Appoint us as external data protection officer
Do not hesitate to contact us; we look forward to offering you a free initial consultation.
When is a data protection officer mandatory?
Personal data are processed in almost every company. Special obligations apply when handling these data, and in some cases this includes the appointment of a data protection officer. But when is a data protection officer mandatory? And what options are there for fulfilling such an obligation?
Obligation to appoint a data protection officer
Art. 37 GDPR (DSGVO) and Section 38 BDSG oblige the controller to appoint a data protection officer in certain cases. If the requirements specified in the law are met, the appointment of a data protection officer is mandatory. All other controllers are free to appoint a data protection officer voluntarily.
Requirements
The GDPR obliges the controller to appoint a data protection officer
- if the processing is carried out by a public authority or public body (courts are not included in the scope of their judicial activities), or
- if the core activity consists of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring on a large scale, or
- if, as part of the core activity, special categories of data pursuant to Art. 9 GDPR or data on criminal convictions and offences (Art. 10 GDPR) are processed.
The GDPR thus sets a fairly narrow framework within which the appointment of a data protection officer is actually mandatory. The purpose is to cover the areas in which particularly sensitive or particularly extensive personal data are processed.
However, the BDSG extends these requirements, so that in practice the scope of the obligation is considerably wider. According to Section 38 BDSG, the designation is also mandatory in Germany
- if, as a rule, at least 20 persons are permanently employed in the automated processing of personal data, or, regardless of the number of persons engaged in processing,
- if processing operations are carried out that are subject to a data protection impact assessment under Art. 35 GDPR, or
- if personal data are processed for the purpose of transfer, anonymised transfer, or for the purpose of market or opinion research.
However, the threshold of 20 employed persons is not as clear-cut as it first sounds:
The 20-person threshold must be reached "as a rule". This means that what counts is the number of persons employed in the automated processing of personal data over a period of one year, or how many are forecast to be so employed.
The persons must also be "permanently" employed in this way, which means that they perform the task on a regular basis. Handling personal data does not have to be the main task or the core of the person's activity; it is sufficient that personal data are handled within the scope of the specific activity. For this purpose, it is enough that the person is connected to a communication system such as Outlook or has access to the company's own address directories. When examining whether the threshold has been exceeded, employees whose only permission is to view personal data are counted as well.
This means that some companies in Germany are subject to the obligation to appoint a data protection officer and may not even be aware of it. Failure to appoint a data protection officer is now considered a medium formal violation that usually costs between 20,000 and 30,000 euros (depending on turnover) in fines.
Internal or external data protection officer?
A company can not only appoint one of its own employees as data protection officer but also entrust an external person with this task.
If an internal employee is chosen, he or she will have to undergo extensive training. In addition, the employee must receive regular further training, which results in additional costs and less capacity for the actual tasks. Because of this effort, the position is usually very unpopular among employees. In addition, it is often difficult for internal employees to keep an overview of the entire company and thus to perform their duties effectively. An internal employee must be impartial and may not monitor himself or herself; IT staff, employees with personnel or departmental responsibility, all employees in management positions and members of corporate bodies are therefore excluded from the outset.
If, on the other hand, you choose an external consultant, you can rely on their certified expertise and do not have to worry about further training. In addition, the fixed fee makes it easy to estimate the additional cost involved and keep it within limits. An external data protection officer usually has a better overview and remains neutral.
Which alternative is better for a company must, however, be decided on a case-by-case basis.
Multiple data protection officers necessary?
In principle, it is possible to appoint a joint data protection officer for several entities that are under the same management.
According to Art. 37(2) GDPR, a group of undertakings may appoint a single, joint data protection officer.
According to Art. 37(3) GDPR, the same applies to authorities and public bodies, where this is possible given their organisational structure.
FAQ
Q: When is a data protection officer required?
A: Under the GDPR, a data protection officer is required from a certain number of employees or for certain types of data processing operations.
Q: When must a data protection officer be appointed?
A: A data protection officer must be appointed if personal data is regularly processed in a company, regardless of the size of the company.
Q: What are the tasks of a company data protection officer?
A: The company data protection officer is responsible, among other things, for monitoring compliance with data protection regulations, advising employees and cooperating with supervisory authorities.
Q: When are fines threatened in connection with the data protection officer?
A: Fines may be imposed for violations of the General Data Protection Regulation (GDPR), especially if no data protection officer has been appointed or if data protection regulations have been violated.
Q: Is the appointment of a data protection officer required by law?
A: Yes, in certain cases the appointment of a data protection officer is required by law to ensure that data protection is guaranteed in a company.
Q: Which data processing operations require the appointment of a data protection officer?
A: Special types of data processing, such as health data or information on criminal convictions, may require the appointment of a data protection officer.
Q: What are the position and tasks of a data protection officer?
A: The data protection officer has an independent position within the company and is responsible for monitoring data protection, the training of employees and cooperation with authorities.
Q: When is a data protection officer mandatory?
A: According to the GDPR, a data protection officer is required if personal data are regularly and systematically processed in a company. The exact criteria for when the appointment of a data protection officer is necessary are set out in the BDSG.
Q: When does a data protection officer have to be appointed?
A: A company must appoint a data protection officer if the data processing involves particularly sensitive data or if this is necessary due to the nature, scope or purposes of the data processing.
Q: What are the tasks of the company data protection officer?
A: The company data protection officer has the task of monitoring compliance with data protection regulations, carrying out training within the company, answering inquiries from data subjects and acting as a point of contact for the supervisory authorities.
Q: In which cases is it necessary to appoint a data protection officer?
A: A company is obliged to appoint a data protection officer if it regularly and systematically processes personal data or if this is required by law.
Q: What fines can be imposed for violating data protection regulations in relation to a data protection officer?
A: Violations of data protection regulations can result in high fines, in particular if no data protection officer was appointed although this was necessary.
Q: What role does the GDPR play in the appointment of a data protection officer?
A: The GDPR sets out the requirements for the appointment of a data protection officer and regulates the responsibilities and duties of the data protection officer in relation to the protection of personal data.