In many situations, responsible companies are obliged to appoint a data protection officer. Special legal rules for this are found in the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG-new).
Data protection officers take over the entire coordination of data protection tasks in the company. In this way they relieve the management, since the highest management level is ultimately responsible for the implementation of data protection.
It is also becoming increasingly clear that the temporary grace period is over and that implementing data protection is growing in importance. With their expertise, data protection officers help companies immensely, especially in avoiding substantial fines in the coming years.
In our blog post, you will learn which central tasks a data protection officer has according to the specifications of the European GDPR and what role data protection officers play in companies.
Tasks of the data protection officer according to GDPR
The data protection officer primarily fulfills a neutral control function for the processing of personal data within the meaning of the GDPR. By evaluating the relevant processes in the company and establishing measures, data protection, and thus the protection of sensitive data, is to be ensured.
The main tasks of a data protection officer are:
Information and advice:
The data protection officer informs and advises responsible companies on all relevant data protection issues and in this way helps the person responsible to comply with his obligations. The solution-oriented approach of a data protection officer allows data protection and entrepreneurship to be reconciled. The people to be advised include the person responsible (usually the entrepreneur) himself and his employees.
Art. 37 para. 1 GDPR also makes it clear that the data protection officer must be involved properly and at an early stage in all questions relating to the protection of personal data.
Monitoring compliance with the GDPR and other data protection regulations:
The data protection officer also fulfills his legal duty by monitoring compliance with the GDPR. He serves as an extension of the supervisory authority and uses selected measures to ensure that those responsible meet their obligations. It is also essential to monitor the assignment of responsibilities, the awareness-raising and training of the employees involved in the processing operations, and the related reviews by the data protection officer.
The management level of a company must also support the data protection officer according to Art. 38 Para. 2 GDPR and make the necessary resources available. In addition, the data protection officer is not bound by instructions, see Article 38 (3) GDPR.
Cooperation with supervisory authorities:
Another important task of the data protection officer is the correspondence with supervisory authorities and coordination in certain cases, such as data protection violations or reporting obligations. According to the GDPR, deadlines must also be observed regularly.
A data protection officer knows how to meet these deadlines and solve problems. In particular, he serves the supervisory authority under Article 37 (1) GDPR, but also all other persons as the first point of contact for data protection issues.
Data protection impact assessment:
The tasks of the data protection officer also include advice on data protection impact assessments and, in this context, prior consultation under Article 36 GDPR. The data protection officer supports the person responsible for the correct preparation of the risk analysis or risk assessment before the respective data processing is carried out.
Creation of guidelines:
To comply with the principle of accountability under Art. 5 Para. 2 GDPR, the data protection officer helps the person responsible to create data protection guidelines, e.g. for IT and Internet use. This is intended to ensure that a uniform internal regulation on data protection exists in the company.
Creation of a list of processing activities:
According to Art. 30 GDPR, responsible bodies and processors are obliged to create a record of processing activities (VVT). The data protection officer provides support with the information required for the VVT and helps with the content requirements under Article 30 (1) lit. a) to g) GDPR. He checks the completed VVT for coherence and can contribute to its improvement.
List of duties of a data protection officer
In addition, according to Art. 37 to Art. 39 GDPR, the data protection officer can take on the following tasks, among others:
- Communication with processors and service providers
- Creation of data processing agreements (AVV, order processing contracts)
- Coordination of the conclusion of data processing agreements
- Review and creation of data protection declarations
- Creation and verification of declarations of consent
- Development of a procedure for processing data subject rights
- Examination of technical and organizational measures
- Recommendations for legally required technical and organizational measures
- Draft of authorization and deletion concepts
- Review and writing of information letters for data subjects
- Creation of contracts, such as EU standard data protection clauses under Article 46 (2) (c) GDPR for the transfer of personal data to third countries or the draft of a contract on joint responsibility under Article 26 GDPR
But when is the appointment of a data protection officer required?
Tasks of the data protection officer in detail
The focus of the work of a data protection officer is advice. This applies to all questions relating to data protection. Advice is given on-site, by telephone, and by email. In addition, the creation of legally required documentation is essential: Art. 5 Para. 2 GDPR establishes a so-called reversal of the burden of proof.
This means that companies must provide proof of compliance with data protection regulations. This is one of the reasons why almost all data protection tasks have to be documented. To relieve companies of this time-consuming documentation obligation, the data protection officer takes over the preparation of the documentation.
This applies in particular to the record of processing activities (VVT) under Article 30 GDPR or to the record of technical and organizational measures that have been set up in the sense of Article 32 GDPR. The training of employees and cooperation with the supervisory authorities are also important areas of responsibility for the data protection officer.
The advisory and sometimes also leading activity in the area of data protection impact assessments under Art. 35 GDPR is another activity of the data protection officer, which relieves the responsible companies immensely.
Process of the tasks of a data protection officer
Data protection officers usually follow a certain ideal-typical procedure when fulfilling their tasks: First, as part of a process analysis or inventory, all current processing of personal data and the current status of data protection are recorded, then the legally required documentation is prepared.
Measures required under data protection law are implemented in the next step in consultation with the responsible company and further action required is recorded. At the same time, a data protection management system is established from the start to solve the complex data protection tasks in a clear, agile, and dynamic way.
What are the regular tasks of a data protection officer in the company?
Data protection officers usually prepare the legally required documentation in the first step after the audit or inventory. This includes, for example, the record of processing activities (VVT) under Art. 30 GDPR, declarations of consent under Art. 7, 8 GDPR, and information letters under Art. 12 et seq. GDPR or the creation of reports, for example following an audit.
The required training of employees in data protection can be carried out personally by the data protection officer or coordinated using an e-learning platform. Advising responsible companies on all data protection issues takes up the largest part of the duties of a data protection officer. The processing of data subject rights, such as in the case of asserting a right to information under Article 15 GDPR, can also be delegated to the data protection officer.
Is a data protection officer authorized to give instructions?
An instruction is an order that describes what is to be done or not to be done. In principle, the authority to issue instructions is assigned to superiors. Based on their expertise and experience, they issue instructions to those who are bound by instructions.
Freedom from instructions, on the other hand, exists when someone is not bound by instructions. These definitions also play an important role in the position of the data protection officer, because although he is not subject to instructions, he is also not authorized to issue them. Specifically, this means that he goes about his work without receiving instructions from a superior.
However, he may not give any binding instructions himself but only act in an advisory capacity.
For advice from the data protection officer, the regulation of the direct reporting route to the highest management level under Article 38 (3) sentence 3 GDPR applies. He is therefore obliged to report directly to the person responsible, his management level, or the processor.
The reporting obligation of the data protection officer also includes the obligation of regularity, which can be semi-annually or annually. Reports must therefore be given directly to the highest management level at regular intervals.
Can anyone become a data protection officer?
By law, not everyone can be appointed a data protection officer. Any person who has a conflict of interest or whose self-control is at risk is explicitly excluded from this under Art. 39 (6) sentence 2 GDPR. This is the case if the data protection officer performs other tasks that conflict with the basic tasks of the data protection officer under Article 39 GDPR.
For example, the control function is weakened if the data protection officer is also the managing director or a person close to him. The Berlin data protection authority has already fined a company over €525,000 for this. As long as the data protection advice comes from a neutral basis, the monitoring of data protection is not influenced and the correspondence with supervisory authorities is also neutral in terms of data protection law, other tasks do not represent a conflict of interest.
The supervisory authorities agree that the top management level, i.e. persons such as the managing director, owner, executive staff, manager, or authorized signatory, may not be appointed as data protection officers for their own company. Their duty to represent the company contradicts the control function from the point of view of the GDPR.
What qualifications does a data protection officer need to have?
To do justice to the position of the data protection officer within the meaning of the GDPR, the requirements of Art. 37 Para. 5 GDPR must be met in any case. Deviating national regulations are not provided for by the GDPR and are also not permitted. Member States are only free to require supplementary or additional qualifications.
In principle, a data protection officer must fulfill three main requirements: He must be appointed based on his professional qualifications and in particular his specialist knowledge in the field of data protection law. Furthermore, the same standard of qualification must be present for data protection practice. As the third qualification, the data protection officer must be able to perform the tasks specified in Art. 39 GDPR based on his skills.
These qualifications should already be available in advance, i.e. before appointment as a data protection officer. However, practice shows that this is not always seamlessly possible. Nevertheless, the qualifications should be made up for as soon as possible after the appointment and then also be maintained. This means that the knowledge must always be kept up to date to meet the data protection requirements.
Data protection officers can prove their expertise with appropriate seals of quality, e.g. from TÜV or IHK. It should be noted that certificates represent a snapshot and may not provide sufficient specialist knowledge to deal with more complex data protection issues.