External data protection officers vs. the Legal Services Act

from R. Olschewsk

Data protection regulations and the associated decisions are becoming increasingly complex and the individual issues often require a qualified legal review.

The admissibility or inadmissibility of proceedings often depends on minor changes to contracts, formulations of consent or procedures. The Act on Extrajudicial Legal Services (RDG) regulates whether this legal review may be carried out by the data protection officer. Legal services pursuant to Section 2 RDG are any activity in specific third-party matters as soon as it requires a legal examination of the individual case.

The Legal Services Act stipulates that free legal audits or reviews are permitted as part of ancillary duties of a primary duty. Legal services in connection with another activity are permitted if they are ancillary to the profession or activity. Whether an ancillary service exists is to be assessed according to its content, scope and factual connection with the main activity, taking into account the legal knowledge required for the main activity. The main duty of the data protection officer is to monitor the processes involving personal data in the company and to raise employee awareness of data protection (Section 4g BDSG).

However, if the external data protection officer primarily undertakes legal audits or legal representation in the context of contract negotiations and regularly drafts contracts, such as service or employment contracts, and reviews works agreements or international IT contracts, the situation becomes problematic. If the external data protection officer is acting in a legal advisory capacity without a corresponding license to practice law, he or she is probably no longer acting lawfully. Customers should then be particularly cautious, as an overstepping of competence in the event of damage may no longer be covered by the professional liability insurance of a data protection officer. Ultimately, it is even questionable whether the "inexpensive" IT specialists often found on the market who are trained in data protection law have an overview of the complexity of the respective legal matter when they provide legal advice. In the case of complex legal issues, external data protection consultants should work together with specialized lawyers in order to protect themselves and their clients from incorrect advice. Ideally, the data protection officer even has a dual qualification as a lawyer and data protection consultant and is also well networked with IT security experts.

Further information:

• laws-on-the-internet.com/rdg/