A data protection officer monitors compliance with data protection regulations and is the point of contact for data protection matters. His or her specific duties depend on the legal requirements and on the organizational unit for which he or she works. Data protection officers are appointed by the federal government, the federal states, companies and other organizations. The GDPR makes the appointment of a data protection officer mandatory under certain conditions.
What is a DPO (Data protection officer)?
DPO is the abbreviation for data protection officer. In general terms, a DPO is a person or body that monitors and checks compliance with data protection rules. The role of an organization's data protection officer can be filled by an internal or external person or body. In Germany, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) operates at the federal level; this is an independent supervisory authority within the meaning of Article 51(1) of the General Data Protection Regulation (GDPR). At the state level there are the so-called state data protection commissioners.
The General Data Protection Regulation (GDPR), which entered into force in 2016 and has applied since 25 May 2018, requires companies to appoint a company data protection officer in certain cases. The DPO reports directly to the highest management level (Article 38(3) GDPR) and needs expert knowledge of data protection law and practice to perform the role (Article 37(5) GDPR). A core task of the DPO is to monitor compliance with the organization's policies for handling personal data.
General tasks of a data protection officer
General tasks of a data protection officer, regardless of the institution for which he or she works, include:
- Monitoring and checking compliance with data protection regulations in the handling of personal data
- Advising on and overseeing the implementation of data protection policies (responsibility for the implementation itself remains with the controller)
- Setting up an internal or external organization to monitor data protection compliance
- Reporting data protection violations
- Documenting data protection processes
- Monitoring the lawfulness of the collection of personal data
- Acting as the internal and external point of contact for all data protection matters
- Conducting training courses
- Cooperating with the supervisory authority and internal bodies in investigating and following up data protection violations
- Monitoring the deletion of data
The data protection officer under the GDPR
The General Data Protection Regulation, applicable throughout the EU since 25 May 2018, establishes at European level the obligation for certain companies and organizations to appoint a data protection officer.
Under Article 37(1) GDPR, the appointment is mandatory where the processing is carried out by a public authority or body, where the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data (for example, health data or political opinions) or of data relating to criminal convictions and offences. The GDPR itself sets no headcount threshold; the frequently cited threshold of employees regularly engaged in the automated processing of personal data is a German national rule in Section 38 of the BDSG (originally ten employees, raised to twenty in 2019). The GDPR data protection officer is an internal or external person who monitors data protection compliance within the organization.
Ultimate responsibility for compliance with data protection regulations remains with the company, i.e. the controller and its management. The DPO may delegate data protection activities and does not have to perform every task personally. The tasks of the data protection officer are set out in Article 39 GDPR and, for public bodies in Germany, in Section 7 of the BDSG.
Numerous service providers offer to act as external data protection officers for companies. The DPO must be reachable by and known to employees, management, the supervisory authority and the internal or external persons whose data are processed; the controller must publish the DPO's contact details and communicate them to the supervisory authority (Article 37(7) GDPR). A company that fails to appoint a DPO despite being obliged to do so commits an infringement that can be fined under Article 83(4)(a) GDPR with up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.