Appoint us as external data protection officer
Do not hesitate to contact us and take advantage of a free initial consultation.
When is a data protection officer mandatory?
Personal data is processed in almost every company. Special obligations apply when dealing with these and in some cases the appointment of a data protection officer is also part of this. But when is a data protection officer mandatory? What options are there for complying with such an obligation?
Obligation to appoint a data protection officer
Art. 37 DSGVO and Section 38 BDSG impose the obligation to appoint a data protection officer by the responsible party in certain cases. If the requirements specified in the law are met, the appointment of a data protection officer is mandatory. All other data controllers are free to appoint a data protection officer.
Requirements
The GDPR requires the controller to appoint a data protection officer,
- if the processing is carried out by a public authority or public body (except for courts acting in their judicial capacity), or
- if the core activity consists of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring on a large scale, or
- if special categories of data according to Art. 9 GDPR or data relating to criminal convictions and offences (Art. 10 GDPR) are processed as part of the core activity.
Thus, the GDPR sets a rather narrow framework in which the appointment of a data protection officer is really mandatory. The purpose is to cover the areas in which particularly sensitive or particularly extensive personal data is processed.
However, the BDSG extends these requirements, so that the scope of the obligation is not so small after all. According to Section 38 BDSG, the designation is also mandatory in Germany
- if, as a rule, at least 20 persons are permanently employed in the automated processing of personal data, or, regardless of the number of persons engaged in processing,
- if processing operations are carried out that are subject to a data protection impact assessment pursuant to Art. 35 DSGVO, or
- if personal data are processed on a commercial basis for the purpose of transfer, anonymized transfer, or market or opinion research.
However, the threshold of 20 employed persons is not as clear-cut as it first sounds:
The 20-person threshold must be reached "as a rule". This means that the number of persons employed in the automated processing of personal data is assessed over a period of one year, or on the basis of a forecast of how many persons will be so employed.
The persons must also be "permanently" employed in this way, which means that they perform the task on a regular basis. Handling personal data does not have to be the main task or core of the person's activity; it is sufficient that personal data is handled within the scope of the specific activity. For this purpose, it is enough that the person is connected to a communication system such as Outlook or has access to the company's own address directories. When examining whether the threshold has been exceeded, employees whose only access is to view personal data are also counted.
This means that some companies in Germany are subject to the obligation to appoint a data protection officer without even being aware of it. Failure to appoint a data protection officer is now treated as a formal violation of medium severity, typically fined between 20,000 and 30,000 euros (depending on turnover).
Internal or external data protection officer?
Companies can either appoint an employee as data protection officer in addition to his or her normal duties within the company, or assign this task to an external person.
If an internal employee is chosen, he or she will first have to undergo extensive training. In addition, the employee must receive regular further training, which results in additional costs and less capacity for the actual tasks. Because of this effort, the position is usually very unpopular among employees. It is also often difficult for internal employees to maintain an overview of the entire company and thus to perform their duties effectively. An internal employee must be free of conflicts of interest and may not monitor himself or herself; for this reason IT staff, employees with personnel or departmental responsibility, all employees in management positions and members of corporate bodies are already excluded from this role.
If, on the other hand, you choose an external consultant, you can rely on their certified expertise and do not have to worry about further training. In addition, the fixed fee makes the additional expense easy to estimate and keeps it within reasonable limits. An external data protection officer usually has a better overview and maintains neutrality.
Which alternative is better for a company, however, must be decided on a case-by-case basis.
Multiple data protection officers necessary?
In principle, it is possible to appoint a joint data protection officer for several entities under the same management.
According to Art. 37(2) GDPR, a group of undertakings may appoint a single group data protection officer. You can find more details on this here.
According to Art. 37(3) GDPR, the same applies to authorities and public bodies, provided their organizational structure allows it.