Who must appoint a data protection officer under EU rules?
EU and German data protection law provide for different cases in which a Data Protection Officer (DPO) must be appointed. It is often forgotten that even if these regulations are not applicable in your case, all companies (as well as all authorities and associations) must comply with the provisions of the GDPR.
This means that even if you are not obliged to do so, you should still have a data protection officer to support you with your data protection obligations.
Related articles from our blog: What are the costs of a data protection officer? Read here
When is there an obligation to appoint a DPO in the narrower sense?
The duty under German law
Germany has adopted strict regulations in its Federal Data Protection Act (§ 38 BDSG).
If at least twenty people are regularly engaged in the automated processing of personal data, a company must appoint a data protection officer. The following elements must be taken into account here. The number of employees in a company can be included in the overall assessment. Employees who do not have access to data processing equipment with which personal data are processed, such as cleaning staff or assembly line workers, are not counted. The employment status of the persons carrying out the processing is irrelevant: it does not matter whether they are full-time or part-time employees, freelancers or temporary workers, trainees, volunteers or interns, and the management also counts towards the twenty people mentioned above.
As a rule, one-off changes in this number are not taken into consideration.
The number of employees alone is not sufficient to rule out an obligation to designate. The impact of the company's activities on natural persons also plays an important role here. If these activities are likely to pose a high risk to the rights of natural persons, a so-called data protection impact assessment (DPIA) must be carried out. This means that the risks must be examined in detail and the measures that contribute to reducing these risks in the company must be taken into account. Companies that carry out processing operations subject to such data protection impact assessments not just once but more frequently must also appoint a data protection officer. For example, a petrol station that installs video surveillance only has to carry out a data protection impact assessment once and therefore does not have to appoint a data protection officer.
An obligation also exists if your company processes personal data on a commercial basis for the purpose of transmission, whereby "on a commercial basis" is not to be interpreted in the conventional sense, i.e. it also includes activities that do not generate a profit but are carried out for a certain period of time. In practice, this includes companies such as credit agencies that check the creditworthiness of individuals, or companies that provide third parties with address data for advertising purposes.
The fact that the data is transmitted anonymously does not constitute an exception to the designation obligation. If you process personal data for market or opinion research on behalf of customers, you must also have a data protection officer.
The obligation under EU law
In contrast, most member states of the European Union have not adopted any specific regulations regarding the DPO, so that only the provisions of the General Data Protection Regulation (GDPR, Article 37) must be taken into account.
According to Art. 37 para. 1 lit. b GDPR there is initially an obligation to designate if the core activity of the company requires extensive regular and systematic monitoring of individuals in the sense of observing their behavior (such as the click behavior of a user on the company's website). The number of data subjects, the amount of data processed and the geographical scope of data collection as well as the duration must be taken into account. For this purpose, only processing operations that are either continuous or repeated and that follow a specific plan and organization should be included.
Finally, it should be noted that processing operations that are inextricably linked to the core activity should also be considered part of the core activity, as in the case of healthcare services in hospitals, which cannot be provided without processing the health data of patients.
There is also an obligation to designate (Art. 37 para. 1 lit. c GDPR) if the core activity consists of the extensive processing of special categories of data or of personal data relating to criminal convictions and criminal offences. In most companies, the processing of special categories of data only concerns sick notes, certificates of incapacity for work, pregnancy (maternity protection) and (in the case of Germany and Austria) religious affiliation. However, these are not core activities and these processing operations can be regarded as minor, so that Art. 37 para. 1 lit. c GDPR can be interpreted as not applicable.
Most companies can benefit from a data protection officer
If one summarizes the aforementioned regulations, one could conclude that companies that are active in Germany only need a data protection officer in exceptional cases and that companies in other EU countries only need a data protection officer in minor cases.
This would be a mistake, as the obligations of the GDPR must be observed even without a designation obligation. Therefore, at least one employee should be dedicated to this topic and check whether all processing of personal data complies with the legal framework.
At the end of a pure cost-benefit analysis, companies often find that it is cheaper to appoint a data protection officer than to take the risk of disregarding data protection regulations. In addition to the fine and the costs of the proceedings (before the supervisory authority and, if necessary, in court), the company may suffer a loss of trust from its customers.
However, as smaller companies in particular are often overwhelmed by their data protection obligations (responding to requests from data subjects, documentation...), it is worth getting help from an external data protection officer.
What is the general advantage of appointing an external data protection officer? In contrast to an employee of the company, who needs time to familiarize themselves with the role, may misjudge a case due to a lack of experience and may have to seek help in the end, the external data protection officer has the necessary experience to act quickly and in a targeted manner. They can also exchange information with colleagues who have experience in other areas. Depending on the number of hours the employee acting as internal data protection officer would need, the size of the company and the tasks to be performed, there are different frameworks for an external DPO mandate.
At 2B Advice GmbH, the number of hours in the work packages offered is adjusted according to the size of the company. This is why our clients include small companies as well as large and medium-sized enterprises.
You are welcome to contact our sales department so that we can make you an offer tailored to your needs.
Related articles from our blog: Data protection impact assessment (DPIA): What needs to be done? Read here