What are the tasks of a data protection officer?


What must a data protection officer (DPO) be able to do?

The General Data Protection Regulation (GDPR) has applied since 25 May 2018. It introduced many new obligations, among them the duty of a controller or processor to designate a data protection officer (DPO) under certain conditions.

This obligation is intended to ensure that the controller or processor maintains a high standard of protection for personal data.

A company may designate either an internal or an external data protection officer.

An internal DPO is selected and designated by management.


What are the tasks of a data protection officer under the GDPR?


You have probably come across the term "data protection officer" (DPO). But what functions and tasks does this role involve in day-to-day data protection? And does your own company even need a data protection officer?

In this article, we provide information on when you need a data protection officer and what obligations and tasks a (company) data protection officer has under the GDPR.


When is a data protection officer required?


Article 37 GDPR specifies the conditions under which a controller or processor is obliged to designate a data protection officer: public authorities and bodies, and organizations whose core activities consist of regular and systematic monitoring of data subjects on a large scale or of large-scale processing of special categories of data or criminal-conviction data. The German legislator has extended this obligation in Section 38 of the Federal Data Protection Act (BDSG).

Under Section 38 BDSG, a data protection officer must in addition always be designated if, as a rule, at least 20 people in your company are permanently engaged in the automated processing of personal data. Note that this is a headcount of people who regularly work with personal data as part of their job, not merely of employees who occasionally come into contact with it, and that the Article 37 GDPR triggers apply regardless of headcount. Section 38 BDSG also requires a DPO, irrespective of the number of people involved, where processing is subject to a data protection impact assessment or where personal data is processed commercially for the purpose of transfer, anonymized transfer, or market or opinion research.

If you have not yet dealt with the requirements for appointing a data protection officer, we strongly advise you to check whether this is necessary.


Tasks of company data protection officers according to GDPR and BDSG in the company


The data protection officer is the person within the organization who monitors data protection. He or she works to ensure that personal data is protected by checking that the relevant data protection rules are being followed.

This does not mean that the data protection officer personally carries out all operational data protection work. The DPO advises, monitors compliance with data protection rules and may draw on other departments to do so. The decisive point is that the DPO monitors compliance, while accountability for actually complying remains with the controller or processor (Art. 5(2) and Art. 24 GDPR).

The data protection officer does not have to be an employee of the company. It is possible to appoint both an internal company data protection officer and an external data protection officer from an expert service provider. The tasks of external data protection officers under the GDPR and BDSG do not differ.

What exactly the tasks of a (company) data protection officer entail is defined in more detail in Art. 39 GDPR:

  • The data protection officer monitors compliance with data protection regulations, in particular those of the GDPR and the BDSG.
    In practice this includes helping to maintain the record of processing activities (which is formally the controller's obligation under Art. 30 GDPR), supporting the investigation of data protection incidents and their root causes, and carrying out data protection audits.
  • The data protection officer advises the controller/processor in all data protection matters and supports the implementation of data protection requirements.
    For example, he or she helps draw up guidelines, advises on data protection impact assessments where requested and monitors their performance in accordance with Art. 35 GDPR.
  • The data protection officer is the point of contact for data protection issues for the employer, the employees and the works council alike. External parties such as customers, contractual partners or suppliers can also contact the data protection officer with questions, as can data subjects (Art. 38(4) GDPR).
  • The data protection officer also raises awareness of data protection. For example, he or she is involved in employee training to teach staff how to handle personal data correctly in their day-to-day work.
  • The data protection officer cooperates with the supervisory authority and is its point of contact in connection with all data protection issues (Art. 39(1)(d) and (e) GDPR).

The scope of duties of a data protection officer is therefore diverse and has grown since the introduction of the GDPR. They should therefore have the necessary professional qualifications to be able to perform their duties and tasks as a data protection officer competently and expertly.

The data protection officer is not bound by instructions in performing these tasks (Art. 38(3) GDPR). However, he or she also has no authority to issue instructions. This means that the controller or processor remains responsible for deciding whether and how to implement the DPO's recommendations. Good cooperation between the data protection officer and management is therefore crucial for effective operational data protection.


Protection against dismissal


An employee designated as DPO enjoys special protection against dismissal under Section 38(2) in conjunction with Section 6(4) BDSG: the employment relationship may only be terminated where there are facts that would justify termination without notice for cause, and this protection continues for one year after the DPO role ends. The DPO may also not be penalized or removed from the role for performing his or her tasks (Art. 38(3) GDPR). In addition, the controller or processor must provide the DPO with the resources necessary to carry out the tasks, including access to personal data and processing operations and the means to maintain his or her expert knowledge (Art. 38(2) GDPR).


Choosing the data protection officer


When choosing between an internal and an external data protection officer, bear in mind that an external DPO has no other role within your company and can therefore act neutrally. This greatly reduces the risk of the conflicts of interest prohibited by Art. 38(6) GDPR, which typically arise when an internal DPO also holds a position that determines the purposes and means of processing, such as managing director, head of IT or head of HR.

There are also many other advantages that speak in favor of an external data protection officer. We have listed these advantages in our blog 'What are the costs of an external data protection officer?', where we take a closer look at the costs of an external data protection officer, among other things.


Required expertise


According to Art. 37(5) GDPR, the DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. If the designated person lacks the required expertise, the supervisory authority can object to the appointment and order the controller to designate a suitably qualified person; infringements of Art. 37 to 39 can also be fined under Art. 83(4) GDPR.

An external data protection officer usually already has the required qualifications and, thanks to experience across many organizations, can often demonstrate the required expertise more readily than an internal DPO. The tasks themselves are the same in both cases.

A DPO therefore needs, above all, a sound knowledge of data protection law and practice, a working understanding of IT security, and the communication skills needed to fulfill the tasks and duties prescribed by the GDPR.

These tasks include advising the controller on data protection issues and supporting the implementation of measures that put data protection requirements into practice. The DPO is the point of contact for the employer, employees, the works council and external parties such as contractual partners, customers and suppliers. He or she is also the primary contact for inquiries from and to the responsible supervisory authority.

The data protection officer should also be involved in employee training measures. The aim is to educate employees involved in the processing of personal data about general data protection requirements in order to ensure the protection of data here too.

The central task of the DPO is to advise the controller on designing and implementing measures that ensure personal data is processed in compliance with the law. Note that the DPO's role is advisory: he or she is not responsible for the actual implementation, which remains the controller's job.

Controllers should ensure that building data protection-compliant processes is not treated as a one-off project; such processes need ongoing review. If there is no concept yet for establishing these processes as part of a data protection organization, the DPO should be involved in drawing one up.

A good starting point for such an organization is the record of processing activities (Art. 30 GDPR). This record helps to structure data protection-compliant processes and provides a quickly accessible source of the information needed about each processing operation, such as its purposes, categories of data and data subjects, recipients, retention periods and the technical and organizational measures applied.

When establishing data protection-compliant processes, data protection by design and by default (Art. 25 GDPR) should always be taken into account, so that new systems are built with privacy-friendly settings enabled from the outset. Combined with regular data protection audits and risk assessments, this is a sound way to keep operating in compliance with the GDPR and to minimize the legal risk of non-compliance.
