What is a data protection officer?

The data protection officer advises a company in all areas of data protection law and supports it in the implementation of legal requirements. In addition, the data protection officer acts as a contact person for the entire company, as well as for external parties such as customers, partners or suppliers.

The data protection officer advises a company on all data protection issues and supports it in implementing legal requirements.

Data protection officers act and make decisions on behalf of the company. In the event that damage is caused by negligent conduct, the internal data protection officer is exempted from legal liability. Thus, the company is fully liable for the damage.

When is it necessary to have a data protection officer?

In the General Data Protection Regulation (GDPR), the condition for the data protection officers are defined. The designation of the data protection officers is necessary if:

1. it is a public authority or public institution.


2. the operation of a company requires systematic monitoring.


3. the objective of the company is the processing of personal data.

In other circumstances, data protection officers are not required. However, some provisions of the Federal Data Protection Law (BDSG) in data protection law provide for a position for data protection officers.

What is the task of a data protection officer?

A data protection officer carries out controls regarding data protection. By means of targeted monitoring, effective protection of personal data can be ensured. However, data protection officers may not make independent decisions in dealing with data protection measures. Rather, this position describes a responsibility with regard to compliance with data protection obligations. The tasks of data protection officers are outlined below:

• General education about obligations under data protection law


• Training of employees


• Advising on data protection legal obligations


• Monitoring of legal requirements in data protection


• Documentation of the monitoring of lawful collections and secure processing of personal data


• Creating legally applicable documents
  

  These include, for example, company agreements, guidelines e.g. on private Internet and e-mail use, or a general data protection policy.



• Conducting the privacy impact assessment
  

  Your privacy impact assessment is about a proper risk analysis of an adequate protection of personal data.

  
  
• Involvement in employee inspections
  

  In the case of prohibited Internet or e-mail use as well as misuse concerns, regular controls on the part of the company are necessary.

Practical implementation

First and foremost, data protection officers should have the necessary expertise to perform the tasks. Data protection officers must be provided with the necessary resources by the company to perform the tasks described above. Generally, the more complex the processing operations, the more extensive the resources and expertise of the data protection officers must also be.

These required resources include:

1. Sufficient time for inspections and monitoring


2. if necessary, a separate budget for performing services


3. Appropriate premises including: printers, computers ect.


4. Further training opportunities, e.g. workshops, trade shows training courses and literature.