Data Protection Officer (EU)

The data protection officer (DPO) is a person appointed by a company or organization to monitor, advise and control compliance with the GDPR. The DPO must have the necessary expertise and independence and must not be disadvantaged or dismissed in the performance of his duties.

Why is data protection important for your company?


of cyber attacks are directed against SMEs

Here are a few recent examples:

  • Mercedes Benz, entire Gitlab data (code) online
  • 23andme, DNA data published by approx. 6 million customers.
  • Trello, data hacked on 15 million customers
  • Motel One, ransomware attack
  • Verivox, software vulnerability

Data protection & privacy are fundamental rights in the EU

The right to privacy and to a private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). Privacy and data protection are two fundamental rights enshrined in the EU Treaties and in the EU Charter of Fundamental Rights. The Charter contains an express right to the protection of personal data (Article 8). With the entry into force of the Lisbon Treaty in 2009, the Charter of Fundamental Rights became as legally binding as the EU Treaties. It is therefore binding on EU institutions and bodies and Member States. Article 16 of the Treaty on the Functioning of the European Union (TFEU) also requires the Union to adopt rules on the processing of personal data. The relevant legislation here is the General Data Protection Regulation (GDPR) and the country-specific data protection laws.


of companies regard data protection as a business necessity

In today's market, data protection compliance has become an important aspect of the customer buying process. An efficient data protection organization makes it possible to shorten sales cycles by being able to quickly provide the necessary information for a supplier audit. Data protection also helps build customer trust and enables you to increase business attractiveness.

Do you need a data protection officer?

Not all companies or organizations need to appoint a DPO. The GDPR requires a DPO when:

  • the core activity of the company or organization requires extensive processing of special categories of data or the systematic monitoring of data subjects;
  • the core activity of the company or organization requires regular and systematic processing of personal data on a large scale;
  • the company or organization is a public body or authority, except in the case of courts acting as part of their judicial activity.

However, the GDPR also leaves room for Member States to adopt their own rules for appointing a DPO. These are called opening clauses. One example of this is Germany, which requires the appointment of a DPO when personal data is processed automatically by at least 20 employees. Other countries have adopted similar or different regulations, which must be observed depending on the respective national law.

What activities does a SIDD data protection officer do?

The activities that a data protection officer (DPO) must perform under the GDPR include:

Activities required by law
Optional activities

How much work does a data protection officer have

This is highly dependent on the company and also on the complexity of the business and IT. However, the recommendation of the Conference of Independent Federal and State Data Protection Authorities (DSK) in Germany, which specifies a weekly working time of 20 hours for a fully employed data protection officer, provides possible guidance.

In response to a question from the FDP parliamentary group in the German Bundestag dated 18.06.2019, the Federal Data Protection Commissioner estimates that a data protection officer in an average company with around 250 employees must work around 10 hours a week in order to comply with his legal obligations. This is based on a sample survey of 50 companies that were checked between 2016 and 2018.

In a survey of its members in 2017, the Professional Association of Data Protection Officers of Germany (BvD) e.V. determined that a data protection officer needs an average of 14.2 hours per week to work. Working hours vary depending on company size, industry, number of processes and the complexity of data processing.

Why you
should name SIDD as your external data protection officer

You save time and money by outsourcing the tasks of the data protection officer to us.
You benefit from our many years of experience and comprehensive expertise in the area of data protection.
They minimize the risk of data breaches, fines and liability claims.
You will receive independent and objective advice on all data protection issues.
You strengthen the trust of your customers, employees and business partners in handling their personal data.

Which packages does SIDD offer?

We offer two types of packages.

Standard (SMEs)

What happens after you order at SIDD?

Contract signing

We conclude a service contract that contains the framework conditions and scope of our activities as a DPO. Digital, of course 😉

Kick-off meeting

We conduct a kick-off workshop with the customer to get to know each other, agree on expectations and discuss the next steps.

Data protection analysis

We carry out an inventory of the customer's data protection-relevant processes, systems and documents in order to determine the current status and the need for action.

Data protection concept

We create an action plan to implement the data protection requirements for the customer. This plan includes, among other things, the preparation or revision of data protection declarations, procedural records, data protection impact assessments, order processing contracts and internal guidelines.

Data protection implementation

We support the customer in the practical implementation of the planned measures, e.g. through advice, training, testing or support in communication with the persons concerned or the supervisory authorities.

Data protection support

We are available to customers as a permanent point of contact for all data protection issues and are responsible for continuously monitoring, updating and adapting data protection measures to the changing legal and technical framework conditions.