Compare the advantages and disadvantages of an internal/external data protection officer
The appointment of a data protection officer is required by law, but every company is free to choose between an internal and an external data protection officer. The appointment initially causes additional work and costs and is therefore in direct conflict with the company's goal of working as cost-efficiently as possible. Every company therefore needs to check whether an internal or an external data protection officer is the right solution. Both options have their advantages and must be compared individually and in detail for each company:
The internal data protection officer | The external data protection officer |
---|---|
Confidence bonus: The management has often known the internal data protection officer for many years. This results in a trustworthy working relationship (or not). | Lower entrepreneurial risk: The external data protection officer also assumes the entrepreneurial risk with his task. This gives you the security of knowing that you have outsourced all issues that could jeopardize your company's existence. |
No additional labor costs: If the internal data protection officer can take on the tasks of the data protection officer in addition to their current duties, the company will not incur any additional wage costs. | Legal certainty without delay: By appointing an external data protection officer, you immediately have the legal certainty you need for your company. |
Entrepreneurial risk: By taking on the tasks of the data protection officer, you are taking on a high risk. Fines of up to EUR 300,000 can even jeopardize your company's existence. | Variable contract term: An external data protection officer is not protected against dismissal and you are therefore free to determine the duration of the contract. |
Protection against dismissal: The internal data protection officer has enjoyed extended protection against dismissal since 01.09.2009 (irrevocable, §4f para. 3 BDSG), similar to that of a works council (1 year protection against dismissal after relinquishing the function of data protection officer). Once an appointment has been made, it can only be revoked under the conditions of termination without notice. | No training costs: An external data protection officer is responsible for their own qualifications. As they take on this task for a large number of companies, they have more experience and are continuously familiar with the latest data protection guidelines. |
Training costs: In order to be able to take on the tasks of a data protection officer on a permanent and legally compliant basis, training on the legal environment of data protection is required first, followed by training on the technical implementation and finally on the organizational structure of data protection management. In addition, continuous further training is necessary. This costs a lot of time and money (training, travel, accommodation, materials, release of the internal data protection officer). | Calculable cost structure: Fixed contracts define the cost structures for the tasks and risks assumed externally and can therefore be calculated precisely. |
Additional expense: Due to the additional work involved in taking on data protection tasks, the internal data protection officer can no longer fully perform his core tasks. | Always up-to-date documents: An external data protection officer constantly revises all company-relevant data protection documents so that you are always up to date. He brings with him the experience of many companies. |
Time delay: When taking on the tasks of the internal data protection officer, the employee must first build up their specialist knowledge and document this with a certificate of competence. This delays the direct implementation of the legal requirements. | External costs: An external data protection officer assumes tasks and risks, which results in external service costs. |
The external data protection officer is not a lone fighter but usually has an office in which other employees take care of data protection. There is a functioning vacation replacement so that you always have a contact person.
The external data protection officer has a higher level of acceptance and assertiveness among your employees. He is a data protection officer without the normal background of a colleague. There are therefore no conflicts of interest with other areas and projects.
The external data protection officer has experience in dealing with authorities. They know what the authorities set as a standard. An internal data protection officer only learns this when the company has to deal with an authority due to a data protection breach, which is usually too late.
While the so-called "operational causation" applies to the internal data protection officer in liability matters, the external data protection officer can be held responsible for his actions. Usually, the external DPO has specialized business and financial loss liability insurance.
We believe there are good reasons to appoint an external data protection officer to protect your interests in the area of data protection.