In December 2015, after years of negotiations, the EU Parliament and the EU Council agreed on a European General Data Protection Regulation (GDPR). The aim is to harmonise the protection of personal data throughout Europe. From a German perspective, the existing data protection laws will not change substantially in view of the GDPR. However, many companies in the rest of Europe will face considerable changes. One of these changes will be the mandatory appointment of Data Protection Officers throughout Europe.
Data Protection Officer: from exception to standard
The European General Data Protection Regulation establishes the obligation to appoint a Data Protection Officer (DPO) at a European level. Under the former Directive 95/46/EC, the appointment of a DPO was only optional. Hardly any EU member state – one of the exceptions was Germany – had made use of this possibility.
However, in the future, companies will have to appoint a Data Protection Officer if personal data is processed in order to regularly and systematically monitor data subjects on a large scale, for example by measuring access to websites. Furthermore, the appointment is also required in cases in which the core activities of a company consist of processing special categories of data on a large scale, such as health data in a health insurance company.
The scope of this very general provision cannot yet be assessed. Vague definitions such as “a large scale” are, from a legal perspective, far too subjective to foresee which kinds of companies will be covered by this wording. However, it is clear that the idea of a Data Protection Officer has finally started to take hold in European politics.
For German companies, not too many changes with respect to the appointment of a DPO are to be expected. A clause in the respective provisions of the General Data Protection Regulation enables EU member states to establish their own rules for the compulsory appointment of the Data Protection Officer. It would not come as a surprise if Germany made use of this option since it already has quite strict rules for the appointment of a DPO in place in its Federal Data Protection Act.
Requirements for a Data Protection Officer
Other European member states will have to consider the requirements and the necessary profile for a Data Protection Officer. Comparable to the German rules, the GDPR stipulates that DPOs need to have expert knowledge in the field. In this context, seminars and training courses will be key, as they already are in Germany.
However, it is expressly foreseen that companies have the option to choose whether they wish to appoint an employee as an internal DPO or whether they want to outsource this function and appoint an external DPO. This model is not new to German companies either.
In the case of an internal Data Protection Officer, i.e. if the company appoints one of its employees, it has to be ensured that the designated DPO does not face a conflict of interest in view of his/her regular job. This problem is unlikely to arise if the company decides to appoint an external DPO.
From an organisational point of view, and to ensure a direct channel of communication, the provisions of the European General Data Protection Regulation require the DPO to report directly to the CEO or at least to the highest management level of the company. In order to avoid potential conflicts due to conflicting interests between the management and the DPO, the GDPR further prescribes that the internal or external DPO may not receive any instructions regarding the exercise of his/her tasks and may not be dismissed or penalised for performing his/her tasks.
Tasks of the Data Protection Officer
The tasks of the DPO remain more or less unchanged in the new GDPR and are accordingly comparable to those in the German Federal Data Protection Act. Besides the requirement to inform and advise the company and its staff on data protection related questions, the DPO also has the task of monitoring compliance with the data protection rules. Additionally, he/she needs to provide advice on and monitor the performance of the new data protection impact assessment, the latter being somewhat comparable to the former prior checking under Directive 95/46/EC.
Additionally, the DPO is the contact point for the supervisory authority and is obliged to cooperate with it. This in particular will be one of the most important tasks of the DPO since, according to the “one-stop-shop” idea of the GDPR, data subjects and companies can turn to a single supervisory authority for all their concerns.
The rules now expressly incorporate the obligation to publish the contact details of the DPO and to communicate them to the supervisory authority.
Role of the DPO in a corporate group structure
For an international company with locations in other European member states, it is important to note that, following the harmonised provisions of the regulation, it is possible to appoint a single Data Protection Officer, e.g. the DPO of a German company, as the DPO for the entire group of companies. The advantages of such a group-wide DPO are clear: a good overview, simplified coordination between the locations and short communication paths. In the case of very large groups, an additional local role to support the DPO, e.g. a Data Protection Coordinator, should nevertheless be envisaged.
Conclusion: The role of the Data Protection Officer will be upgraded
In conclusion, while in Germany at least the existing legislation will only be amended in its details, there will be a clearly different perception of the role of the Data Protection Officer as an institution within companies throughout Europe. The DPO will be a crucial element of large international companies, and at the same time this increases his/her standing and position within a company. Companies with branch offices in numerous countries, not only EU member states, should already start looking into having one Data Protection Officer for the entire group of companies.
Against the background of the new provisions of the GDPR in relation to the DPO, it is clear that the former strict German data protection rules, sometimes even considered too strict, will now be a clear locational advantage: while companies in other EU member states now have to establish the respective data protection roles and procedures for the first time, German companies already benefit from established procedures and an appointed Data Protection Officer.