Your benefits
-
Expertise in the corporate group structureThe group data protection officer has many years of expertise in setting up a data protection organization across the entire corporate group.
-
Specialized knowledge in an international context
We are a tried-and-tested consulting partner when it comes to dealing with country-specific issues and structural differences.
-
Integrated solutions
We ensure a uniform level of data protection within the group that regulates processes within the corporate group in a legally secure and economically sensible manner.
Professional data protection management for corporations
Organizing data processing globally and thus minimizing corporate risks is a major challenge in a corporate group structure. In order to centralize data protection, a group of companies can appoint one person as its group data protection officer. The Group Data Protection Officer performs the tasks in accordance with Article 39 of the GDPR. In doing so, he centrally controls and monitors the implementation of the GDPR in the group.
We, intersoft consulting services AG, have been supporting corporate groups in data protection for more than a decade and always follow a hands-on approach. Our group data protection officers are lawyers with a great deal of technical understanding. An external group data protection officer of intersoft consulting ensures uniform data protection standards within the group of companies and also includes individual differences in the cross-national consulting. The external group data protection officer can quickly capture complex issues, always maintains an objective view and is a professional contact for authorities and affected parties. He or she works with you as part of a team and is absolutely confident in leadership and negotiating skills.
Together with you, we centrally ensure data protection-compliant processing within your group structure with the external group data protection officer. In doing so, we always take into account individual business interests and structural conditions. In his function, your external Group Data Protection Officer reports to the highest management level of the corporate group.
In the beginning, the external group data protection officer carries out an analysis of the current situation. The status of the implementation of data protection throughout the group is determined and, in the event of deviations, a risk assessment is carried out and recommendations for action are identified. The results also serve as a basis for ongoing activities in the role of the group data protection officer.
As part of our ongoing consulting services, we provide support for you in setting up a global data protection organization – using the so-called coordinator model. Data protection coordinators or data protection champions are appointed in the individual group companies to support the group data protection officer. Within their area of responsibility, the data protection coordinators support the management and the Group Data Protection Officer in implementing data protection regulations and act as an interface between local authorities and data subjects and the centrally located group data protection officer. We have had very good experience with the coordinator model for many years, have excellent expertise and proven best practices.
This is how we can support you
- Position of an external group data protection officer
- Establishment of a global data protection organization
- Carrying out a state analysis (data protection check)
- Establishment of a data protection management system based on the GDPR
- Training of data protection coordinators and consulting during ongoing operations
- Development of strategic data protection documents such as data protection guidelines / privacy policies, templates, or a data protection concept
- Advice on data transfers abroad in compliance with data protection requirements and on the exchange of personal data within the group
- Design of data protection processes such as information and complaint management or notification of data protection violations
- Monitoring the implementation of data protection regulations
Frequently asked questions about the group data protection officer
We’ll tell you what you should know about the role of the group data protection officer.
A significant challenge for data processing within different corporate groups is that there is no so-called “group privilege” in data protection law. This means that if personal data is transferred to a third party, i.e., outside the company itself, it does not matter whether this third party is a third party or a company within the group structure.
The GDPR provides some relief in group data protection for data transfers based on a legitimate interest of the companies involved. According to Recital 48 of the GDPR, data controllers that are part of a group of companies may have a legitimate interest in transferring personal data within this group for internal administrative purposes. Due to the lack of group privilege in the area of data protection, it is important to ensure that a legal basis exists for any intra-group exchange of personal data. Our experienced data protection consultants will be happy to help you implement data transfers within the corporate group that comply with data protection requirements.
The lack of group privilege poses challenges for group companies. Outsourcing certain corporate areas (e.g., accounting, human resources management or payroll) and centralizing data processing at the group parent will not be possible without further ado.
When introducing and using a group database, it must be clarified, for example, which company is actually “responsible” or whether “joint responsibility” between the participating group companies can even be considered. Under certain circumstances, commissioned processing may also be considered. In addition, companies are under an obligation to base each intra-group transfer of personal data on a valid legal basis. If a group company involved is located in a third country, additional requirements have to be fulfilled. If the group company independently processes employee data that it receives from a group company from the EEA area, the standard contractual clauses provided by the European Commission require supplementary regulations for data protection-compliant data transfer of employee data.
According to Art. 37 (2) GDPR, a group of companies may appoint a joint data protection officer, provided that the data protection officer can be reached from each branch. This was already permissible and customary under the German Federal Data Protection Act (BDSG). The GDPR makes this even easier. A significant advantage of appointing a group data protection officer is the establishment of a uniform level of data protection in the entrepreneurial group through the central organization.
Various models are available to achieve this purpose. Under the so-called single model, one and the same person can hold the function of data protection officer for several or all group companies. In this case, each group subsidiary has properly appointed this person as Group Data Protection Officer. The larger the corporate group, the more resources and employees the Group Data Protection Officer requires in the single model.
An alternative to this is the so-called coordinator model. In this model, each company in the group appoints its own data protection officer, while the group-wide data privacy organization is coordinated by a Group Data Protection Officer. What both models have in common is that all the threads come together at one expert office in order to find uniform solutions for cross-company issues in data privacy.
Competence of more than 60 consultants
- Doctor of Law
- Author and co-author of various specialist books
- Practical experience in various data protection supervisory authorities and law firms with a focus on data protection and IT law
- Rechtsanwalt (Attorney-At-Law)
- State-certified Business IT Specialist
- Extensive experience as a data protection consultant for international corporations
- Rechtsanwalt (Attorney-At-Law)
- Data protection officer (TÜV‑certified)
- Many years of experience as in-house lawyer in trade and industry associations
- Rechtsanwältin (Attorney-At-Law)
- Master of Laws (LL.M.) in Information Technology Law and Intellectual Property Law
- Many years of expertise as a data protection consultant
- Rechtsanwältin (Attorney-At-Law)
- Data protection officer (TÜV‑certified)
- Expertise in data protection
- Practical experience in an international law firm
Competence Center for Applied Security Technology e.V. (CAST)
As a CAST member, we enjoy access to an established competence network. The association is the contact for IT security and state-of-the-art information technology and offers a wide range of services as well as knowledge and experience exchange at a high level.
CIPM Certification
Consultants from intersoft consulting services AG have been certified as Certified Information Privacy Managers (CIPM) by the International Association of Privacy Professionals (IAPP). The CIPM is the only globally accredited certification in data privacy management and trains contact persons with a high level of expertise for day-to-day business in all aspects of data protection. The certification is also ISO accredited (ISO 17024:2012).
Alliance for Cyber Security
The Alliance for Cyber Security (ACS) is an initiative of the German Federal Office for Information Security (BSI), which is proactively dedicated to combating cyber threats. intersoft consulting services AG is a partner of the ACS and is proactively committed to strengthening IT security in companies.
Cyber Security Council Germany e.V.
Cyber-Sicherheitsrat Deutschland e.V. is an association whose purpose is to promote the security of business and society in the age of digitalization and also to position itself as a pioneer internationally. Companies, authorities and political decision-makers shall be strengthened in the fight against cybercrime. As a member, intersoft consulting services AG is proactively involved and advises companies with great competence in the area of cyber security.
Committed according to association criteria of the BvD
intersoft consulting services and its external data protection officers are obligated to comply with the association criteria of “expertise” and “reliability” of the German Association of Data Protection Officers (BvD). (BvD). The criteria guarantee a high and constant level of data protection.
IAPP Corporate Member
Through our corporate membership in the International Association of Privacy Professionals (IAPP), our consultants are interconnected with leading data protection and IT security experts worldwide. As an internationally recognized standard, IAPP signals a high level of trust and is gaining in importance due to the GDPR.
ISO 9001 certified
With the certification of its quality management according to ISO 9001, intersoft consulting services AG documents its efforts to continuously improve its services, processes and cost efficiency in order to further increase customer and employee satisfaction.
View certificate
Hamburg Data Protection Society e.V. (HDG)
The “Hamburger Gesellschaft zur Förderung des Datenschutzes e.V.” was founded as a forum for data protection by representatives from business, science and the media. As a member of the HDG, we actively participate in the further development of data protection topics.
- Fully qualified lawyers (2 state examinations), including attorneys with doctorates
- Specialists in IT law, intellectual property law, copyright and media law, insurance law and social law
- Master of Laws in IT law, media law, intellectual property law and industrial property law
- Bachelor of Laws in information law and business law
- TÜV‑certified data protection officers and data protection auditors
- Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E)
- IT‑Compliance Manager (ISACA) and Compliance Officer (TÜV)
- Data Protection Officer following association criteria (BvD)
- BSI certified audit team leader for ISO 27001 based on IT baseline protection, De‑Mail auditor and IS auditor
- ISO/IEC 27001 Lead Auditor, ISO/IEC 27001 Implementer, ISO/IEC 27001 Practitioner
- GIAC Certified Forensic Examiner, GIAC Advanced Smartphone Forensics, GIAC Reverse Engineering Malware, GIAC Cyber Threat Intelligence, GIAC Certified Incident Handler, GIAC Penetration Tester, GIAC Battlefield Forensics and Acquisition
- IT Security Officer (TÜV)
- Computer scientist and business information scientist
- Master of Engineering IT Security and Forensics
- Bachelor of Science General and Digital Forensics
- Cyber Security Practitioner (ISACA), IT Information Security Practitioner (ISACA)
References
Our locations
Contact us
