The GDPR applies to people, companies and corporations of all sizes which process personal data of EU residents. Limits currently apply in Germany regarding company size: If more than nine employees in your company process personal data, you must appoint a data protection officer. Our team provides you with an external data protection officer, thus giving you peace of mind when it comes to complying with the legal regulations.

You have two options: appointing an internal data protection officer – who must prove specialist knowledge and whose contract cannot be terminated after being assigned this role – or choosing an external data protection officer.


The benefits of an external data protection officer from TÜV Hessen

  • Legal certainty
  • No training period required
  • Access to years of expert knowledge
  • Complete cost control
  • No costs for further training
  • Neutral consultation
  • No conflicts of interest with other tasks
  • Calculable costs
  • No additional costs for training employees as data protection officers
  • Impartiality if you employ us as an external data protection officer
  • Neutral position gives ability to mediate, for example between company management, departments, works council, employees


Our services in detail

  • Check-up for EU GDPR (gap analysis)
  • Provision of an external data protection officer
  • Consultation and support for your internal data protection officer when implementing your data protection projects
  • Use of our data protection expertise from a wide range of sectors for your individual situation


Legal background

Already legally valid, the EU General Data Protection Regulation (GDPR) will take effect on May 25, 2018. In Germany, the GDPR will be supplemented by a “new” Federal Data Protection Act. Currently, companies in which more than nine people are permanently employed with the automated processing of personal data are obliged to appoint a data protection officer in accordance with the German Federal Data Protection Act (BDSG).

If you have any questions on the topic of data protection officers, or if you require additional information, please call us or contact us via email.



Rufen Sie uns an

+49 6151 600-394

Frequently asked questions about data protection and the EU GDPR


What is data protection?<br/> Data protection is the permanent guarantee that personal data is processed, used and stored within the scope of legal and contractual parameters. The EU GDPR will noticeably tighten the already stringent requirements for data protection in Germany.

When does the EU GDPR take effect? <br/> The European General Data Protection Regulation was passed in 2016. It applies to all companies located in the European Union or that provide goods and services to EU citizens, regardless of size and sector. The regulation will take effect in every EU member state from May 25, 2018, without previously being implemented in national laws.

Why is the EU GDPR necessary?<br/> A uniform data protection regulation in Europe became a necessity due to globalization and the sometimes unchecked fragmentation and redundancy of data on different platforms and increasingly cloud-based systems – including those outside Germany and Europe. The EU has shown itself willing to stem the questionable handling of personal data by some states and organizations, which use this data for purposes other than that for which it was originally intended and offer different or no explanations at all for this misappropriation.

Who has to appoint a data protection officer?<br/> Those most affected by these changes include medical practices and other establishments in the healthcare sector (e.g. care homes, hospitals etc.), forwarding agents, recruitment agencies, law offices (with a focus on criminal law), trade unions and/or other professional organizations whose activities include membership administration.

When is a data protection officer required according to the GDPR?<br/> All companies that mainly process the special data categories listed below are obliged to designate a data protection officer in accordance with Article 37 of the EU GDPR. The German Federal Data Protection Act, according to which a data protection officer is required when more than nine people are permanently employed with the automated processing of personal data, would then become redundant. According to Article 9 of the EU GDPR, special categories of personal data are those which contain information on:

  • racial and ethnic origin
  • political opinions
  • religious or ideological views
  • trade union membership

and the processing of

  • genetic data
  • biometric data for unique identification of a natural person
  • health data
  • data on sexual relationships or the sexual orientation of an individual
  • personal data on criminal convictions and crimes in accordance with Article 10

What are the consequences of non-compliance? <br/> From May 25, 2018, data protection violations can be sanctioned with fines of up to EUR 20 million or 4 percent of the worldwide turnover (within a group!). In addition, the cessation of the violation in accordance with Art. 58 Para. 2 can be supplemented with the instruction to adapt the data processing procedure to comply with the legal regulations, as well as a ban on data processing either permanently or for a limited time.