We advise and support the internal data protection officer in all questions of data protection and IT security. Our team is digitally involved in the daily work of the internal solution and can take the lead on complex topics - successful cooperation is guaranteed.
Build up expertise internally, but do not rely on it exclusively; use us as a smart complement, both digital and analog, to achieve your goals.
Working with heyData gives you a considerable advantage in expertise, because we not only have many years of experience but also create practical solutions based on our accumulated background.
If you and your company meet one or more of the following criteria, then YES:
- Your company employs more than 20 people
- The employees regularly process automated data
- Special categories of personal data are processed in the company, such as ethnic origin, political opinion, religious conviction, health, the person's sex life
- Business-related personal data is transmitted, collected, processed or used and this represents a core activity of the company (this is the case with almost all companies that are related to personnel, e.g. software, recruiting, headhunting, consulting, etc.)
According to the GDPR, personal data is all information that relates to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, a location or other features. In practice, this includes all data that can be assigned to a person in any way. Examples of this are telephone numbers, ID numbers, account details, license plates, customer numbers, e-mail addresses or postal addresses.
As soon as you have decided to work with heyData, after an initial needs analysis, we will carry out a data protection audit with your company in order to understand the processes of your company holistically - this process is digitally accompanied and supervised by the data protection advisor. We will then work with you to prepare the necessary documentation and, if necessary, adapt the website of your company according to our instructions, should there be a need for changes in order to achieve conformity. Depending on the package, we are then involved in a wide variety of processes in your company that require the expertise of a data protection officer to protect you in all matters; this usually extends to HR, marketing, product but also business development processes.
The regular contract term is 24 months.
The data protection audit is intended to examine the processes of your company and to identify the essential points of data processing. You will then receive documentation of this so that the positions, the type of data processed and the persons responsible are also available as a diagram at any time.
The General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG-neu) have expanded the group of companies that must appoint a data protection officer. If your company belongs to this group, you must decide between an internal and an external data protection officer. An internal data protection officer is usually the favoured solution, but on closer examination of data protection, the external data protection officer is often by far the better choice.
heyData is your partner when it comes to internal or external data protection. Contact us!
An internal data protection officer is the employee who has been designated within the company to ensure data protection. After the designation, the data protection officer has the task of fulfilling all data protection requirements and obligations. The necessary expertise must be ensured through training, continuing education and certificates.
The internal data protection officer has the following powers:
- The internal data protection officer is under extended protection against dismissal
- Further claims can be made (advanced training, equipment ...)
- The internal data protection officer can act without instructions
- Approx. 20% of the working time is devoted to data protection
The internal data protection officer must not be named from the group of management, senior staff or IT management, as conflicts of interest are to be avoided. If an employee is commissioned with the processing of personal data and this represents the core business, this employee is also not to be named.
The internal data protection officer must be able to demonstrate professional qualifications and, in particular, expertise in the field of data protection law and data protection practice. He must be able to perform all tasks within the meaning of the GDPR.
The professional competence of an internal data protection officer is usually built up after the appointment and consolidated through practice and training. These cost-intensive and time-consuming measures must be borne by the company in order to meet all the requirements of the General Data Protection Regulation.
The internal designation of a data protection officer should be documented in writing. Since the internal data protection officer now has to be the contact person, he is to be published as the internal data protection officer and reported to the supervisory authority.
HeyData is often confronted with this question and our data protection experts will be happy to provide you with technically competent information.
The advantages of an internal data protection officer:
An internally appointed data protection officer has the advantage that he already knows the workforce, processes and data flows from day-to-day business. In particular, the collection and processing of personal data and the associated processes are known. For this reason, he does not have to familiarize himself with the company, but is available promptly for his work as a data protection officer. An internal data protection officer is also familiar with the workforce and can benefit from this relationship.
The disadvantages of an internal data protection officer:
In many cases, an internal data protection officer must first build up his knowledge of data protection and underpin this with ongoing training. These costs are to be borne by the company. At the same time, these further training measures are very time-consuming and the internal data protection officer cannot completely fulfill his core business. The regular acquisition of specialist literature is also borne by the company. Since the internal data protection officer is subject to extended protection against dismissal, he cannot be terminated in due time (like an external data protection officer). The internal data protection officer can come into contact with conflicts of interest if individual employees or entire departments fail to comply with his data protection instructions and recommendations. Since this has to be reported to the management, it can have a heavy impact on the internal working atmosphere. Since the internal data protection officer has a staff position below the management, tensions can also arise here if data protection measures are to be implemented. Although he does benefit from the extended protection against dismissal, the working atmosphere can suffer here too. The internal data protection officer can only be held liable with limited employee liability. This only comes into play in the event of gross negligence or intent. In the event of non-serious negligence, the internal data protection officer is therefore not liable. In contrast to the external data protection officer, an internal data protection officer does not help to minimize risk.
If you weigh up the advantages and disadvantages against each other, an internal data protection officer is often more costly and risky. HeyData will be happy to assist you with this consideration!
The internal data protection officer enjoys special protection. By completing his data protection tasks, he may not be terminated, recalled or disadvantaged. On the company side, you want to be sure about this question and should pay attention to the following points:
A dismissal is not finally regulated in the General Data Protection Regulation. The fact is that the internal data protection officer may not be dismissed if he is fulfilling his data protection tasks. Likewise, discrimination is fundamentally inadmissible.
In day-to-day business, the internal data protection officer can freely resign from his office. In this case, too, termination by the employee is not permitted for one year. At the same time, this protection against dismissal also applies during an internal trial period. In the event of unauthorized termination as a data protection officer, the existing employment contract must be adjusted with regard to data protection obligations and powers.
A dismissal is generally difficult to manage, since the internal data protection officer has to carry out his duties as a data protection officer independently. This position is deliberately strengthened by the legislature and offers the company little target, since a worse position is to be avoided. The company data protection officer occupies a staff position that also monitors the management and this potential for conflict is legally safeguarded by the legislature.
Dismissal can only be considered if there are important reasons. Conditions must be met here that justify termination without observing a notice period. In these cases, the employment relationship is no longer reasonable. These can be personnel-related, behavior-related or operational-related reasons, which must be precisely defined. In practice, this would be, e.g., threats of violence, theft, unexcused absenteeism or refusal to work.
An internal data protection officer cannot be replaced by an external data protection officer, even if this would have been the better choice in retrospect, organizationally or financially. Risk minimization or higher professionalism by an external data protection officer does not constitute a reason for dismissal.
As you can see, the appointment of an internal data protection officer is an important decision that should not be made too quickly. Talk to the professionals at heyData and get professional advice on this decision!