The implementation of data protection requirements poses major challenges for many companies.
Necessity for a data protection officer
Considering the complexity and often abstractly formulated regulations, which must be adhered to when dealing with personal data, some companies would like to have a guide, who gives orientation. The regulations of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) require that public and non-public bodies (e.g. partnerships, legal persons and free-lancers) must appoint a data protection officer if at least ten employees are involved in the processing of personal data (§ 38 BDSG). This obligation applies with fewer than ten employees, if automated data processing is to be carried out which is subject to a “pre-control”. This is regularly the case when installing a video surveillance system. It consists of a technical and organizational analysis before the introduction of a measure to minimize the risks of restricting the rights and freedoms of those affected.
Purpose of the data protection officer
The purpose of the data protection officer is to work towards compliance with the BDSG and other data protection regulations. This means, in particular: monitoring the proper application of the data processing programs used to process personal data, and to ensure that the persons involved in the processing of data are able to comply with the provisions of the GDPR and the BDSG (sec. 39 par.1 lit.a GDPR). His activity also includes carrying out pre-checks on automated processing, if these are subject to special data protection risks. (sec. 35 par.2 GDPR).
The data protection officer analyses the security level in the company in so-called “audits”, makes recommendations and supports the management in the production and implementation of a security and data protection concept. The management of the company can delegate own obligations, such as the installation and management of the procedure list (§ 4g Abs.2, 4e S.1 Nr.1-8 BDSG) to the data protection officer. Through regular training measures, the data protection officer contributes to the fact that the employees develop awareness for data protection-relevant matters in their daily work. He supports the management with his expertise when outsourcing work to service providers (so-called “order data processing”), in the transmission of personal data abroad, in questions concerning the use of virtual data storage (“cloud-computing”) and in areas of employment protection. The company itself, however, always remains the controller.
Through his work, the data protection officer ensures that data protection is maintained for all processes within the company and for all external actions. This creates transparency and strengthens the credibility of the company. It contributes to a positive image and avoids expensive legal disputes through anticipatory action. That’s why the data protection officer is an important organ in the company.
Internal data protection officer versus external data protection officer
When appointment a data protection officer you have to evaluate two alternatives: the so-called “in-house data protection officer” is an internal employee assigned for the data protection responsibilities. He is free of directive in exercising his duties. In order to safeguard his independence, he only reports to the management within the company (§ 4f Abs. 3 BDSG). The internal data protection officer’s competence covers the entire company, which results in an authority to check the processes of all departments on their privacy compliance.
The so-called “externally appointed data protection officer” is an outside person, assigned to take over the above-mentioned tasks. The benefits of the external data protection officer are numerous. He already has the necessary expertise and professional experience to take over the task, and his employees can concentrate on their core activities and do not have to incorporate new duties. An external data protection officer is free from internal business conflicts; a participation of the works council in the appointment is not necessary.
When appointing an employee, the relevant participation rights of the works council must be regarded, since this transfer of additional functions is considered as a transfer. In this respect, the works council can exercise influence by denying its consent to the appointment due to a lack of suitability.