Data protection officer

from Wikipedia, the free encyclopedia
The articles data protection officer and data protection officer (General Data Protection Regulation) overlap thematically. Help me to better differentiate or merge the articles (→  instructions ) . To do this, take part in the relevant redundancy discussion . Please remove this module only after the redundancy has been completely processed and do not forget to include the relevant entry on the redundancy discussion page{{ Done | 1 = ~~~~}}to mark. Domitius Ulpianus ( discussion ) 08:50, Dec. 2, 2018 (CET)

A data protection officer ( DPO ) works towards compliance with data protection in an organization . The person can be an employee of this organization or be appointed as an external data protection officer. The data protection officer must have the necessary specialist knowledge for the exercise and must not get into a conflict or the risk of self-control.

On the German federal level, there is the commonly Federal Data Protection Officer referred to the Federal Commissioner for Data Protection and Freedom of Information ; Federal states each have a state data protection officer . The first data protection officer in Germany was Willi Birkelbach , he was appointed by the State of Hesse in 1971.

The Austrian data protection authority has existed in Austria since January 1, 2014 .

In Switzerland there is the Federal Data Protection and Information Commissioner (FDPIC).

In the Principality of Liechtenstein there is a data protection office (DSS) in the state administration.

At EU level there is an independent authority called the European Data Protection Supervisor .

In the US legal area, Chief Privacy Officers (CPO) sometimes carry out data protection tasks at the management level of companies and organizations on a voluntary basis.

The International Conference of Commissioners for Data Protection and the Protection of Privacy , whose members are subnational and national as well as international or supranational institutions, takes place every year .

Tasks, activities and orders

The task and activity of a data protection officer is regulated in Germany in § 4f and § 4g of the Federal Data Protection Act (BDSG) as well as the corresponding national regulations. The data protection officer works towards compliance with the BDSG and other laws ( TMG , TKG etc.). One of the main tasks is to control and monitor the correct application of data processing programs . The staff who deal with personal data are made familiar with the law and its practical implementation (training) in a suitable manner. The data protection officer is not bound by any instructions in carrying out his duties.

A data protection officer must be appointed if personal data (e.g. employee data in the HR department, customer and prospect data ) are processed automatically:

  • in all public bodies (e.g. authorities ) and
  • in non-public bodies (e.g. companies, associations), if more than nine people (Section 4f Paragraph 1 Clause 1 and 4 BDSG) are constantly processing this data or have access to this data. This limit does not apply if a certain risk is suspected that requires an immediate appointment or procedures are used that are subject to prior checking ( Section 4d (5), Section 3 (9), Section 4e , Section 4f (1) sentence 6 BDSG ), or if they process personal data in a commercial manner in order to pass them on to third parties (e.g. address data trading). This limit also does not apply if full automation of the recording is used, for example, for statistics (e.g. market and opinion research) or research purposes.

In the case of non-automated data processing, the regulation only applies to more than 20 people (Section 4f Paragraph 1 Clause 1, 3 BDSG). Part-time workers are fully taken into account here; the legislature deliberately does not speak of employees, but of persons; also to avoid that companies only work with self-employed and freelance employees, in order to avoid the obligation to appoint.

Processing is automated if data processing devices ( computers ) are used for this purpose . If the data processing takes place e.g. B. using index cards , it is not automated , unless these are intended for later processing in the EDP and are directed to the effect that this would otherwise be a preparation for data processing.

The company must appoint a data protection officer no later than one month after commencing its activity (Section 4 (1) sentence 2 BDSG). Failure to order or late ordering is an administrative offense ( Section 43 (1) No. 2 BDSG) and can be punished with a fine of up to 50,000 euros (Section 43 (3) BDSG).

Prior checking

According to Section 4d (5) BDSG, data processing is subject to “prior checking” if it poses particular risks for the rights and freedoms of the person concerned. This is particularly the case when special types of personal data are processed in accordance with Section 3 (9) BDSG or the processing of the data is intended to assess the personality of the person concerned, including their skills, performance and behavior. According to Section 4d (6) BDSG, the prior check may only be carried out by a data protection officer, as well as checking whether a prior check is necessary.


A distinction is made between official, church and company data protection officers. There are also data protection officers from the federal government and the federal states who exercise a control and ombudsman function.


Depending on the regulation in the federal or state data protection laws, authorities appoint their own data protection officers who are the contact persons for the storage and processing of personal data.


The dioceses of the Catholic Church , the Evangelical Church in Germany and the Evangelical regional churches each appoint their own data protection supervision for their area. Under canon law, this is regulated by the Law on Ecclesiastical Data Protection (KDG) of the Catholic Church and the EKD Data Protection Act.


The data protection officer in a private company works towards compliance with data protection regulations (but has no right of instruction ). As part of his work, the data protection officer presents the current status of the company, the check is already carried out from the factory gate, a data protection check is typically carried out from the outside to the inside and checked whether the existing measures are sufficient or there are opportunities for improvement. The data protection officer also shows the current status of the EDP and the network and checks whether the guidelines are being adhered to; In addition, the data protection officer also makes recommendations for improvement. For all procedures for the collection, processing, transmission or use of personal data, the current status is shown, preliminary checks are carried out and possible improvements are shown. It is possible that manuals are also created for certain processes. The data protection officer will check at regular intervals at his own discretion whether changes have been made or whether further optimizations have been made. If new procedures are introduced, the data protection officer must be informed in advance and will carry out a prior check if necessary . It is important to ensure that only authorized persons can only process data that is limited to the purpose and that the owner of the data can exercise his right to information , correction, blocking and deletion . He is also responsible for training employees in order to make them aware of data protection issues. As part of this work, the data protection officer will also typically create and regularly update the directory of procedures and the directory for everyone in accordance with Section 4g (2) BDSG. The data protection officer is the point of contact for management and employees in all matters relating to data protection. The data protection officer can also set up appointments for free advice in the company at his own discretion so that the employees can visit them here and get advice. The data protection officer also informs about possible changes in the area of ​​the BDSG and the supporting laws, if these are to be observed by the company.

The data protection officer is free of instructions in the exercise of his specialist knowledge and is independent of superiors. He must not be disadvantaged because of the performance of his duties. The data protection officer reports directly to the management, which also receives its reports and preliminary checks.

With the amendment of the Federal Data Protection Act (so-called BDSG amendment II 2009), the company data protection officer was equipped with improved protection against dismissal , in accordance with Section 4f (3) BDSG. Unless there are reasons for dismissal without notice , the termination of the employment relationship concluded with the company data protection officer is not permitted. This protection against dismissal remains in effect for a further year after the appointment has been terminated, even if the company data protection officer is dismissed. An internal data protection officer is usually appointed for a period of 5 years; in some federal states, 3 years is also considered appropriate. A shorter order is generally not given, as the internal data protection officer would otherwise not be able to carry out his work to the appropriate extent. During this time, the former company data protection officer may only be dismissed if there are reasons for termination without notice within the meaning of § 626 BGB (termination without notice for an important reason). The supervisory authority can recall the appointed DPO if he does not have the required specialist knowledge or reliability. The appointment can be revoked by the management if the supervisory authority so requests or if there is an important reason i. S. v. § 626 BGB is given.

Commissioner for data protection and freedom of information

Data protection officers of the federal states monitor and advise the public authorities in the federal state on data protection issues. Within the scope of this task, he is independent, free of instructions and only subject to the law. In the federal states with the Freedom of Information Act , the state commissioners for data protection are also commissioners for freedom of information .

Expertise and reliability

Only those who have the necessary specialist knowledge may be appointed as data protection officers. The required reliability requires that there is no conflict of interest in the performance of the function. This exists above all for all persons who have their own interest in the company (e.g. because of a stake in its assets, e.g. partners or partners) or have a management role. Managing directors or department heads, especially those of the HR or IT department, therefore regularly leave. Other people outside the company can also leave the company, such as the permanent tax advisor or auditor or an external data protection officer, who himself could be subject to a conflict of interest if, for example, he is employed by the company that also implements the IT solution or other solutions for the company has, and thus there are conflicts of interest and the risk of self-control. The supervisory authorities can check the specialist knowledge of the data protection officer and have it verified and, in justified cases, also determine the ineffective appointment or remove the data protection officer from his appointment.

External data protection officers can be appointed in practically all organizations, especially in private companies. In particular, due to changes in the law in the Criminal Code and the Federal Data Protection Act 2006, 2008 and 2009, this has been made possible, so that those who have kept secret may also appoint external data protection officers. The data protection officer must be appointed in writing in accordance with the requirements of the BDSG.

The appointment of a company data protection officer often causes “practical difficulties” for a company, as the state commissioner for data protection and freedom of information in North Rhine-Westphalia Bettina Sokol wrote in her 17th data protection report: “Basically, the option of appointing external commissioners [...] is often a practicable one Solution, because they often do not have staff themselves who have the professional qualifications required for data protection officers. ”For this purpose, the option of appointing an external data protection officer was created, which has now also been clearly defined by the job titles“ data protection officer ”and“ data protection officer ” . In 1990, the Ulm Regional Court was the first court in Germany to decide on the professional profile of data protection officers. In its “Ulm judgment”, which is often quoted in professional circles, the court defined the activity of the data protection officer as an independent profession and set criteria for specialist knowledge.

A typical data protection officer has a good knowledge of IT, he has sufficient knowledge of the BDSG and can apply it, and he meets the personal suitability requirements from the Ulm judgment. In the resolution of the Düsseldorfer Kreis , an assembly of the highest supervisory authorities for data protection in the private sector, of November 25, 2010, further requirements for the necessary specialist knowledge are defined.

The requirements for the suitability of a data protection officer are still based on the company. The larger a company is or the more complex the data processing, the higher the requirements can be. The data protection officer must in any case be able to check data protection in the company, otherwise his appointment is ineffective. An external data protection officer may also due to expansion of the Criminal Code Geheimnisträger act (z. B. doctors , lawyers , accountants, etc.), as appropriate rights to remain silent and seizure ban was extended to them. Specialist training courses for data protection officers are carried out by DEKRA, IHK, TÜV, Ulm University of Applied Sciences, IQ-Zert and others. Apart from the ISO standard, there are no legally binding standards, although the job of data protection officer generally requires high and comprehensive qualifications.


There is no regulated professional training for data protection officers, nor are there any courses that directly qualify for this activity. However, there are numerous advanced training courses for beginners and for advanced training. Providers of entry-level courses are mostly commercial educational institutes and the chambers of industry and commerce . From one-day events to more than three-week courses, everything is included, most courses last between one and four days. According to Stiftung Warentest , entry-level courses should last at least five days. In order to be able to cope with the complex tasks in practice as a data protection officer, continuous training and updates of knowledge are necessary. The introductory courses often end with an exam. The training providers themselves or external certifiers, such as B. the Dekra . If the courses complete without an examination, the graduates receive i. d. Usually a certificate of attendance from the training provider. There are no standards for such introductory courses, but individual actors have formulated requirements for the job profile of the data protection officer, e. B. the Düsseldorfer Kreis or the professional association of data protection officers in Germany (BvD).

See also


Web links

Wiktionary: Data protection officer  - explanations of meanings, word origins, synonyms, translations

Individual evidence

  1. EDP ​​in the Odenwald . In: Der Spiegel . No. 20 , 1971 ( online ).
  3. Data protection office .
  4. Gola / Schomerus, Commentary on the BDSG, 7th edition, on § 4f, marginal no. 27
  5. ^ LG Ulm, judgment of October 31, 1990 , Az. 5 T 153 / 90-01, full text.
  6. Düsseldorfer Kreis . The Federal Commissioner for Data Protection and Freedom of Information. Retrieved June 22, 2011.
  7. Minimum requirements for the specialist knowledge of the Düsseldorfer Kreis . (PDF) The Federal Commissioner for Data Protection and Freedom of Information; Retrieved June 22, 2011.
  8. Courses for company data protection officers: specialists for sensitive data. , November 27, 2014; accessed on February 27, 2015