When does a data protection officer become a legal obligation?
The General Data Protection Regulation (GDPR) has been in force throughout the European Union (EU) for a few years now, and a data protection officer (DPO) is required in most institutions, especially companies that process personal data. The DPO is appointed on the basis of their expertise in data protection law and practice, serves as the point of contact for data protection issues, and supervises compliance with data protection regulations.
When does a data protection officer have to be appointed under the GDPR?
The GDPR stipulates when data controllers or processors must appoint a data protection officer in writing.
For example, a data protection officer is required if a company has 20 or more employees involved in personal data processing, or if the controller is a public body or authority, with the exception of courts acting in their judicial capacity.
A data protection officer must also be appointed if the core activities of the controller or processor require systematic monitoring of data subjects because of their nature, scope or extent. In addition, a data protection officer must be appointed if personal data relating to criminal convictions or offenses is processed in certain cases.
In other cases, and regardless of the number of employees, a data protection officer may be appointed in accordance with the GDPR, but this is usually only required for very specific and extensive personal data processing, such as processing of personal data relating to political or religious beliefs, ethnicity or race, health, and sex life.
In the case of groups of companies, public authorities or public bodies, a data protection officer may be appointed in accordance with Art. 37, taking into account the organizational structure and size, as long as the data protection officer is permanently available.
When do you need a data protection officer?
Even under the GDPR, the German Federal Data Protection Act (BDSG) continues to apply where the GDPR contains no specific provisions. So, when do you need a data protection officer? According to the BDSG, a data protection officer is mandatory if 10 or more people process personal data by automated means. In addition, companies must appoint a data protection officer in writing if they transmit personal data on a commercial basis, transmit it in anonymized form, or process it for market research or opinion polling.
If your company has not yet examined whether it is obliged to appoint a data protection officer, an audit is recommended.
Fines under the GDPR can amount to costly sanctions. A company is only protected against such fines if its data protection officer has been appointed correctly, which is formalized in writing with a certificate of appointment signed by management.
To summarize when a data protection officer is needed: a data protection officer is a person with expertise in data protection law who advises an organization on that law and ensures that data protection regulations are complied with. A data protection officer is necessary when certain kinds of data are processed, and a breach of these regulations can be punished with high sanctions under the GDPR.