Appoint us as external data protection officer

Do not hesitate to contact us and look forward to the free initial consultation.

When is a data protection officer mandatory?

Personal data is processed in almost every company. Special obligations apply to this processing, and in some cases they include the appointment of a data protection officer. But when is a data protection officer mandatory, and what options are there for complying with such an obligation?

Obligation to appoint a data protection officer

Art. 37 GDPR (DSGVO) and Section 38 BDSG oblige the controller to appoint a data protection officer in certain cases. If the requirements specified in the law are met, the appointment of a data protection officer is mandatory. All other controllers are free to appoint a data protection officer voluntarily.

Requirements

The GDPR requires the controller to appoint a data protection officer,

  • if the processing is carried out by a public authority or public body (courts acting in their judicial capacity are excluded), or
  • if the core activity consists of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
  • if special categories of data pursuant to Art. 9 GDPR or data on criminal convictions and offences (Art. 10 GDPR) are processed as part of the core activity.

Thus, the GDPR itself sets a rather narrow framework within which the appointment of a data protection officer is actually mandatory. Its purpose is to cover the areas in which particularly sensitive or particularly extensive personal data is processed.

However, the BDSG extends these requirements, so that the scope of the obligation is not so narrow after all. According to Section 38 BDSG, the appointment is also mandatory in Germany

  • if, as a rule, at least 20 persons are permanently employed in the automated processing of personal data, or, regardless of the number of persons engaged in processing,
  • if processing operations are carried out that are subject to a data protection impact assessment pursuant to Art. 35 GDPR, or
  • if personal data are processed on a commercial basis for the purpose of transfer, anonymized transfer, or market or opinion research.

However, the threshold of 20 employed persons is not as clear-cut as it first sounds.

The 20-person threshold must be reached "as a rule". This means that what counts is the number of persons employed in the automated processing of personal data over a period of one year, or the number expected to be so employed according to a forecast.

The persons must also be "permanently" employed in this way, which means that they perform the task on a regular basis. Handling personal data does not have to be the main task or the core of a person's activity; it is sufficient that personal data is handled within the scope of that person's specific activity. For this purpose, it is enough that the person is connected to a communication system such as Outlook or has access to the company's own address directories. When examining whether the threshold has been exceeded, employees whose only permission is to view personal data are therefore counted as well.

This means that some companies in Germany are subject to the obligation to appoint a data protection officer without even being aware of it. Failure to appoint a data protection officer is now treated as a medium-severity formal violation, which usually results in fines of between 20,000 and 30,000 euros (depending on turnover).

Internal or external data protection officer?

Companies can either appoint an employee as data protection officer in addition to his or her normal duties within the company, or assign this task to an external person.

If an internal employee is chosen, he or she will first have to undergo extensive training. In addition, the employee must receive regular further training, which results in additional costs and less capacity for his or her actual tasks. Because of this effort, the position is usually very unpopular among employees. It is also often difficult for internal employees to maintain an overview of the entire company and thus to perform their duties effectively. Furthermore, an internal data protection officer must be impartial and may not monitor himself or herself; for this reason, IT staff, employees with personnel or departmental responsibility, all employees in management positions, and members of corporate bodies are excluded from the role from the outset.

If, on the other hand, you choose an external consultant, you can rely on their certified expertise and do not have to worry about further training. In addition, the fixed fee makes the additional expense easy to estimate and keeps it within reasonable limits. An external data protection officer usually also has a better overview and remains neutral.

Which alternative is better for a company must, however, be decided on a case-by-case basis.

Are multiple data protection officers necessary?

In principle, it is possible to appoint a joint data protection officer for several entities that are under the same management.

According to Art. 37(2) GDPR, a group of undertakings may appoint a single, joint corporate data protection officer.

According to Art. 37(3) GDPR, the same applies to public authorities and public bodies, provided that this is possible taking account of their organizational structure.

FAQ

Q: When is a data protection officer required?

A: According to the GDPR, a data protection officer is required from a certain number of employees or for certain types of data processing operations.

Q: When must a data protection officer be appointed?

A: A data protection officer must be appointed if personal data is regularly processed in a company, regardless of the size of the company.

Q: What are the tasks of a company data protection officer?

A: The company data protection officer is responsible, among other things, for monitoring compliance with data protection regulations, advising employees and cooperating with supervisory authorities.

Q: When can fines be imposed in connection with the data protection officer?

A: Fines can be imposed for violations of the General Data Protection Regulation (GDPR), especially if no data protection officer has been appointed or data protection regulations have been violated.

Q: Is the appointment of a data protection officer required by law?

A: Yes, in certain cases the appointment of a data protection officer is required by law to ensure that data protection is guaranteed in a company.

Q: Which data processing operations require the appointment of a data protection officer?

A: Special types of data processing, such as health data or information on criminal convictions, may require the appointment of a data protection officer.

Q: What are the position and tasks of a data protection officer?

A: The data protection officer has an independent position in the company and is responsible for monitoring data protection, training employees and cooperating with authorities.

Q: When is a data protection officer mandatory?

A: According to the GDPR, a data protection officer is required if personal data is regularly and systematically processed in a company. The exact criteria for when the appointment of a data protection officer is necessary are set out in the BDSG.

Q: When does a data protection officer have to be appointed?

A: A company must appoint a data protection officer if the data processing involves particularly sensitive data or if this is necessary due to the nature, scope or purposes of the data processing.

Q: What are the tasks of the company data protection officer?

A: The company data protection officer has the task of monitoring compliance with data protection regulations, carrying out training within the company, answering inquiries from data subjects and acting as a point of contact for the supervisory authorities.

Q: In which cases is it necessary to appoint a data protection officer?

A: A company is obliged to appoint a data protection officer if it regularly and systematically processes personal data or if this is required by law.

Q: What fines can be imposed for violating data protection regulations in relation to a data protection officer?

A: Violations of data protection regulations can result in high fines, especially if no data protection officer was appointed, although this was necessary.

Q: What role does the GDPR play in the appointment of a data protection officer?

A: The GDPR sets out the requirements for the appointment of a data protection officer and regulates the responsibilities and obligations in relation to the protection of personal data.
