External DPO (S)

Data protection officer for small businesses

nationwide | secure | individual consulting


Externer Berater in Köln für den Datenschutz und DSGVO
Page Content

    External Data Protection Officer

    External DPO (S) - GDPR for small businesses

    Are you looking for a (new) data protection officer? Custom fit, support and consulting included? We take care of your concerns - quickly and straightforward.

    Flat-rate package S for start-ups and small companies: Takeover of an existing DPO mandate or initial appointment by Cortina Consult - one price, everything included.

    Services and Prices

    • We provide you with a data protection officer
    • incl. data protection manual (DSMS) and employee training courses
    • compliant Website inkl.
    • we provide structure & coaching on all documents and questions concerning the DSGVO
    • this service takes place conveniently online
    • Setup costs - one-time at the start: 1375€

    175 € a month

    Audit | Implementation | Prevention

    3 steps to a data protection-compliant organization



    Have you selected the right package for your company? Then you can get started right away: Your new DPO introduces himself and discusses the further procedure with you. The foundation for the project that follows have been laid.


    Appointment and registration of the ext. data protection officer


    Personal DPO

    Cortina Consult provides the external data protection officer (DPO) for your company - and supports you in creating and implementing an effective data protection concept. From day 1 of the cooperation, the following services are included:

    • Providing an external data protection officer (DPO) by Cortina Consult.
    • Ext. DPO is mentioned on your website and/or privacy policy
    • Registration of the DPO with the state data protection authority
    • Introduction of the external data protection officer in the company
    • Contact person for authority, customers, employees
    • Short communication for acute questions: 2x per month

    Assessment as the basis for cooperation



    An initial assessment is the first official act of an external data protection officer. It determines the current situation of the data protection in the company, on the basis of which recommendations for action can be made.

    • Assessment of the situation regarding data protection (via questionnaire)
    • Status report and recommendation for action

    Communication via teams, ticket system, phone & email


    Ticket System

    Efficient support can be ensured with a modern, software-based ticket system. Simple handling facilitates communication so that your concerns can be processed as quickly as possible.


    as the basis of compliance with the GDPR


    Data protection management system

    A data protection management system (DSMS) is the basis for compliance with the GDPR in a company, because it supports the fulfillment of the verification and documentation obligations. We provide our DSMS. Here you can manage and check your documents easily and clearly.

    • Hosting and update of the data protection manual
    • Introduction to the DSMS: Remote Meeting
    • Updating of templates, checklists, etc.
    • Maintenance of the data protection manual


    Step-by-step implementation of the tasks at hand. After the initial assessment, we start the joint project - from the legally compliant website to the order-processing-contracts and TOM (technical-organizational measures).


    Information requirements
    Implementation of the requirements of Art. 13 /14 DSGVO


    Information requirements Art. 13/14 DSGVO

    Companies (and also public authorities) are obliged to inform subjects about data processing when collecting personal data.

    • Remote meeting to introduce the implementation of all relevant procedures in the company
    • Listing and documentation of all relevant procedures
    • Providing a HTML and Word template

    Privacy Policy and Cookie Consent Tool



    Nowadays, almost every company has a corporate website. According to DSGVO, this requires an imprint, a privacy policy and in most cases also a cookie banner. As web specialists, we take over the creation of imprint as well as DSE and CMP for you.

    • DSGVO Website Check
    • Creation of privacy policy (PP): 1 website
    • Social media DSE: on request
    • Hosting and update service for PP, incl. protection against warning fees
    • CookieBanner check and report: 1 website

    Employee data protection
    Onboarding of new employees and staff


    Employee data protection

    The requirements of the DSGVO must be taken into account - and documented - when onboarding new employees. In your data protection manual, you will find all the necessary templates, checklists and documents.

    Templates for onboarding new employees:

    • Drawing sheet
    • Commitment forms
    • Declarations of consent

    Employee training
    Data protection training for your staff


    Employee Training

    Raising employee awareness is an important part of the DSGVO in companies, not only for compliance, but also to prevent data protection incidents.

    • General introduction to the DSGVO (live webinar): max. 25 persons
    • Company-specific introduction to the DSGVO with individual choice of date (live webinar): on request
    • Documentation and proof of successful training attendance

    Review and creation of order processing contracts


    Order processing contracts

    Order processing contracts (OPC's) regulate the transfer of personal data between the controller and the processor/sub-provider to ensure that the data entrusted to it is only processed for the agreed purpose.

    • Provision of a list for the purpose of identifying all service providers (incl. updating)
    • Guidance for the introduction, creation and maintenance of OPC's: Remote Meeting with DSK
    • Provision of an OPC documentation template with sample sheet
    • Maintenance of OPC and service provider list
    • Number of checks of submitted OPC's: 5 OPC's/year

    Deletion concept
    Introduction into the creation of a deletion concept


    Deletion Concept

    Companies are obliged to delete personal data if it is no longer required and there is no legal obligation to retain it.

    • Provision of a template for the creation of a deletion concept.
    • Introduction to individualization and maintenance of content: Remote meeting with DSK

    Data protection incident
    Support guide for data protection incidents


    Data protection incident

    Should a data protection incident occur in the company, it is a matter of acting quickly and taking the right actions.

    • Providing an employee guide: "Guidance on handling data protection incidents".

    Compiling the register of processing activities


    Register of Data Processing Activities

    In a register of processing activities (DPA), the essential information on data processing is provided in order to make it available to the supervisory authority upon request. The essential information includes the purpose and the type of data processing as well as the description of the recipients.

    • Providing a process list, incl. updating
    • Provision of a DPA template with sample sheet
    • Instructions on how to create and maintain the process list: Remote meeting with DSK
    • Creating the DPA according to the process list: Remote meeting with DSK

    Concepts for technical-organizational measures


    Technical-Organizational Measures

    Technical and organizational measures relate to the framework conditions for data processing. They are implemented by means of instructions, processes and procedures and include rules, specifications and instructions for data protection such as

    • Provision of templates for concepts, documentation, guidelines.
    • General introduction to customization and maintenance of content: Remote Meeting
    • Templates for various employee policies and IT concepts, including:
    1. Guideline for dealing with IT systems
    2. Guidelines for dealing with the Internet and e-mail
    3. Authorization concept
    4. IT documentation

    Data protection impact assessment (if required)


    Data protection impact assessment

    A data protection impact assessment is a risk analysis resulting from the audit of the existing data protection concept in order to weigh up future measures.

    • Number of accompanied DPIA: on request

    Affected party requests
    Guideline for dealing with inquiries from affected parties


    Affected Party Requests

    Data subject rights refer to the right of data subjects to request information about the processing of their data. A data subject request must be followed up within a period of one month in a specific form (keyword: encryption).

    • Providing an employee guide: "Guidance on handling data protection requests".

    Write a message!


    Updating the data protection management system


    Service Desk
    Communication and support via ticket system, TEAMS, telephone and e-mail


    Ongoing services

    Some aspects require recurring attention. For example, if new employees join the company, they must also be trained. New service providers need an data processing agreement. The website evolves, adjustments to cookie banners and privacy policy may be required. The following services are therefore part of ongoing operations:


    Updating the data protection manual
    Updating of all documents created in the project


    Compliance Report
    Website check incl. update service of the Cloud DSE


    Compliance Report

    The CLOUD DSE we create and host is checked and updated automatically by us.


    DSGVO News
    Providing a newsletter (data protection information)


    DSGVO News

    HR departments and marketing departments in particular deal with personal data and need to keep up to date with the frequently changing legal situations. We provide you with the necessary information for a permanently secure handling.

    • Newsletter and regular information on relevant data protection news

    Easy communication and accessibility for follow-up questions


    Employee Training
    Data protection training for your staff


    Service Desk
    Even after project completion: communication and support via ticket system, TEAMS, telephone and e-mail


    Privacy Seal
    Cortina seal for your website + individual status URL for your company


    Privacy Hub
    Individual access to own company profile (Space)

    Looking for external data protection consulting?

    Pragmatic implementation of the GDPR requirements. Would you like to learn more about the Remote DPO's from Cortina Consult?


    Frequently Asked Questions about the DPO Packages

    Why Cortina Consult?

    The Cortina Consult team has been consulting large and small companies on data protection matters for over 10 years. In the meantime, we have grown into a team of data protection experts, lawyers, IT security experts and specialists for web compliance (privacy policy, cookie banners, information requirements) as well as programmers and UX designers. This extraordinary combination enables exceptional service from a single source, from which our customers from all industries benefit. Our claim is not only to offer the best quality service, but also to work budget-oriented and efficiently. For this reason, we offer more and more of our services online/remote.

    What is remote data protection consulting?

    In remote consulting, communication between consultant and client takes place via e-mail / telephone / video conference / data exchange server and other digital media. The physical presence of the consultant is therefore no longer necessary, which brings many advantages for both sides. After all, remote is not a trend that has only come about through Covid. For years, more and more services, especially in the area of consulting, have been offered online. We have all the necessary means to make the consulting and the process of implementation personal and effective. 

    What are the advantages of remote consulting?

    • Reduced consultant fee
    • No travel costs
    • Low infrastructure requirements
    • Flexible scheduling
    • Efficient and simple communication 
    • Time savings thanks to efficiency and flexibility 
    • Preservation of the personal level through video communication
    • Protection against contagion (Covid) 

    What are the requirements for remote consulting?

    1. Stable internet connection
    2. Installation of collaboration softwares like Zoom or similar
    3. Access to data exchange folders 

    Which package suits me best?

    DPO Small: 
    The Small package is for companies with a small budget or few data protection needs, such as retail, hospitality, and craft businesses. An initial assessment provides an overview of the current situation. The subscription price already covers the most important aspects of data protection, such as the assignment of the data protection officer, the data protection manual, the privacy policy and employee training. Templates and completion aids/instructions for contracts and more help with the implementation of other GDPR regulations. Following the principle of Do-It-Yourself and save money, the customer's own commitment is required during implementation.

    DSB Medium:
    The Medium package is for medium-sized companies with manageable data protection needs, such as advertising agencies, lawyers, consultants or online stores. A detailed assessment at the beginning creates the basis for further steps. The subscription price already covers the most important aspects of data protection, such as the assignment of the data protection officer, the data protection manual, the privacy policy and employee training. We support the implementation of further regulations with the help of templates and instructions.

    DPO Scale:
    The Scale package is for companies that need comprehensive data protection and do not want to do it themselves such as financial companies, HR service providers, software companies, corporations, international companies or data processing companies. You leave all the work to our data protection experts and enjoy full protection. The scope of the packages will be individually tailored to you after an initial needs analysis. Of course, all basic content such as the data protection handbook, a compliant website (privacy policy and cookie banner, information obligations) and employee training are included. Our legal, IT & web experts will advise you on all other data protection issues. If the issues are too complex, this can also be done on site.

    For small & medium enterprises, B2B

    175€ /Month

    • We provide your DPO
    • Initial analysis (document analysis)
    • Digital privacy manual (web-based platform)
    • Onboarding, coaching & progress review included.
    • Employee training (eLearning up to 25 employees)
    • Privacy hub: SMALL Package
    • Cookie banner (check & consulting), subsequent monitoring / reporting
    • Privacy policy for websites (1x CLOUD DSE), incl. protection against warning costs
    • Communication via TEAMS, phone & e-mail
    • Project management via service desk & ticket system
    • Support Hotline (IT, Legal, Web)
    • No travel expenses, flexible scheduling
    • Update Service & Newsletter
    • Personal contact

    Perfect for e-commerce, logistics, IT & B2C

    275€ /Month

    • We provide your DPO, incl. subsidiaries
    • Inventory (audit & document analysis)
    • Digital data protection manual (web-based platform) with 3 access points
    • Onboarding, coaching & progress review included.
    • Employee training (eLearning up to 75 employees)
    • Privacy Hub: MEDIUM Package
    • Cookie banner (check & consulting), subsequent monitoring / reporting
    • Privacy policy for websites (3x CLOUD DSE), incl. warning cost protection
    • Social Media Privacy Policy (e.g. Xing, FB, IG)
    • Communication via TEAMS, phone & e-mail
    • Project management via service desk & ticket system
    • Instant support (IT, Legal, Web)
    • Controlling: We keep an eye on your projects
    • No travel expenses, flexible scheduling
    • Update Service & Newsletter
    • Data protection seal
    • Personal contact

    Perfect for companies with more complex requirements & B2C

    Upon request

    • We provide your DPO, incl. subsidiaries, groups etc.
    • Inventory (audit & document analysis)
    • Digital data protection manual (web-based platform) with any number of accesses
    • Employee training (onsite, individual webinars, eLearning).
    • Privacy Hub: ENTERPRISE Package
    • Cookie Banner (implementation, configuration), subsequent monitoring / reporting
    • Privacy policy website (CLOUD DSE), incl. protection against warning costs
    • Social Media Privacy Policy (e.g. Xing, FB, IG)
    • Communication via TEAMS, phone & e-mail
    • Project management via service desk & ticket system
    • Instant support (IT, Recht, Web)
    • Onboarding, coaching & progress review including communication.
    • Data protection seal
    • Update service & newsletter (company-specific)
    • Personal contact & project manager
    • Individual package: scope according to contract
    Datenschutzsiegel-blau-coco_Zeichenfläche 1
    • Specialists from Law, IT & Web and Performance Marketing
    • Support tailored to your needs
    • Personal consultants
    • Digital project management

    Do you still have questions about the topic or about data protection in general?

    We are happy to help you:


    Your data protection officer

    Jörg ter Beek
    Data protection expert


    Sensibilisierung neuer MitarbeiterInnen


    Service Desk
    Auch nach Projektabschluss: Kommunikation und Support via Ticketsystem, TEAMS, Telefon und E-Mail


    Cortina DSB-Siegel für deine Website + individuelle Status-URL für dein Unternehmen


    Privacy Hub
    Individueller Zugang zum eigenen Unternehmensprofil (Space)