Data protection officer
The processing of personal data has increased in recent times. Businesses and public authorities rely on being able to store and process our personal data. To guarantee the protection of our data, Parliament has established by law that certain businesses and public authorities must appoint a data protection officer.
We explain which companies and authorities are subject to these laws and provide an overview of the responsibilities of a data protection officer.
Data protection officer
Public authorities and private entities that conduct automatic data processing are required to appoint data protection officers (§ 4f German Data Protection Act, Bundesdatenschutzgesetz, BDSG).
Automatic data processing, i.e. processing carried out with the aid of data processing equipment (e.g. word processing), encompasses any storage, alteration, transfer, blocking or deletion of data.
Non-public entities include legal persons, such as public limited companies or private limited companies, partnerships, associations without legal capacity (e.g. trade unions or political parties), and natural persons (e.g. doctors, architects, lawyers).
Entities are only required to appoint a data protection officer if they employ more than nine people to automatically process data or more than twenty people to manually process data. To determine whether a person is employed for the purposes of processing data, it is the core function of the role that is considered and not the status of employment or job title.
Regardless of the number of persons employed for the purposes of automatic data processing, all non-public entities must appoint a data protection officer if they process data for commercial transfer (e.g. trade in addresses) or for anonymised transfer (e.g. market research). The same applies to entities whose automatic data processing operations are subject to a preliminary check.
A preliminary check is required if the personal data to be processed is of a sensitive kind (e.g. data on racial or ethnic background, political opinion, religious or philosophical conviction, trade union membership, health and sexuality), or if the data is to be processed for the purposes of analysing the personality of a person, unless consent of the person has been obtained or there is a legal requirement to collect such data.
What are the duties of a data protection officer?
The primary duty of a data protection officer, also known as a data compliance officer or data privacy officer, is to ensure an entity’s compliance with data protection regulations. The spectrum of duties fulfilled by a data privacy officer is diverse and encompasses all areas of a business that come into contact with data protection law.
A data protection officer is not responsible for implementing data protection provisions, but rather analyses and supervises compliance with data protection rules and therefore reports directly to company management.
The precise duties fulfilled by data compliance officers vary depending on the nature of the company. Such duties may include producing reports, examining contracts, developing company policy, distributing information, supervising the company’s data processing operations and acting as a contact person for data protection issues. Data protection officers are responsible for keeping a register of a company’s data processing procedures and for training employees.
Liability of data protection officers
Data protection officers must possess in-depth knowledge of all relevant data protection and data security regulations, and must have a strong command of how they should be implemented.
Pursuant to § 4g (1) BDSG, data privacy officers must work to ensure compliance with the German Data Protection Act and other relevant data protection legislation. Officers must fulfil their role conscientiously. If they fail to do so, they can be held liable.
To determine whether data protection officers can be held liable, it is necessary to distinguish between internal and external officers.
In cases of a breach of duty by internal data protection officers, employment law provisions apply. Such officers are considered employees and the principles of limited employee liability apply in their entirety. In this situation, companies can only take steps against data protection officers if they acted intentionally or with gross negligence.
Where external data protection officers are engaged, the situation is different. Companies can pursue claims against an external data protection officer for failure to fulfil their role, provided liability has not been limited by contract. Normally, external data protection officers will limit their liability in the contract and exclude liability for minor negligence. As a result, external data protection officers are usually only liable for grossly negligent or intentional behaviour. This means that companies generally remain fully liable for breaches of data protection legislation and cannot avoid liability by arguing that they engaged an insufficiently qualified data protection officer.
What is personal data?
According to § 3 BDSG, personal data includes: “information about the personal or material circumstances of an identified or identifiable individual.”
Information on the personal circumstances of a person includes, but is not limited to: name, age, address, date of birth, marital status, nationality, religious denomination, profession, characteristics, appearance, state of health, personal values and fingerprints.
Information on the material circumstances of a person includes: contractual relationships, construction planning, property ownership, existence of an employment relationship, participation in training seminars and telephone conversations.
The data need not refer to a specific person. Instead, it is sufficient that the information can be used to identify a person. For example, it is possible that telephone numbers, insurance numbers or university enrolment numbers can be used to identify individuals.
The German data protection provisions do not apply to information on legal persons. However, if the information concerns partnerships, which are run by natural persons, the data protection rules do apply.
Germany’s data protection framework also recognises that some information is particularly sensitive and therefore requires higher protection. Such data may only be collected, processed and used with the consent of the individual concerned. Such information includes country of origin, political conviction and religious beliefs.
Do you have questions about IT law, licences or data protection? We are happy to help!
German lawyer, Christian Solmecke, and his expert team are available to answer your questions.
Call us on 0221 / 951 563 0 (advice available throughout Germany) or use our contact form.