External Data Protection Officer (External DPO)
- Flexible solutions for small and large companies
- Individual advice from data protection experts
- Certified data protection quality
External Data Protection Officer:
Your all-round service at IITR
An external data protection officer, often abbreviated to external DPO, from IITR maintains an overview for you and supports your company in meeting the requirements of the EU GDPR. The DPO plays a critical role in ensuring compliance, serving as the bridge between regulatory authorities and your organization. With the EU GDPR's stringent rules and the increasing complexities of data processing activities, it's imperative to have an expert who understands the nuances. The DPO from IITR not only provides guidance on implementing best practices but also conducts regular audits to identify potential vulnerabilities. This proactive approach ensures that any gaps in compliance are addressed promptly, minimizing risks. Moreover, having an external DPO can offer a fresh perspective and unbiased feedback, as they are not influenced by internal company politics or pressures.
External DPO
Small companies
- For companies with up to 30 employees
- Including Data Protection Software Solutions
- Including online training courses and webinars
External DPO
Medium-sized companies
Individual offer
- For companies with 30 or more employees
- Advice from a certified GDPR expert
- Including data protection management system
What is important to me about this?

Who needs a Data Protection Officer?
Simply put: The EU GDPR with the additional German Federal Data Protection Act (BDSG) requires an internal or external data protection officer to be appointed by every company in Germany with twenty employees or more. In some cases, companies might be required to hire a data protection officer at an earlier point – and regardless of the number of employees – for example, if the company processes data that is more sensitive such as health data.

When does it make sense to hire a Data Protection Officer?
A data protection officer should be appointed if the company is required to do so by law (usually, if the company employs twenty people or more who have access to personal data). Irrespective of the legal obligation, companies also often appoint data protection officers for other reasons, when they realize they are in need of professional advice in the area of data protection requirements. This is the case, for example, for companies that process sensitive healthcare data or for companies that process data on behalf of their customers.

Under the EU GDPR, what is particularly important for companies?
The EU GDPR states that companies should above all address the following issues:
- Creating a privacy policy
- Documenting the procedures that process personal data (the so-called “directory of processing activities”)
- Contractual relationships with third-party service providers (keyword: “outsourced processing agreement”)
- Compliance with the minimum standards in IT security
- Educating and training employees
Our Privacy Kit addresses all of these items and is designed for companies with about 20 employees. Our Compliance Kit is designed to meet the needs of larger companies.

Who can become a Data Protection Officer and how long does it take to become a Data Protection Officer?
In theory, the training to become a data protection officer usually takes a week, depending on the provider. However, in our experience, the ability to practically apply what was learned requires several years of experience in the field. The International Association of Privacy Professionals (IAPP) offers an ISO-accredited data protection training course.
FAQs Compliance Kit
The data protection officer helps you comply with the legal requirements in data protection. Under the EU GDPR, companies are required to prove their data protection compliance not just sporadically, but structurally. The external data protection officer provides advice on data protection issues and lets you know whether your practices comply with applicable data protection laws. The data protection officer also provides tips and recommendations on how you can implement current data protection requirements in your company’s operations.
As a rule, the data protection officer is consulted whenever IT systems are introduced that are critical to data protection, or if data is lost in an attack. Another one of the data protection officer’s responsibilities is to train the employees who do the data processing. Companies receive additional support as well: The data protection officer is the contact person for questions related to data protection and gives the company the tools it needs so it can structure and integrate the data protection issues into in-house procedures.
Internal and external data protection officers each have advantages and disadvantages, which should be weighed individually for your business. Pursuant to the law, both internal and external data protection officers are mandated to take care of a company’s data protection needs while operating as independent and neutral agents. Data protection requirements have become increasingly complex in recent years. Small and medium-sized companies therefore often rely on external data protection officers who specialize in this area.
A form to appoint a data protection officer
If you would like to appoint us as your data protection officer, we will send you a form, which you can use as documentation for the data protection supervisory authority, to prove that you have appointed us.
With our Privacy Kit, we offer small companies with up to 20 employees a solution that includes the appointment of a data protection officer. It costs €32.50 per month plus VAT and is billed annually. The Privacy Kit includes web-based data protection management software, which you can use to cost-effectively address data protection issues. Moreover, we are also available to answer any questions you might have.
Additional information about the Privacy Kit can be found here.
For medium-sized companies that have an internal or external data protection officer, we offer support with our Compliance Kit, which provides data protection management software based on ISO standards.
Additional information about the Compliance Kit can be found here.
If you would like to receive a detailed offer, you can also request a non-binding cost estimate. Just fill out the form to quickly and easily determine the cost of an external data protection officer for your company.