FAQ External Data Protection Officer

Data Protection Officer according to the GDPR with effect from 25.05.2018

Data Protection Officer and EU-General Data Protection Regulation?

Since the GDPR entered into force on 25 May 2018, there has been a Europe-wide obligation to appoint a Data Protection Officer (DPO) for the first time. The concept of the DPO is an important aspect of the GDPR. He can facilitate compliance with the GDPR and represent a competitive advantage for the company due to his expertise. External DPOs cooperate with both companies and public authorities and thus contribute to the protection and realization of fundamental rights. Qualified external DPOs help organizations mitigate the risks associated with Data Breaches. This includes, for example, a potential loss of image and financial burdens. Furthermore, external DPOs strengthen the confidence of customers and employees in the data collection and processing of the respective company. This confidence is the basis for the sustainable performance of activities and the necessary qualification of the external DPO. It is also relevant that the activity of the External DPO is highly transparent and comprehensible.

When is it mandatory to appoint a Data Protection Officer?

The obligation to appoint a DPO applies if an enterprise carries out an activity listed in Art. 37 (1) GDPR. These activities require special control regarding data protection.
Art. 37 (1) lit. a)-c) GDPR regulates the conditions under which such special control is necessary.
It is mandatory to appoint a DPO,

  • where the processing is carried out by a public authority or body,
  • where the core activity of the controller or processor is to carry out processing operations which, by their nature, scale and/or purposes, require extensive, regular and systematic monitoring of Data Subjects, or
  • where the core activity of the controller or processor is the processing on a large scale of special categories of data as referred to in Art. 9 or of Personal Data relating to criminal convictions and offences as referred to in Art. 10.

For example, in Germany a DPO must be appointed according to § 38 Federal Data Protection Act (BDSG) if:

  • As a general rule, at least 10 persons are permanently involved in the automated processing of Personal Data (it is not necessary for the collection, processing or use of Personal Data to be the core activity of the persons employed)
  • The obligation also applies to companies with fewer than 10 persons involved if:
    • The controller or the processor is subject to a Data Protection Impact Assessment pursuant to Art. 35 GDPR
    • Personal Data are processed for the purpose of transmission, anonymous transmission or for purposes of market and opinion research

What does processing by an authority or public body mean?

The GDPR does not regulate which authorities and bodies are affected. In this respect, the GDPR contains an opening clause for national legislators.

What is the core activity of the controller?

The concept of core activity covers any activity that is indispensable to the achievement of the objectives of the undertaking concerned, namely its main activity. It must be determined whether the activity is essential to achieving the objectives of the company or inseparably linked to them. Processing must therefore be the primary business purpose (e.g. the processing of specific personal data, such as health data in the health sector). This applies in particular to companies trading in data, credit bureaus or address traders.

What does extensive processing mean?

There are several evaluation criteria for extensive processing operations:

  • Processing of large amounts of Personal Data at regional, national or supranational level
  • A large number of persons affected
  • High risk for those affected
  • Quantity of data records affected / multitude of processing steps
  • Duration and permanence of Data Processing

Which privileges exist for the Data Protection Officer?

According to Art. 38 (3) GDPR, the DPO is protected against dismissal, must maintain confidentiality and has the right to refuse to testify.

Can a company appoint a Data Protection Officer voluntarily?

Even if Art. 37 (1) lit. a)-c) GDPR are not applicable, a DPO may be appointed on a voluntary basis. The provisions of the fourth section of the GDPR also apply to voluntary appointments.

Can a company also appoint an external Data Protection Officer?

Art. 37 (6) GDPR allows the appointment of an internal DPO from within the company as well as an external DPO. It is therefore up to the company to decide whether it wishes to appoint an internal or external DPO.

Can a privacy team be appointed?

Yes, several persons may also jointly carry out the tasks of the DPO. For reasons of legal certainty, the responsibilities of individual persons should be documented. It is also recommended that a main person responsible is appointed.

Can a Data Protection Officer be appointed for a group of companies?

Yes, Art. 37 (2) GDPR explicitly allows the appointment of a single DPO for the entire group, provided that the DPO is easily accessible from each establishment.

What does easy accessibility of the Data Protection Officer mean?

The easy accessibility should ensure that personal communication is possible. Contact possibilities are:

  • Setting up a contact form on the website
  • Provision of a telephone number and/or e-mail address
  • Regular consultation hours for employees

The decisive factor is that the DPO’s characteristics and position within the company mean that he is actually in a position to act as a personal point of contact for Data Subjects and Supervisory Authorities, e.g. to communicate and cooperate with them and to fulfil the tasks imposed on him by the GDPR.

Are small businesses also obliged to appoint a Data Protection Officer, whether internally or externally?

Depending on the size of the company or the type of data processed, even smaller companies that carry out complex Data Processing operations, and whose activities therefore deserve particularly high attention under Data Protection Law, are legally obliged to appoint a DPO.

When does a Data Protection Officer have to be appointed?

The date of designation is not regulated in the GDPR. However, the DPO should be appointed at the latest when the conditions for an appointment are met.

Does the Data Protection Officer have to be appointed in written form?

Art. 37 (7) GDPR provides that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” It is therefore sufficient for the Data Subjects and the Supervisory Authority to be provided with the contact details of the DPO which are necessary for contacting the DPO and enable simple communication (address, telephone number, e-mail address). A written appointment is therefore not required, but for reasons of legal certainty and in view of the duty to provide evidence, a written appointment is recommended. It is also recommended to provide the Supervisory Authority with detailed contact details, and the Data Subjects should be provided with a hotline or the contact details of the DPO on the company website.

Which persons may be appointed as Data Protection Officers?

According to Art. 37 (5) GDPR, only persons who possess the necessary expertise and reliability to perform their duties may be appointed as DPO. Pursuant to Art. 38 (6) GDPR, persons whose other activities may lead to conflicts of interest with their tasks as DPO are excluded. This refers in particular to the management, heads of the IT department and other persons in similar positions whose neutrality cannot be guaranteed.

What are the duties and obligations of a Data Protection Officer under the GDPR?

Art. 39 GDPR outlines the scope and duties of the DPO. These include, above all:

  • informing and advising controllers, processors and employees
  • monitoring compliance with the GDPR and national regulations
  • raising awareness regarding data protection and conducting training
  • advice and monitoring in connection with the DPIA
  • cooperation with the Supervisory Authority
  • acting as a contact point for the Supervisory Authority
  • risk-oriented performance of tasks
  • extension of the catalogue of tasks possible by agreement

The DPO thus has a broad field of duties. He assumes the role of a mediator, is the contact person for the Supervisory Authority and is responsible for ensuring that the Supervisory Authority receives the documents and information necessary to exercise its powers of investigation, correction, authorisation and consultation. In addition, the DPO is also the contact person for Data Subjects and is available as a discussion partner within the company. The controller (the body responsible for Data Processing) remains responsible for compliance with Data Protection Regulations; the DPO merely works towards compliance and has no further decision-making powers. In order to be able to carry out his tasks to the full extent, the DPO must, in accordance with Art. 38 (1) GDPR, be involved “properly and in a timely manner, in all issues which relate to the protection of personal data.” In accordance with Art. 38 (3) sentence 3 GDPR, the DPO is not subject to instructions and reports directly to the highest management level.

What is the position of the Data Protection Officer?

  • Proper and early integration
  • Provision of necessary resources
  • No instructions regarding the exercise of his/her tasks
  • Independence
  • Direct reporting path to the highest management level
  • Right of appeal of the Data Subjects
  • Secrecy, confidentiality and the right to refuse to give evidence
  • No conflict of interest
  • Cooperation with the Supervisory Authority

Which personal requirements does the Data Protection Officer need?

  • Professional qualification
  • Expertise in the field of Data Protection law and practice
  • Ability to perform the tasks specified in the GDPR or local data protection laws

How is the level of expertise determined?

Art. 37 (5) GDPR stipulates that the level of expertise required is determined in particular by the scope of the controller’s Data Processing and the need for protection of the Personal Data collected or used by the controller. The DPO must have sufficient expertise in the area of Data Protection Law and sufficient professional quality. Sufficient means that the sensitivity of the data, the complexity and the amount of data must be taken into account. Greater complexity requires greater expertise.

Which requirements must a Data Protection Officer meet?

Courts and specialist literature fill these requirements with the following attributes, among others:

  • High legal competence,
  • Distinctive IT knowledge,
  • Didactic skills and psychological empathy,
  • Organizational talent,
  • Obligation to continuous further training,
  • Obligation to secrecy,
  • Independence of the Data Protection Officer.

We fulfil these diverse requirements and tasks above average due to our many years of expertise as external DPO. Please contact us for further details – we will be happy to make you an offer tailored to your needs.

Which qualifications does a Data Protection Officer need?

The requirements for the External DPO range from specially acquired personal and professional qualifications to comprehensive knowledge of the tasks and services performed by the companies and further general requirements for the exercise of the profession. External DPOs must not only have the necessary qualifications, but must also be able to use them appropriately and identify where solutions need to be implemented that require further professional qualifications.

What can an external Data Protection Officer do for your company?

The activities of the external DPO can help to further develop the company, optimise it and, in particular, make it compliant with data protection regulations. They range from the examination, optimisation and prior checking of business processes to the control of technical and organisational measures and contracts with service providers and subcontractors, to the preparation of statements and participation in individual projects, such as the implementation of a new personnel management system.

Does the GDPR provide sanctions for the non-appointment of a Data Protection Officer if such an appointment is necessary?

Yes, according to Art. 83 (4) lit. a) GDPR a fine of EUR 10,000,000 or 2% of the worldwide annual turnover (whichever is higher) is possible.

Who is liable for infringements of the GDPR?

In principle, the GDPR stipulates that the company is responsible for compliance with the GDPR, but this does not preclude recourse to the internal relationship between the company and the DPO.

Dealing with personal data of children according to the GDPR

According to Art. 8 GDPR, special requirements must be met with regard to consent for the use of Personal Data of children in relation to information society services. The consent of the child is lawful if he or she has reached the age of 16. Where the child is below the age of 16, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.