Data protection officer in Germany

With Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), the European legislator has significantly increased the level of protection of personal data. As a result, external data protection officers have taken on an increasingly important role. Their main task is to ensure that personal data is processed properly and that the obligations imposed on the controller and processor by the GDPR are fulfilled.

 

Role of the data protection officer

The data protection officer has the task of monitoring and advising on compliance with data protection in the company. In accordance with Article 39 sec. 1 of the GDPR, the main tasks of the data protection officer additionally include:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations;
  • to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

 

Obligation to appoint a data protection officer in Germany

According to § 38 sec. 1 of the Bundesdatenschutzgesetz (German Federal Data Protection Act), the controller and the processor must appoint a data protection officer if they generally employ at least 20 persons who are permanently engaged in the automated processing of personal data. If the controller or processor carries out processing operations that are subject to a data protection impact assessment in accordance with Article 35 GDPR, or if they process personal data on a commercial basis for the purpose of transmission, anonymised transmission or for the purpose of market or opinion research, they must appoint a data protection officer, regardless of the number of persons involved in the processing.

It should be emphasised that the tasks of the data protection officer can be carried out not only by a hired employee, but also by an external contractor. As the external data protection officer is not an employee of the company concerned, there is generally no possibility of a conflict of interest. The scope of the services provided by the external data protection officer is defined in the service contract in each individual case. The main advantage of outsourcing these tasks is that no additional employee needs to be permanently employed to perform them, which is of particular economic importance for smaller companies.

As an external data protection officer in Germany, Grau Rechtsanwälte PartGmbB ensures effective and professional protection of the processing of personal data in your company and enables efficient and lawful data management of your employees, contractual partners and clients.

We support you with the applicable legal provisions in the area of data protection in Germany, and with changes to them, at national and European level. In addition, we can help you develop a data protection policy in Germany.

By appointing Grau Rechtsanwälte PartGmbB as your external data protection officer, you are relieved of the liability that arises when appointing an internal data protection officer in a company. As the main task of the data protection officer is to ensure the lawful processing of personal data in the company, you also minimise the risk of high administrative fines of up to EUR 20,000,000.00 for violations of the GDPR provisions as well as further civil liability.

Grau Rechtsanwälte PartGmbB advises, audits and supports companies, also as an external data protection officer, in the area of data protection.

If you have any further questions, please contact our office at +49 (0) 40 180 364 020 or office@graulaw.eu.

Do you have any questions or require our consultation?

Contact us. We will help you further.