Data Protection Officer (General Data Protection Regulation)

from Wikipedia, the free encyclopedia


The term data protection officer has two different meanings in everyday usage. On the one hand, the various data protection supervisory authorities are referred to as (state) data protection officers or commissioners. The General Data Protection Regulation (GDPR), however, uses the term for the company data protection officer: a person appointed by a company who is responsible for monitoring compliance with data protection rules.

Background

The General Data Protection Regulation has applied since May 25, 2018. The directly applicable regulation was supplemented by the German Bundestag on April 27, 2017 with the Data Protection Adjustment and Implementation Act (DSAnpUG). In Federal Law Gazette No. 44 of May 12, 2017, the adaptation of data protection law to Regulation (EU) 2016/679, i.e. the GDPR, and the implementation of Directive (EU) 2016/680 in the Data Protection Adjustment and Implementation Act EU (DSAnpUG-EU) were promulgated after signature by the Federal President. Among other legislative amendments, the BDSG was completely revised as a supplement to the GDPR.

The GDPR stipulates that companies, as the "controller" of the data processing, may have to appoint an internal or external data protection officer. Article 37 (1) GDPR regulates the obligation to designate a data protection officer; the companies that fall under it must comply with this legal obligation. The tasks of the data protection officer are defined in Article 39 GDPR and, additionally, in Section 7 BDSG (new).

Designation requirement and designation process

Designation requirement

Both the GDPR and the BDSG set out grounds that make the designation of a data protection officer necessary. National rules may not fall short of the GDPR; they may only supplement and tighten it.

According to the GDPR

In public administration, a data protection officer must be designated whenever the processing is carried out by a public authority or body. Processing by courts acting in their judicial capacity is excluded.

Whether a data protection officer has to be appointed in the private sector depends on whether the core activity of a company includes regular and systematic processing of personal data. The criteria for this are:

  • Extent of processing measured by the number of data processing employees in the company, the amount of data and type of data records, the period and regularity of the data processing as well as the geographical range of the data processing;
  • the purposes of the processing;
  • the type of processing.

Alternatively, extensive processing of special categories of personal data, e.g. health-related, political or religious data, is a ground for the designation requirement.

The requirement to designate a data protection officer does not depend on the form in which the data is stored. It is therefore irrelevant whether the sensitive data is held and processed in the form of files, tape recordings, videos, photos or X-ray images.

According to the BDSG

In Germany, §§ 5, 6 and 38 BDSG lay down the statutory requirements for designating and dismissing data protection officers for public and non-public bodies. All authorities and other public bodies, e.g. public-law companies, must designate a data protection officer without exception. The same applies to market and opinion research institutes. For the private sector, the law stipulates that the designation of a data protection officer is mandatory only for companies in which, as a rule, at least 20 persons are constantly engaged in automated data processing, and in cases where a data protection impact assessment is required, i.e. especially when sensitive data is processed.

Designation process

Under the GDPR, oral designation is sufficient. Nevertheless, the company is obliged to communicate the contact details of the data protection officer in writing to the competent supervisory authority and to publish them.

Selection of the data protection officer

Either an internal employee or an external contractor can be appointed as data protection officer. Which choice is more suitable depends on the type and size of the company and on the officer's workload. Parting with an internal data protection officer is harder, however, since he can lose the position only through termination without notice. Groups of companies can opt for a group data protection officer, provided that he can be reached easily from every branch. He is then the internal data protection officer for his employer and the external data protection officer for the other parts of the group. This option is particularly advantageous for EU-wide groups with several branches, as it avoids having different contact persons and thus provides more transparency and security in data processing and administration.

A data protection officer may at the same time fulfill other obligations, provided that this does not result in a conflict of interest. This conflict of interest can exist, for example, in the following cases:

  • Management, executive and owner level, as well as their authorized signatories,
  • Subordinate positions with management tasks and decision-making authority over the purposes and means of data processing (IT),
  • Employees in a legal department who also represent the company in court,
  • Security officer or anti-money-laundering officer,
  • Department heads and their employees, if they process personal data themselves, for example in IT, in the HR department, but also in marketing or sales,
  • Family ties between the data protection officer and the controller.

Duties, rights and qualifications

Tasks

Article 39 (1) GDPR defines the minimum tasks of the data protection officer:

  • The data protection officer informs and advises the controller that designated him, and its employees, on all applicable data protection rules and, on request, on a data protection impact assessment.
  • He monitors compliance with data protection rules and with the controller's policies for the protection of personal data.
  • He cooperates with the supervisory authorities and is their point of contact within the company.

The EDPS, as the voice of all European regulators, describes the legal obligations of a data protection officer such that the officer should be available as a confidential point of contact for data subjects. The controller, as the disciplinary superior, remains responsible for the actual implementation of the data protection requirements.

Rights

In order to carry out their work without bias, data protection officers enjoy special protection against dismissal, are bound by a duty of confidentiality and have the right to refuse to give evidence. The protection against dismissal applies only to internal data protection officers. They have no authority to issue instructions to management, but management may not issue instructions to them either.

Qualifications and equipment

According to Art. 37 Para. 5 GDPR, the data protection officer is designated "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39." He must therefore be able to fulfill the tasks incumbent on this role. The professional association of data protection officers in Germany (BvD) divides the necessary specialist knowledge, in its voluntary self-commitment, into the areas of law, information and communication technology, and organization and processes. The officer should have a professional qualification in at least one of these areas and solid specialist knowledge in the others. BvD members also undertake to have at least two years of professional experience in one of the areas and a recognized qualification as a data protection officer (certification).

Under Art. 38 Para. 2 GDPR, the controller must provide the data protection officer with the resources necessary to perform his tasks, including, among other things, resources to maintain his specialist knowledge, and must give him access to personal data and processing operations.

Penalties for infringement

Failure to designate a data protection officer despite the obligation to do so leads to severe fines for the company concerned. The GDPR provides for fines of up to 10 million euros or 2% of global annual turnover, whichever is higher.

Web links

Wiktionary: Data protection officer - explanations of meanings, word origins, synonyms, translations
