Legal requirements for the appointment of a data protection officer
With the entry into force of the General Data Protection Regulation (GDPR), the concept of the data protection officer was established at European level. Whether a company in Europe is obliged to appoint a data protection officer now depends on its (core) areas of activity or its size. In particular, companies that carry out extensive processing of special categories of personal data, or extensive data processing in general, must appoint a company data protection officer.
In Germany, the obligation of non-public companies to appoint a data protection officer is specified in Section 38 of the Federal Data Protection Act (BDSG). It stipulates that a data protection officer must be appointed if, as a rule, at least 20 persons are permanently employed with the automated processing of personal data.
Section 38 of the BDSG further stipulates that a data protection officer must be appointed if processing is carried out that is subject to a data protection impact assessment (Article 35 of the GDPR), or if personal data is processed on a business basis for the purpose of transmission, anonymized transmission, or market or opinion research.
Alternatives to the appointment of a data protection officer
Corporate groups and companies have two options for fulfilling their obligation to appoint a data protection officer: they either appoint an employee as internal data protection officer or appoint an external data protection officer. When making this decision, they should ensure, on the one hand, that the prospective data protection officer is not subject to any conflict of interest, since an employee of the IT department, the HR department or management would have to monitor himself or herself.
On the other hand, taking on the role of data protection officer requires specific expertise in data protection law and IT security, which can make the selection difficult. Appointing an external data protection officer is therefore a very good alternative for many groups and companies, since both a conflict of interest and a lack of specialist knowledge can be ruled out.
Tasks of a data protection officer
The tasks of the data protection officer include:
- Informing and advising the controller and processor with regard to their obligations under the statutory data protection provisions
- Sensitization and training of employees
- Working towards compliance with all data protection regulations relevant to the group or the company
- Advising on all issues related to the protection of personal data
- Monitoring processing operations and their compliance with the requirements for the protection of personal data
- Consulting and monitoring for the implementation of data protection impact assessments
- Cooperation with the supervisory authority
Sanctions
If a group or company intentionally or negligently fails to appoint a company data protection officer, this constitutes an administrative offense that is punishable by a fine.
An overview of the sanctions imposed by the data protection supervisory authorities can be found here.