SACO Software and Consulting GmbH

IT Systems

IT Services

Solutions

openAPPone

APPone

Career

About SACO

IT infrastructures

Security

Home office connection

IT consulting

IT system audit

GDPR services

Managed services

Cloud services

Document management

Mail & Groupware

VoIP

Conference system

About SACO

Contact

Imprint

AGB

Contact

SACO

Software and Consulting GmbH

Mühlgasse 5

97840 Hafenlohr | Germany

Phone: +49 (0)9391 90890-0

Requests:

General: info@saco.info

Distribution: vertrieb@saco.info

Backoffice: backoffice@saco.info

We are here for you:

Mo - Th 08:00 - 17:00

Fr 08:00 - 15:00

DATA PROTECTION (GDPR). The facts.

The new General Data Protection Regulation (GDPR - or "DSGVO" in Germany) applies and there is a Europe-wide obligation to appoint a company data protection officer (Art. 35ff. GDPR). This is binding if a company carries out an activity that requires special checks from the perspective of data protection law.

In addition, every company can appoint a data protection officer on a voluntary basis.

The GDPR obliges all public and non-public bodies that process personal data (e.g. name, age, date of birth, address, criminal record, genetic data, account number) to automatically appoint an expert data protection officer.

WHAT IS A DPO?

A data protection officer (DPO) works within an organisation (company) to ensure compliance with data protection. The person may be an employee of the organisation or appointed as an external data protection officer. The task and activity of a data protection officer in Germany is regulated in the Federal data protection act [BDSG] as well as in the corresponding provisions of state law. An essential task is to check and monitor the proper use of data processing programs.

WHAT DOES A DPO DO?

The data protection officer in a company works on the compliance with the data protection provisions (but has no right to issue instructions). In particular, the DPO shall monitor the proper use of the computers and computer programs. A key focus is that only authorised persons can carry out processing limited to the purpose and that the owner of the data can exercise their right of self-determination to information, correction, blocking and deletion. In addition, they are responsible for training employees to make them aware of data protection issues.

The Data Protection Officer is not bound by instructions and is independent of superiors. Only those who have the necessary expertise (certification) and reliability may be appointed as data protection officers.

FACTS AT A GLANCE:

The obligation to appoint a data protection officer applies to

» All public bodies

» All non-public bodies - companies with more than nine employees that process personal data automatically

If none of these points apply, however, the company is not exempt from compliance with data protection law, but must also ensure compliance with the Federal data protection act. Data subjects must be given the opportunity to contact the data protection officer at any time (§ 4f (5) cl. 2 of the Federal data protection act).

EXTERNAL OR INTERNAL DPO?

External DPO:

+ Certified, already existing and immediately applicable expertise

+ Risk minimisation for the company

+ Clear cost structure through contractually fixed prices

+ No commitment of company resources

+ Uses 100% of their resources for data protection

+ Costs for further training are covered by SACO

- Familiarisation period with the operating procedures necessary,

neutral

+ Approach with an eye for detail

+ Removal or termination of the appointment

possible at any time

+ Expertise from other companies

+ Neutral position in the company, both externally (e.g. vis-à-vis

authorities) and within the company (e.g. vis-à-vis employees)

+ No conflicts of interest

+ Works council has no right of co-determination with the external

DPO

Internal DPO:

- Time-intensive and costly further training measures to obtain the

professional qualification and time off for the duration of the

training

- Liability within the scope of limited employee liability. The

managing director is liable in full (incl. their private assets)

- Non-transparent costs for literature, office, work absences, further

training incl. costs for overnight stays and subsistence

- Internal DPOs can no longer fully perform their main job

- Barely use their resources for data protection

- All costs for further education and training are borne by the

employer

+ Operating procedures are more or less known

- Operational blindness of the int. DPO often prevails

- Dismissal only for important reasons (§ 626 BGB [German civil

code], § 4f para. 3). Also one year of protection against dismissal

after withdrawal

- Often no expertise and no possibilities for comparison