Who needs a data protection officer?

Who must appoint a data protection officer under EU rules?

EU and German data protection law provide for different cases in which a Data Protection Officer (DPO) must be appointed. It is often forgotten that even if these regulations are not applicable in your case, all companies (as well as all authorities and associations) must comply with the provisions of the GDPR.

This means that even if you are not obliged to do so, you should still have a data protection officer to support you with your data protection obligations.

When is there an obligation to appoint a DPO in the narrower sense?


The duty under German law

Germany has adopted strict regulations in its Federal Data Protection Act (§38).

Companies must appoint a data protection officer if twenty people are permanently involved in the automated processing of personal data. The following points must be taken into account. The number of employees of a company can be included in the overall assessment, but employees who do not have access to data processing equipment used to process personal data, such as cleaning staff or assembly line workers, should not be counted. The status of the persons carrying out the processing in the company is irrelevant: it does not matter whether they are full-time or part-time employees, freelancers, temporary workers, trainees, volunteers or interns. Management also counts towards the twenty people mentioned above.
As a rule, one-off changes should not be taken into consideration.

The number of employees alone is not sufficient to exclude an obligation to designate. The impact of the company's activities on natural persons also plays an important role here. If this is likely to pose a high risk to the rights of natural persons, a so-called data protection impact assessment must be carried out, i.e. the risks must be examined in detail and the measures that contribute to reducing these risks in the company must be taken into account. Companies that carry out processing that is subject to such data protection impact assessments not just once but more frequently must also appoint a data protection officer. If, for example, a petrol station only has to carry out a data protection impact assessment once for the installation of video surveillance, it does not have to appoint a data protection officer.

An obligation also exists if your company processes personal data for business purposes for the purpose of transmission. "Business" is not to be interpreted in the conventional sense here: it also includes activities that do not generate a profit but are carried out for a certain period of time. In practice, this includes companies such as credit agencies that check the creditworthiness of individuals, or companies that provide third parties with address data for advertising purposes.
The fact that the data is transmitted anonymously does not constitute an exception to the designation obligation. If you process personal data for market or opinion research for customers, you must also have a data protection officer.

The obligation under EU law

In contrast, most member states of the European Union have not adopted any specific regulations regarding the DPO, meaning that only the provisions of the General Data Protection Regulation (GDPR, Article 37) need to be taken into account.

According to Art. 37 para. 1 lit. b GDPR, a designation obligation exists, first of all, if the core activity of the company requires extensive regular and systematic monitoring of persons in the sense of observing their behavior (such as the click behavior of a user on the company's website). The number of data subjects, the amount of data processed, the geographical scope of data collection and the duration must be taken into account. For this purpose, only processing operations that are either continuous or repeated and that follow a specific plan and organization should be included.
Finally, it should be noted that the processing operations that are inextricably linked to the core activity must also be considered as one of the core activities, as in the case of healthcare services in hospitals, which are not possible without the processing of patients' health data.

There is also a designation obligation (Art. 37 para. 1 lit. c GDPR) if the core activity consists of the extensive processing of special categories of data or personal data relating to criminal convictions and offenses. In most companies, the processing of special data only concerns sick notes, certificates of incapacity for work, pregnancy (maternity protection) and (in the case of Germany and Austria) religious affiliation. However, these are not core activities and these processing operations can be considered minor, so that Art. 37 para. 1 lit. c GDPR can be interpreted as not applicable.

Most companies can benefit from a data protection officer

If one summarizes the aforementioned regulations, one could conclude that companies that are active in Germany only need a data protection officer in exceptional cases and that companies in other EU countries only need a data protection officer in minor cases.

This would be a mistake, as the obligations of the GDPR must be observed even without a designation obligation. Therefore, at least one employee should be dedicated to this topic and check whether all processing of personal data complies with the legal framework.

At the end of a pure cost-benefit analysis, companies often find that it is cheaper to appoint a data protection officer than to take the risk of disregarding data protection regulations. In addition to the fine that may be imposed and the costs of the proceedings (before the supervisory authority and, if necessary, the court proceedings), the company may suffer a loss of trust from its customers.

However, as smaller companies in particular are often overwhelmed by their data protection obligations (responding to requests from data subjects, documentation, etc.), it is worth getting help from an external data protection officer.
What is the general advantage of appointing an external data protection officer? An employee of the company needs time to familiarize himself with the job, can make mistakes because he misjudges a case due to his lack of experience, and may have to seek help in the end. In contrast, the external data protection officer has the necessary experience to act quickly and in a targeted manner, and can exchange information with colleagues who also have experience in other areas. Depending on the number of hours for the employee acting as internal data protection officer, the size of the company and the tasks to be performed, there are different frameworks for an external DPO mandate.

At 2B Advice GmbH, the number of hours in the work packages offered is adjusted according to the size of the company. This is why our clients include small companies as well as large and medium-sized enterprises.

You are welcome to contact our sales department so that we can make you an offer tailored to your needs.
