Data protection according to GDPR
Data Protection Officer Duties and Appointment
The data protection officer is the person responsible for coordinating and monitoring compliance with the requirements of the General Data Protection Regulation (GDPR). Many companies in the European Union are obliged to appoint a data protection officer. In the following article, we inform you about the obligation to appoint a data protection officer, the differences and the tasks of the data protection officer.
Content on the subject of data protection officer:
Types and responsibilities of data protection officers
Data Protection Officers (abbreviated as "DPOs") exist for different areas of responsibility, at the federal level there is the Federal Commissioner for Data Protection and Information Security (BfDI) Ulrich Kelber, in the individual federal states there are so-called state data protection officers and in companies there are company data protection officers. Company data protection officers can be divided into internal and external DPOs.
Federal Commissioner for Data Protection
The Federal Commissioner for Data Protection and Information Security is responsible for the processing of personal data of all federal public bodies as well as all non-public bodies, from the area of telecommunications and postal service companies. In addition, he advises private companies that fall under the Security Review Act and is the competent supervisory authority for the job centres. One of the most important tasks of the BfDI is to inform the German Bundestag and the public about developments in the private sector that are relevant to data protection.
State Data Protection Commissioner
The state data protection commissioners are the data protection commissioners of the respective federal states and are responsible for reviewing data protection in authorities and public bodies, within the respective federal state. They also act as supervisory authorities and monitor compliance with data protection law in companies, associations, self-employed persons and clubs in the federal state.
Company data protection officers
The company data protection officer supports companies in complying with data protection and implementing the GDPR. Unlike the Federal Commissioner and the State Commissioners, this is not a state institution, but rather an expert in the field of data protection who is responsible, among other things, for training employees, managing data protection measures or acting as an interface between the company and the supervisory authority.
Internal data protection officer
An internal DPO is directly employed by a company and has been appointed by the management as the person responsible for implementing corporate data protection. Often, employees are entrusted with the activity of data protection in addition to existing tasks, for which further training and a certain expertise in this area are necessary. If an existing employee is to be appointed as an internal DPO, it should be noted that the employee must not belong to the IT department, the HR department or the management. Otherwise, the employee would have to control himself/herself and there would be a conflict of interest.
External Data Protection Officer
An external data protection expert is an external consultant appointed by a company to implement operational data protection as the responsible person. The main difference to the internal data protection officer is that the external DPO is not directly employed by the company but also supports other companies in the implementation of the General Data Protection Regulation (GDPR). External data protection officers often have the necessary qualifications and experience, but usually need more time to integrate into the company structure.
Data Protection Officer
The tasks of the company data protection officer and the official data protection officer hardly differ from each other. The main difference between these two types of data protection officers is that the data controller is not, for example, a company from the private sector, but a public authority or public body.
Who must appoint a data protection officer?
The obligation to appoint a data protection officer applies in accordance with GDPR primarily to public authorities and public bodies. But also companies whose core activity is the particularly extensive processing of personal data or the processing of special categories of data (in accordance with Article 9 and 10(GDPR), must appoint a data protection officer in accordance with the GDPR. (see Article 37 GDPR)
An opening clause in the GDPR offers each member state the opportunity to create stricter conditions for the appointment of an in-house data protection officer. In the new Federal Data Protection Act, for example, Germany has, among other things, regulated the obligation to appoint company data protection officers more strictly than in the GDPR.
Thus, the appointment of a data protection officer according to Art 38 BDSG compulsory for all companies in Germany, insofar as at least 20 employees (Federal Council decision on 20 September 2019) constantly deal with the automated processing of personal data.
In summary, as a private company, it is easy to assess whether the appointment of a data protection officer is necessary on the basis of three criteria. If at least one of the three criteria applies, there is a legal obligation to appoint a data protection officer. The criteria are:
- The number of employees who regularly and recurrently work with personal data is at least 20 (employees are also auxiliary staff, trainees, temporary workers or freelancers)
- Processing of a special category of personal data takes place. (This includes race, ethnic origin, political opinion, religious beliefs, trade union membership, health, sexual life or criminal behaviour - see Article 9 and 10 GDPR)
- Personal data are transferred, collected, processed or used on a business basis (i.e. the core activity of the company consists of these processing operations).
The intentional or negligent failure to appoint a company data protection officer constitutes an administrative offence subject to a fine.
Even if the company is not subject to the obligation to appoint a data protection officer according to legal requirements, the regulations of data protection law must nevertheless be fully complied with. This poses a particular challenge for smaller companies, as they simply lack data protection expertise. In such cases it makes perfect sense to voluntarily appoint a data protection officer.
Tasks of the Data Protection Officer
As an expert in data protection, the data protection officer has the task of ensuring that the requirements of the General Data Protection Regulation in the company and to prevent data protection breaches. In Article 39 GDPR the tasks of the data protection officer are regulated in detail:
- Informing and advising the controller or processor and the employees carrying out processing operations about their obligations under this Regulation and under other Union or Member State data protection legislation;
- Monitoring compliance with this Regulation, other Union or Member State data protection legislation and the controller's or processor's personal data protection policies, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and audits thereof;
- Advice - upon request - in connection with the data protection impact assessment and monitoring of its implementation pursuant to Article 35 (https://help.robin-data.io/artikel-35-dsgvo);
- Cooperation with the supervisory authority;
- Acting as a contact point for the supervisory authority on issues related to the processing, including prior consultation pursuant to Article 36, and, if necessary, advice on any other issues.
By teaching, advising and assisting companies in many processes, such as the Data protection impact assessment supports, the danger of Data Protection Breaches greatly reduced. Should a mishap nevertheless occur, the DPO helps to report it to the competent supervisory authority. The DPO acts as a contact point and mediator in the event of (queries) regarding data protection law from companies, supervisory authorities and data subjects.
Information and consultation
Data protection officers are obliged to provide information about the existing obligations under data protection law. This obligation exists both vis-à-vis the controllers as well as towards the employees. Especially employees who process individual-related data must be trained or sensitised in the handling of data, technical devices and with regard to the existing electronic dangers. Such instruction is possible, for example, through regular e-mail communication. Counselling also plays a major role and in this case means support in solving concrete problems.
As a branch of the supervisory authority the DPO also monitors compliance with all data protection requirements in the company or in an organisation. The DPO is responsible for the internal assignment of responsibilities and tasks to the person in charge, as well as for the sensitisation and training of employees, and for the corresponding review.
Creation of guidelines
In the company, the data protection officer also assists in the drafting of legal documents that are related to data protection law. These include company agreements, but also internal regulations and guidelines. As advisors, data protection officers support the preparation of data protection declarations, which serve the fulfilment of the data protection requirements of the Duty to inform . The creation of the data protection documentationwhich is decisive for the fulfilment of the obligations of proof and accountability under data protection law, is carried out by the Data Protection Officer.
Carrying out a data protection impact assessment
If certain data processing operations are carried out in the company, the performance of a Data protection impact assessment to be carried out. In this case, the controller seeks the advice of the DPO and clarifies, for example, whether a data protection impact assessment is required. The DPO will also help with questions about the procedure, which will ensure that the DPIA is carried out properly.
Drawing up the register of processing activities
Both controllers and processors are legally obliged to create processing directories. However, these can become very extensive. A DPO can advise at this point and check the directory for its conclusiveness, for example. Often data protection officers work with Data protection management systemswhich can assist in the creation of the register of processing activities.
Data protection incidents and data subject enquiries
The support of a data protection officer is particularly helpful for important processes and reporting requirements. If a data protection breach occurs, there is not much time before it is reported to the responsible supervisory authority Accordingly, it is important to implement effective processes that let employees know when a data protection incident has occurred and how the DPO is to be involved. In doing so, the DPO acts as an advisor at the side of the data controller.
Employee training on data protection law
In the case of employee training in data protection law, a fundamental distinction must be made between briefings and training. While the data protection officer must instruct and advise employees, the data protection officer is responsible for the actual training. Due to the fluid boundary between training and information.If the training is to be provided, the DPO should at least be involved in the design of the training. Data Protection Officers are only obliged to supervise the implementation of training, but often it is the Data Protection Officers themselves who provide the training. These trainings can be either general or, if necessary, sector-specific.
Participation in employee checks
If there is a ban in a company, e.g. with regard to private internet use, or if there is a fear of misuse, it is necessary for the person responsible to intervene and carry out a check. In order to comply with the rights of employees, the DPO must be involved in these controls.
Consultation of the works council
Another task of the data protection officer is to advise the works council. In addition to providing technical advice, this also requires mediation skills.
Internal versus external data protection officer
The Data Protection Officer may be appointed internally or externally. Internal data protection officers are employees of the company who usually devote themselves to other tasks in addition to their data protection activities. The advantage of an internal data protection officer is that they know the company processes well and probably does not have to familiarise themself with the structures. On the other hand, they will have to acquire extensive data protection expertise in order to do justice to their task. This usually goes hand in hand with costly training courses. In addition, care must be taken to ensure that an internal DPO is not subject to a conflict of interest, i.e. that they do not have to monitor themself. An external data protection officer must first familiarise themself with the company's processes, but brings profound data protection expertise and experience, which means they can probably advise with pragmatic solutions. Which of the two options is more beneficial for a company depends heavily on the requirements of a company.
Position of the Supervisor
In order to be able to fulfil their duties, the GDPR stipulates that a data protection officer must be properly involved at an early stage in all matters relating to the protection of personal data (Article 38 GDPR). To this end, the Data Protection Officer shall have access to all information, processing activities or other resources necessary for this purpose.
The Data Protection Officer may not receive any instructions concerning the performance oftheir duties, nor may they be removed or discriminated against in the performance of those duties. Internal Data Protection Officers even enjoy special protection against dismissal.
DPOs should therefore be able to perform their duties and tasks in complete independence, whether they are employees (i.e. internal data protection officers) or not.
In addition, the Data Protection Officer shall be subject to an obligation of secrecy or confidentiality in the performance of their duties.
Contact point for "internals" and "externals
Data protection officers are the contact persons for data protection issues. This applies both internally within the company for employers, employees and the works council, as well as for external persons. These include, among others, customers, suppliers and data subjects who want information on data protection issues. To enable external persons to contact the DPO, it is important that the contact details are easily accessible (e.g. on the website). In addition to the postal address, the e-mail address must also be provided, while the telephone number is not required.
Contact person of the supervisory authority
Also for the supervisory authority the data protection advisor is a contact person. They act as a kind of branch office of the competent supervisory authority and ensures that the data protection regulations are complied with within the company or organisation. The data protection advisor is the direct contact person for enquiries and inspections by the supervisory authority. Accordingly, it is necessary to notify the supervisory authority of the contact details of the DPO.
What qualifications does a data protection officer need?
The data protection officer, whether internal or external, must have a qualification/expert status. This must be proven by appropriate training and further education and confirmed by official test seals. Since data protection officers act as contact persons within the company as well as for supervisory authorities, communication skills should not be disregarded. This is also necessary when it comes to justifying and implementing proposals for solutions and improvements within the company.
However, concrete specifications with regard to knowledge or training are neither in the GDPR nor provided for in the Federal Data Protection Act. Therefore, in principle, anyone can become a data protection officer. However, with regard to the expertise of a data protection officer, it is advisable to have further interdisciplinary knowledge in addition to knowledge in the area of data protection and data protection law.
This knowledge should cover the areas of risk, project and quality management as well as information security. Furthermore, practical skills such as setting up a data protection management system in companies or public authorities and experience in the consulting environment are advantageous.
The complex requirements of the job description of a data protection officer can now be verified by a university degree. There are currently no more than two such state qualifications in Germany. Data Protection Officer Certifications.
Costs for a data protection officer in the company
The appointment of a data protection officer is always associated with costs. In terms of costs, there are differences between the internal and external appointment of a data protection officer. The internal further training of an employee or the new appointment of an internal data protection officer are compared to the monthly costs as well as individual consultation by an external data protection officer. The costs for an external data protection officer depend on the extent to which the company processes personal data or what kind of personal data is processed and how large the company is and how complex its corporate structure is. Therefore, it is hardly possible to make a general statement about the costs of an external data protection officer.
If you are interested in the costs of an external data protection officer for your company in particular, we will be happy to provide you with an offer free of charge and without obligation.
Personal liability of a Data Protection Officer
In terms of data protection law, the responsible body is always the company itself. The data protection officer has, according to Article 39 GDPR, however, clearly defined tasks, including a comprehensive duty of control. If a breach of data protection becomes serious, high fines may be imposed. If it can be proven that the Data Protection Officer has neglected their duties, this results in claims for damages against them.
Internal data protection officers are employees and are therefore subject to labour law with their liability. However, the following also applies here: whoever acts with intent or gross negligence is regularly liable alone and in full. In the case of normal negligence, the burden is usually shared between employer and employee and only in the case of slight negligence is the internal Data Protection Officer exempted from liability.
The situation is similar for external data protection officers, except that they are of course not subject to the regulations of labour law. As a rule, therefore, external data protection officers are fully liable to the injured party even in cases of slight negligence.
The liability of a data protection officer is an issue that has not yet received much attention. This is because, in practice, fines and therefore also claims for damages have not yet played a major role. However, with increasing regulations on fines, it will certainly become more important in the future.
If the data protection officer has been appointed, the controller must make the contact details public and notify the supervisory authority of the appointment. In the case of groups of companies, a joint company data protection officer may also be appointed.
What are the penalties for not appointing a data protection officer?
If a company fails to comply with its obligation to appoint a data protection officer, it may be liable to prosecution under the Data Protection Act. Art. 83 para. 4 Fines of up to €10 million or 2% of the total annual turnover achieved worldwide in the previous financial year, whichever is higher.
Information from the data protection supervisory authorities
- Federal Data Protection Commissioner for Data Protection and Information Security: The data protection commissioners in public authorities and companies (Link)
- Data Protection Authority Bavaria: The Data Protection Officer (DPO) - Art. 37 to 39 DS-GVO (Link)
- Data Protection Authority North Rhine-Westphalia: FAQ on the data protection officer (Link)
- Data Protection Authority of Lower Saxony: Data Protection Commissioner - Appointment, Position and Tasks (Link)
- Data Protection Authority Rhineland-Palatinate: Data Protection Officer and Data Protection Management (Link)
- The European Data Protection Supervisor: DPO Corner (Link)
- EU Commission: Data Protection Commissioner (Link)