Jack of all trades: The External Group Data Protection Officer

One of the innovations the GDPR brought for corporations, corporate groups and groups of undertakings is the introduction of a so-called group data protection officer. It is governed by Art. 37(2) GDPR, which states:

 "A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment."

Since the transfer of personal data between the companies of a group is part of everyday operations, a common data protection officer can provide relief by creating consistent data protection rules and concepts and by acting as a single point of contact for the entire group. The term "group of undertakings" is defined in Art. 4(19) GDPR as a controlling undertaking and its controlled undertakings.

As a further requirement, the provision demands that the group data protection officer be easily accessible: all employees, but also the local supervisory authorities and the data subjects concerned, must be able to reach him or her and communicate without difficulty. Especially within global enterprises with subsidiaries and branches in many different countries, the different languages can be a significant communication barrier. However, no-one can be expected to speak, in addition to holding the required data protection qualification, every language of every branch in each country. Recourse to a common working language, typically English, is one possible solution. Additionally, data protection coordinators in each individual company can act as a link between the local supervisory authorities and the group data protection officer.

However, it is often difficult to find a suitable and qualified person who has the necessary (international) qualifications and is also familiar with the way the group's companies operate. An external group data protection officer can therefore be an adequate solution.

What are the tasks of a group data protection officer?

In principle, the tasks a group data protection officer must fulfil are the same as those of any other data protection officer, as set out in Art. 39 GDPR. In practice they include:

  • informing and advising the responsible persons in the group on the implementation of the GDPR
  • enabling compliance with the GDPR and fostering a data protection culture within the organisation
  • maintaining policies and procedures on data protection
  • monitoring compliance with the GDPR within the group, which also includes raising employees' awareness of the basic data protection requirements and training them
  • advising on data protection impact assessments (Art. 35 GDPR) and monitoring their performance
  • supporting the response to data protection incidents and the notification procedures for personal data breaches
  • cooperating with the supervisory authorities and acting as their first point of contact

An external group data protection officer usually has experience with various groups of companies and has dealt with a range of data protection challenges, so that he or she can quickly adapt an existing solution to another group.

Two challenges for a group data protection officer

The difference from a data protection officer who is responsible for a single company lies in the complexity of the (international) flows of personal data and of the group's organisational structure. For example, it often happens that there is no single contact person in the group with an overall view of a particular process, which matters when drawing up the record of processing activities (Art. 30 GDPR).

Another challenge is that, although the GDPR applies uniformly throughout the EU, there are national specifications and differences between the individual member states that need to be taken into account. Consulting professionals with local legal expertise on individual issues is one possible solution.

Nevertheless, the designation of a group data protection officer can be a considerable relief for the group. What matters is the development of a suitable data protection organisation within the group, the support of company management, and sufficient financial and personnel resources for the group data protection officer. An external data protection officer in particular can be a pragmatic, professional and timely solution, and is often cheaper than setting up an in-house data protection department within the group.


Talk to our sales team

Find out how DataGuard can help you.

Discover how our data protection, information security and compliance solution strengthens trust, minimises risk and increases revenue.

  • 100% success rate in ISO 27001 audits to date
  • 40% reduction in total cost of ownership (TCO)
  • A scalable and easy-to-understand web platform
  • Practical, actionable recommendations from our experts

Trusted by customers such as Canon, Holiday Inn, Unicef, Burger King, Veganz, Fressnapf, Völkl, Arri and Free Now
