Have any Questions? +49 (511) 165 80 40 90

Our Services as external data protection officers

As external data protection officers, we support you in an advisory capacity. Our collaboration is designed for the long term: in an iterative process, we get to know your company better and better. As a result, we not only optimize your data protection management, but can also provide quick and pragmatic help in the event of data protection mishaps.

  • Advice on all issues relating to data protection
  • Training and awareness
  • Creation of privacy policies
  • Creation of consent forms
  • Preparation of records of processing activities (ROPA)
  • Data protection impact assessments
  • Assistance with requests for information and other inquiries
  • Communication with authorities, contractors, etc.

Responsibilities of the data protection officer


Informing and advising the controller and the employees who carry out processing operations regarding their obligations under the GDPR and other relevant data protection regulations.


Monitoring compliance with data protection regulations and internal processes, including assignment of responsibilities, awareness and training.

Data protection impact assessment

Advice in connection with the data protection impact assessment and monitoring of its implementation for processing activities that may pose a particularly high risk to data subjects.

Cooperation with supervisory authorities

Cooperation with the supervisory authority, including acting as a point of contact for the supervisory authority on data processing related issues.

When is there an obligation to appoint an external data protection officer?

20+ Employees



Sensitive data

The obligation to appoint a data protection officer exists if

  • at least 20 persons are permanently involved in the automated processing of personal data,
  • personal data are processed commercially for the purpose of transmission, anonymized transmission or for the purpose of market or opinion research,
  • the core activity of the controller or processor consists in carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or
  • the core activity consists in the processing of special categories of personal data or of personal data concerning criminal activities or criminal convictions.

Why is an external data protection officer useful even without the obligation to appoint one?

Violations of data protection law can quickly lead to high costs due to the various sanction measures of the GDPR. In addition, data protection mishaps require immediate action (within 72 hours) in order to respond in a timely manner and to avoid a fine on top of any damage caused by the mishap itself. With professional advice, you not only minimize the risks, but also have a designated contact person at your side who knows you and your processing operations and can provide immediate advice and support in difficult situations.

To be precise, the following financial risks may arise:

Up to 20mio €

For instance, in the case of

  • violations of the principles of processing (e.g. processing of personal data without a legal basis or a breach of the principle of data minimization),
  • violations of the data subject rights of the GDPR (e.g., correctly informing the data subjects or the right of access), or
  • a transfer to a third country where there were no appropriate safeguards to ensure an adequate level of data protection (e.g., the use of IT services from providers in the U.S.),

a fine of up to €20m or 4% of global turnover may be imposed.

Up to 10mio €

For instance, in the case of

  • violations of the security of processing (e.g., improperly secured facilities for processing personal data),
  • violations of the notification and information obligations in the event of data protection mishaps,
  • improper implementation of privacy-by-design and privacy-by-default requirements (e.g., incorrect data protection default settings), or
  • violations when using processors (e.g., the conclusion of processing contracts with IT service providers),

a fine of up to €10m or 2% of global turnover may be imposed.

??? €

Compensation for damages

In addition to fines, there is also the risk of having to pay damages:

  • Compensation for material and non-material damage to persons affected by the processing activity.
  • Compensation from competitors due to infringements of competition law.

The amount depends on the individual case. Although it seems unlikely that damages on the scale of the (theoretically possible) fines will have to be paid, there may well be a relevant cost risk here, particularly for small and medium-sized enterprises.


You don't have any experience with the topic of data protection yet? A typical schedule of our consulting services looks like this:

Appointment as DPO

First, you appoint us as your data protection officers. In doing so, we tailor our offer to your needs.

Creation / testing of the ROPA

The first step is to create the register of processing activities (ROPA) in order to obtain a structured overview of the processes that require the processing of personal data.

Identification of fields of action

Based on the ROPA, fields of action can then be identified and prioritized.

Adapt and document processes

Processes and procedures are adapted in a data protection-friendly manner. In doing so, we make sure to leverage as many synergies as possible with existing processes and responsibilities to enable effective and economical implementation.

Provide documents

Information requirements, consent forms, etc. are created or revised in line with data protection requirements. In doing so, we are guided by your processes and needs.


Contact us and request a free and non-binding offer.



... is a data protection consulting firm based in Hanover (Germany) and Vienna (Austria) that places great value on individual consulting and the development of pragmatic solutions. Our team consists exclusively of lawyers who have specialized in data protection and have a certain nerd factor to optimally fill the niche between law and technology.

Contact us

lexICT GmbH
Ostfeldstraße 49
30559 Hannover

+49 (511) 165 80 40 90

+49 (511) 165 80 40 99

Copyright 2023. All Rights Reserved.