What are the tasks of a data protection officer?


What must a data protection officer (DPO) be able to do?

A few years ago, the General Data Protection Regulation (GDPR) came into force. With it came many new obligations, including the requirement for companies to appoint a data protection officer (DPO).

This requirement is intended to ensure that the controller or processor provides a high level of protection for personal data.

A company may choose to appoint either an internal or an external data protection officer.

The internal DPO is selected and appointed by the management.


What are the tasks of a data protection officer under the GDPR?


You are probably familiar with the term "data protection officer" (DPO) or have at least heard it. But which functions and tasks come with this role in the company, and what does data protection involve alongside it? Does your own company even need a data protection officer?

In this article, we explain when you need a data protection officer and what obligations and tasks a (company) data protection officer has under the GDPR.


When is a data protection officer required?


Art. 37 of the GDPR specifies the conditions under which the controller or processor is obliged to appoint a data protection officer. The German legislator has defined this obligation in Section 38 of the Federal Data Protection Act (BDSG, new version).

For example, a data protection officer must always be appointed if at least 20 people in your company are constantly engaged in the automated processing of personal data, i.e. you have at least 20 employees who come into contact with personal data.

If you have not yet dealt with the requirements for appointing a data protection officer, we strongly advise you to check whether this is necessary.


Tasks of company data protection officers according to GDPR and BDSG in the company


The data protection officer is a person who is responsible for data protection. He or she must ensure the protection of personal data by complying with relevant data protection regulations.

However, this does not mean that the data protection officer has to take care of all operational data protection independently. They are entitled to delegate tasks and monitor compliance with data protection regulations. The decisive factor is that they assume responsibility for compliance with data protection regulations.

The data protection officer does not have to be an employee of the company. It is possible to appoint both an internal company data protection officer and an external data protection officer from an expert service provider. The tasks of external data protection officers according to GDPR and BDSG do not differ.

What exactly the tasks of a (company) data protection officer entail is defined in more detail in Art. 39 GDPR:

  • The data protection officer monitors compliance with data protection regulations, in particular those of the GDPR and the BDSG.
    He creates and maintains the record of processing activities, investigates and remedies the causes of data protection incidents, and carries out data protection checks.
  • The data protection officer advises the controller/processor in all data protection matters and supports the implementation of data protection requirements.
    For example, he draws up guidelines, advises on data protection impact assessments and monitors their implementation in accordance with Art. 35 GDPR.
  • The data protection officer is the point of contact for all data protection issues raised by the employer, the employees or the works council. External parties such as customers, contractual partners or suppliers can also contact the data protection officer with questions.
  • The data protection officer also raises awareness with regard to data protection. For example, he is involved in employee training sessions to teach them how to handle personal data correctly in their day-to-day work.
  • The data protection officer also works together with the supervisory authorities. He is their point of contact in connection with all data protection issues.

The scope of duties of a data protection officer is therefore diverse and has grown since the introduction of the GDPR. They should therefore have the necessary professional qualifications to be able to perform their duties and tasks as a data protection officer competently and expertly.

The data protection officer is not bound by instructions in his work. However, he is also not authorized to issue instructions. This means that the implementation of his recommendations remains with the controller or processor. Good cooperation between the data protection officer and the management is therefore crucial for effective operational data protection.


Protection against dismissal


As a designated DPO, the employee enjoys protection against dismissal: dismissal is justified only in the event of gross misconduct. The controller must also ensure that it provides the DPO with all the resources necessary to carry out their activities.


Election of the data protection officer


When choosing between an internal or external data protection officer, you should bear in mind that an external data protection officer has no affiliation with your own company and therefore remains neutral, meaning that no conflicts of interest can arise when performing the duties of a data protection officer.

There are also many other advantages that speak in favor of an external data protection officer. We have listed these advantages in our blog 'What are the costs of an external data protection officer?', where we take a closer look at the costs of an external data protection officer, among other things.


Required expertise


According to the GDPR, only those who have the "required expertise" should be appointed as DPO. If the required expertise is lacking, the supervisory authorities are entitled to dismiss the DPO.

An external data protection officer usually already has the required qualifications. The tasks of an external data protection officer do not differ from those of an internal data protection officer. However, an external DPO is usually better able to guarantee the required expertise than an internal DPO thanks to their extensive experience.

It is crucial that a DPO has the necessary expertise: primarily a sound knowledge of data protection law and practice and of IT security, together with the soft skills needed to fulfil the tasks and duties of a data protection officer prescribed by the GDPR.

This includes advising those responsible on data protection issues and supporting the implementation of measures that implement data protection requirements. The DPO is the contact person for the employer, the employees, the Works Council and external parties, such as contractual partners, customers and suppliers. He is also the primary contact for inquiries from and to the responsible supervisory authorities.

The data protection officer should also be involved in employee training measures. The aim is to inform the employees involved in the processing of personal data about general data protection requirements in order to ensure data protection in that area as well.

The central task of the DPO is to advise the controller on the implementation and realization of measures that ensure data protection-compliant processing of personal data. It should be noted here that the DPO has only an advisory role and is not responsible for the actual implementation.

Controllers should bear in mind that the implementation of data protection-compliant processes is not a one-off project but requires constant revision. If there is no concept for establishing such processes as part of a data protection organization, the DPO should be involved in creating one.

A first building block of such an organization can be compiling the record of processing activities. Such a record helps with organizing data protection-compliant processes and provides a quickly accessible source for the necessary information about data-processing operations.

In the course of establishing data protection-compliant processes, the implementation of data protection-friendly default settings should always be taken into account (privacy by design/default). This, in conjunction with regular data protection audits and risk assessments, is a good way to act in a data protection-compliant manner in the future and to minimize legal risks arising from non-compliance with the GDPR.
