The implementation of data protection requirements poses major challenges for many companies.
Necessity for a data protection officer
Given the complexity of the rules that apply to handling personal data, and their often abstract wording, many companies want a guide who provides orientation. Under the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), public and non-public bodies (e.g. partnerships, legal persons and freelancers) must appoint a data protection officer if, as a rule, at least ten persons are involved in the automated processing of personal data (§ 4f Abs. 1 BDSG). The obligation also applies with fewer than ten employees if automated processing is carried out that is subject to a "prior check" (Vorabkontrolle). This is regularly the case when a video surveillance system is installed. The prior check is a technical and organisational analysis carried out before a measure is introduced, with the aim of minimising the risk that the measure restricts the rights and freedoms of the persons affected.
Purpose of the data protection officer
The task of the data protection officer is to work towards compliance with the BDSG and other data protection regulations. In particular, this means monitoring the proper use of the data processing programs with which personal data are processed, and ensuring that the persons involved in processing are familiar with the provisions of the BDSG and other data protection regulations and are able to comply with them, including the special requirements of data protection (§ 4g Abs. 1 BDSG). In addition, the officer has to maintain an overview of the stored data collections, the recipients of data, deletion periods, access authorisations and so on (§§ 4a, 4e, 4g BDSG). His work also includes carrying out prior checks on automated processing operations that pose special risks to data protection. Furthermore, the data protection officer ensures that customer, supplier and employee data are protected and that the principle of data economy (Datensparsamkeit, § 3a BDSG) is observed.
In so-called "audits", the data protection officer analyses the company's security level, makes recommendations and supports management in preparing and implementing a security and data protection concept. Management may delegate its own duties to the data protection officer, such as setting up and maintaining the register of procedures (Verfahrensverzeichnis, § 4g Abs. 2, § 4e S. 1 Nr. 1-8 BDSG). Through regular training, the data protection officer helps employees develop an awareness of data protection issues in their daily work. He supports management with his expertise when work is outsourced to service providers (so-called commissioned data processing, Auftragsdatenverarbeitung), when personal data are transferred abroad, in questions concerning the use of virtual data storage ("cloud computing") and in the area of employee data protection. The company itself, however, always remains the "responsible body" (verantwortliche Stelle) for the data of its employees, customers and suppliers.
Through this work, the data protection officer ensures that data protection is observed in all internal processes and in all dealings with external parties. This creates transparency and strengthens the company's credibility. It contributes to a positive image and, by acting before problems arise, avoids expensive legal disputes. That is why the data protection officer is an important organ of the company.
Internal data protection officer versus external data protection officer
When appointing a data protection officer, two alternatives must be weighed. The so-called "in-house data protection officer" is an internal employee entrusted with the data protection responsibilities. He is not bound by instructions when exercising his duties, and to safeguard his independence he reports directly to the company's management (§ 4f Abs. 3 BDSG). The internal data protection officer's remit covers the entire company, which gives him the authority to check the processes of all departments for compliance with data protection law.
The so-called "externally appointed data protection officer" is an outside person engaged to take over the tasks described above. The advantages of an external data protection officer are numerous: he already has the necessary expertise and professional experience, and the company's own employees can concentrate on their core activities instead of taking on new duties. An external data protection officer is free from internal company conflicts, and the works council does not need to participate in the appointment.
The in-house data protection officer enjoys special protection against dismissal (§ 4f Abs. 3 S. 4 BDSG): during his appointment and for one year after it ends, ordinary termination of his employment relationship is prohibited; only extraordinary termination remains possible. When an employee is appointed, the works council's participation rights must be observed, because assigning these additional duties counts as a transfer (Versetzung) under co-determination law. The works council can therefore influence the appointment by refusing its consent on the ground that the employee is unsuitable.
Do you have questions? Please contact: RA Nicole Schmidt, LL.M.
Consulting Service: Data Protection Officer