantages named here. Our service offerings as external data protection officer, or as coach for your internal data protection officer:

  • Conducting initial audits to identify your level of data protection: we audit your data processing operations, management of authorizations and access permissions, sub-contractor data processing, and technical and organizational controls
  • Training and advice on documentation of processing activities in accordance with Art. 30 GDPR
  • Preparation of data protection information in accordance with Art. 13 GDPR and declarations of consent in accordance with Art. 7 GDPR
  • Training, advice and moderation of risk analyses for the rights and freedoms of data subjects
  • Advice on the implementation of processes to implement the rights of the data subjects
  • Establishment of a process for the detection, handling and reporting of data breaches
  • Advice on the execution of data protection impact assessments
  • Creation of data protection manuals
  • Policies and guidelines for data protection and information security
  • Policies for using Internet and e-mail and other company resources
  • Anonymous requests for information from the supervisory authorities on your behalf
  • Development and evaluation of technical and organizational controls pursuant to Art. 30 GDPR
  • Professional auditing of external data processors according to Art. 28 GDPR
  • Preparation and review of contracts for order processing (processing on behalf of a controller) according to Art. 28 GDPR and joint controller contracts according to Art. 26 GDPR
  • Data protection trainings for employees and special target audiences, as web-based or classroom trainings
  • Continuous support: internal audits, reporting, project consulting

Depending on the company size and the type and extent of the processed data, we provide different offerings for our data protection services. We would be pleased to prepare a suitable offer for your company.

Certifications of our experts
  • Data Protection Officer (TÜV)
  • Data Protection Auditor DSA-TÜV
  • Certified Data Protection Officer (udiszert)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • BSI ISO/IEC 27001:2005 Lead Auditor
  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • ITIL Foundation Certified
Martin Holzhofer, External Data Protection Officer: „Data protection and information security are crucial for every company. Save costs in these challenging areas with an external data protection officer and information security expert. We are pleased to help.“

Martin Holzhofer,
Holzhofer Consulting GmbH