Important in brief: the appointment of a data protection officer
Appointing a data protection officer means formally designating a person to that role. A data protection officer must be appointed in accordance with the requirements of the General Data Protection Regulation and the Federal Data Protection Act (BDSG), and both the formal and the substantive requirements of the appointment must be observed.
Whether there is an obligation to appoint a data protection officer depends on the number of employees, the type of data processed, and the activity of the company. The appointed data protection officer must have the necessary qualifications and provide proof of ongoing training. After the appointment, the data protection officer should be reported to the competent supervisory authority.
What does the appointment of a data protection officer mean?
Appointing a data protection officer is not something done by phone or online form, unlike many other "orders" in everyday life. Many companies initially cannot place the term "appointment of a data protection officer" and therefore make assumptions. In data protection the matter is simple: the appointment is a formal designation. With it, the data protection officer publicly performs the function and thus becomes a bearer of rights and obligations within the company.
The company is only adequately protected if the data protection officer is appointed in accordance with the requirements of the General Data Protection Regulation. To satisfy the formalities, a certificate of appointment signed by the management is drawn up. The certificate must state exactly which person takes over the role of company data protection officer and is thus responsible for operational data protection from then on.
What tasks does a data protection officer have after the appointment?
The data protection officer has an internal or external function to ensure compliance with the data protection requirements of one or more companies. Within the company, the data protection officer is the linchpin for data protection. An important feature of the role is that the data protection officer acts free from instructions in matters of data protection and that other interests may not take precedence. Since a conflict of interest often cannot be avoided, many companies appoint an external data protection officer under a service contract.
The tasks of a data protection officer are laid down by law. In practice, however, an external data protection officer often takes over a wider range of tasks in order to relieve the company as far as possible. In any case, the data protection officer must be able to perform these tasks without instructions. The tasks follow from Article 39 GDPR, which is primarily intended to ensure compliance with the relevant data protection rules, particularly regarding the processing of personal data. Against the background of compliance with the General Data Protection Regulation, the following tasks form an essential part of a data protection officer's work:
Training and advising the company
The appointed data protection officer is obliged under Article 39 (1) lit. a) GDPR to raise awareness of data protection throughout the company and to be available for advice. Not only the management is trained and advised, but the entire workforce that processes personal data.
It is also the task of the data protection officer to adapt the data protection training to the company’s individual processing. The content of data protection training should therefore always be well thought out.
Monitoring of compliance with data protection
The data protection officer is responsible for ensuring that compliance with data protection is reviewed regularly. For this purpose, every data protection officer should audit the company under data protection law. Where available, the audit can be accompanied by quality management. Even where an internal data protection officer is in place, it is advisable to have an external data protection officer carry out the audit, since operational blindness cannot otherwise be ruled out.
Advice on data protection impact assessments
All companies that carry out processing which could lead to a high risk to data protection must carry out a data protection impact assessment. The appointed data protection officer must be involved here, since an assessment of the organisational and technical measures taken is required.
Communication with the supervisory authority
The data protection officer is responsible for ensuring that both data breaches and inquiries from data subjects are communicated to the supervisory authority. The supervisory authority is also available to the data protection officer for difficult assessments, such as data protection impact assessments.
Overall, however, this does not mean that the data protection officer is liable or responsible for the company's compliance with data protection. The data protection officer is entitled to delegate tasks and monitor their execution. This is also essential for smooth data protection management.
When do you need a data protection officer?
Since the General Data Protection Regulation came into force, some companies have been unsure whether they are obliged to designate a data protection officer. In principle, it is always advisable to have a data protection officer review the data protection organisation in order to obtain a qualified overview of the potential risks, because companies that do not fall under the obligation to appoint a data protection officer must still meet data protection requirements to the same extent as other companies. In any case, there is a duty to appoint a data protection officer in accordance with Art. 37 Para. 1 GDPR if:
- The processing is carried out by a public body
- The core activity consists of processing operations which, due to their nature, scope and purpose, require extensive, regular and systematic monitoring
- The core activity consists of processing special categories of data under Art. 9 (special personal data) or Art. 10 (personal data relating to criminal offences)
- In addition, Section 38 (1) BDSG specifies that a data protection officer must also be appointed if at least 20 employees are constantly employed in processing personal data.
Number of employees
If at least 20 employees (new BDSG) are regularly engaged in automated data processing (collection and use), the obligation to appoint applies. Automated data processing is already present when employees communicate via e-mail.
Type of data
If special categories of personal data under Article 9 and Article 10 GDPR are processed, i.e. data revealing a person's racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, or sex life, the obligation applies regardless of the number of employees.
The activity of the company
The core activity of the company consists of processing operations which, due to their nature, scope or purpose, require extensive, regular and systematic monitoring of data subjects. As a rule, such processing operations can be recognised by the fact that a data protection impact assessment has to be carried out for them (e.g. video surveillance).
Whether the appointment of a data protection officer is necessary can only be decided on a case-by-case basis. We would be happy to advise you free of charge.
Who can be appointed data protection officer?
For a person to be appointed as data protection officer, certain requirements must be met so that the appointment is effective. In principle, either an internal employee or an external person (under a service contract) can be appointed. It is important to note that the professional and technical qualifications must be present so that the proper performance of the tasks laid down in Art. 39 GDPR is guaranteed.
Often, when the data protection officer is appointed from internal resources, employees with key functions, or with functions that are understood to conflict with data protection, are intended to perform the role. If there is a conflict of interest, the appointment of the data protection officer is ineffective. Companies have already been fined over € 525,000 for this.
Who may not be appointed data protection officer?
Companies must ensure that the appointment of a data protection officer is effective. It is therefore essential to note that not every person in the company can be designated as data protection officer. In principle, only persons who cannot get into a conflict of interest may exercise the role. If the employee's own operational interests in the company take precedence, the appointment is ineffective. As a rule, this is the case when members of management, department heads, or works council members take on the role of data protection officer. Since the risk of an ineffective appointment is considerable, many companies appoint an external data protection officer.
What happens if I don't appoint a data protection officer?
If a company that is legally obliged to appoint a data protection officer fails to do so, or makes an ineffective appointment, very high fines may result. The supervisory authorities may impose fines of up to 20 million euros. In addition, companies should by now have recognised that a data protection officer is a mark of quality and can therefore be regarded as a competitive advantage. Conversely, companies also risk a loss of reputation with their customers.
Conclusion on appointing a data protection officer
The question of when a data protection officer must be appointed can be answered as follows: a data protection officer must be appointed (apart from the case of public bodies) if over 20 employees in the company process personal data, if special personal data (health data, etc.) under Art. 9 and 10 GDPR is processed, or if the core activity requires it due to its nature, scope and/or purpose. Since this is a matter of interpretation, advice is recommended as soon as your company processes data on a larger scale. In addition, it must be ensured that the appointment does not lead to an internal conflict of interest and that the data protection officer is appointed with due regard to the required professional and technical qualifications.