External data protection officer

The specialized and experienced data protection officers and consultants in our team support you in all questions of data protection and, of course, data security. We are always at your disposal, not only to help you comply with all provisions of the General Data Protection Regulation (GDPR), but also to answer company-specific questions.

We take care of you!

We have been the partner for national, international and medium-sized companies for years. Our team of lawyers and IT consultants individually addresses the needs and characteristics of your company and implements suitable, practical and legally compliant data protection concepts for you from start to finish.

A personal contact person is always available to ensure data protection compliance at all levels.

Your advantages with heyData

  • Well-founded legal and technical know-how of our team
  • Sector-specific data protection: Health, Pharma, Biotech, Insurtech, Fintech, etc.
  • Minimization of liability risks for management
  • Uniform costs, no extra fees, long-term cooperation
  • No commitment of internal resources and avoidance of conflicts of interest
  • More flexible contractual terms compared to internal data protection officers
  • Expertise on current topics such as personalized customer contact, outsourcing, CRM, home office, etc.
  • We are available at short notice and flexibly, 24/7; cover by a deputy is guaranteed

Do you want to find out more? We are happy to help!

The tasks of an external data protection officer

  • Development of common data protection goals, definition of the need for action and preparation of a schedule to achieve legal conformity
  • Carrying out risk analyses and audits at regular intervals or for external partners
  • Advice on the development of a data protection management system (DSMS)
  • Regular checks as part of a DSMS
  • Advice on the creation and implementation of a data protection concept
  • Review of reportable incidents
  • Implementation and assurance of "Privacy by Design" and "Privacy by Default"
  • Preparation of the notification documents
  • Creation and review of the entire documentation, such as records of processing activities (VVT), data protection impact assessments (DPIA), technical and organizational measures (TOM), and deletion and archiving concepts
  • Review of data protection information, privacy statements, guidelines and company agreements
  • Advice on the drafting of data processing agreements (AVV) with external service providers, as well as on ensuring compliance with the necessary control obligations
  • Supervision of the correct application of the data processing programs
  • Support in answering questions from the data subject (e.g. right to erasure or right to information)
  • Advice on all questions of employee data protection and monitoring of its legally compliant implementation (management of personnel files, on / offboarding, applicant management, Internet use by employees)
  • Organization and implementation of training, as well as informing employees about the handling of personal data in compliance with data protection regulations
  • Monitoring of the data protection status in the company
  • Certification support
  • Answering inquiries from the supervisory authorities
  • Advice to management and the relevant specialist department
  • Preparation of an annual report on data protection

Choose heyData and benefit from your personal and professional contact, who ensures data protection compliance at all levels and to the highest standard.

Do I need a data protection officer?

If your company meets one or more of the following criteria, then YES:
- Your company employs more than 20 people
- Employees regularly process data by automated means
- Special categories of personal data are processed in the company, such as ethnic origin, political opinion, religious conviction, health or sex life
- Business-related personal data is transmitted, collected, processed or used, and this represents a core activity of the company (this is the case with almost all companies whose business relates to personnel, e.g. software, recruiting, headhunting, consulting, etc.)

What are personal data?

According to the GDPR, personal data is all information that relates to an identified or identifiable natural person. A person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or other characteristics. In practice, this includes all data that can be assigned to a person in any way. Examples are telephone numbers, ID numbers, account details, license plates, customer numbers, e-mail addresses and postal addresses.

How does heyData work?

As soon as you have decided to work with heyData, we first carry out a needs analysis and then a data protection audit with your company in order to understand your company's processes holistically; this process is digitally accompanied and supervised by the data protection advisor. We then work with you to prepare the necessary documentation and, if changes are needed to achieve conformity, adapt your company's website according to our instructions. Depending on the package, we are then involved in a wide variety of processes in your company that require the expertise of a data protection officer, so that you are protected in all matters; this usually covers HR, marketing and product processes as well as business development.

How long is the contract term?

The regular contract term is 24 months.

What is done in the data protection audit?

The data protection audit is intended to examine your company's processes and to identify the essential points of data processing. You then receive documentation of this, so that the processing steps, the types of data processed and the persons responsible are available at any time, also in diagram form.

The external data protection officer
An external data protection officer is an unproblematic, secure and attractively priced option for you. The data protection officer is the person who advises you on corporate data protection. An external data protection officer is an option for you if, for example, you do not want to or cannot cover the complex subject of data protection, and the qualifications it requires, yourself in terms of time and finances.

Outsourcing data protection guarantees your company the best possible advice on the current legal situation. Your external data protection officer will be happy to give you practical examples of data protection and discuss their implementation with you. Information obligations are handled professionally, leaving you free for your day-to-day business. An external data protection officer will examine your company.

At the beginning of the activity, he will take stock and evaluate your company in terms of data protection (data protection audit). The external data protection officer monitors and advises on all data protection requirements and is the contact person for any necessary data protection impact assessment. The advantage is obvious: the external data protection officer protects you from internal conflicts of interest and thus guarantees unbiased work. Standardized procedures and documents complete the overall picture. Internal employee training courses sensitize your employees and provide them with comprehensive information on data protection.

The external data protection officer shows the workforce that he or she is also the point of contact for them, and translates this complex topic for your employees from bureaucratic German into plain language. The external data protection officer should be understood as a new, external employee.

In terms of costs, the external data protection officer is usually the cheaper option. An internally appointed data protection officer has to be trained at considerable cost and cannot carry out his or her regular duties in full. An internal data protection officer also enjoys protection against termination, which continues for a period after he or she has been removed from the role.

An external data protection officer can be withdrawn from his or her mandate at any time. An external data protection officer saves you professional training, ancillary wage costs and internal training. The costs of an external data protection officer depend on the company's consulting needs. Your company's industry is a good indicator of this.

A distinction is made between sectors with a large or small need for action. Workshops or craft businesses have a different relationship to personal data than call centers or doctors. Here it is important to find the right package for you and to get practical advice. A wide variety of price categories are listed on the Internet for an external data protection officer. Keep an eye out for reputable prices and always compare the service offered with the specified price tag.

An external data protection officer should always have the appropriate qualifications. This is confirmed, for example, by TÜV, DEKRA or similar certificates. Does your appointed data protection officer specialize in your industry? If so, great! An external data protection officer must understand your company. Industry specialization is therefore an important factor that should not be underestimated. An external data protection officer also bears the liability risk for his advice.

Appropriate insurance cover must therefore be available for the advisory service. A reputable external data protection officer presents professionally and is visible both inside and outside your company. Pay attention to the reference customers listed and check existing Internet reviews. Is your external data protection officer a member of data protection associations? This shows commitment and interest in the topic and encourages a close exchange with other data protection officers, from which you can benefit. An external data protection officer is a classic service provider, and should be treated as such in your company.

Employee training on the subject of data protection should not be a tiresome compulsory event for employees. Rather, the quality of the training is decisive here. Make sure that there is broad acceptance among the workforce here. The external data protection officer should remain available to you during your business hours. Accessibility is the basis for a trusting cooperation. The external data protection officer must convey within the company that data protection plays an important role in day-to-day business. Customers and partners are increasingly paying attention to data protection-compliant cooperation.

The external data protection officer will ensure that data protection is actively practised within your company and that this attitude is actively communicated to the outside world. Engaging an external data protection officer sets a change management project in motion in your company: some structures will change with regard to data protection. This process requires internal acceptance and the full support of management. The external data protection officer initiates this process with a data protection inventory. The resulting analysis (risk analysis, data protection action plan, compliance) is discussed with management and implemented with the workforce. The external data protection officer will, as far as possible, carry out these technical and organizational tasks without disrupting day-to-day business.