The responsible party bears the responsibility for compliance with data protection. If it is a company, i.e. a legal entity, it cannot of course act itself. Responsibility for data protection in the company is therefore borne by the person authorised to represent the company or legal entity, usually the managing director, board member or manager in general.
In practice, attempts are often made to pass on the issue of data privacy. In many cases, the management hopes that this will also result in a transfer of responsibility and, as a result, an exemption from its own liability. However, the mere delegation of a task cannot result in a release from responsibility. This article explains under which conditions at least a partial release from liability is possible.
To what extent can data protection be delegated?
Even if companies have appointed a data protection officer, this does not automatically reduce management’s responsibility for data protection. This is because the duties of the data protection officer essentially consist of monitoring whether data protection is being implemented correctly in the company and, in particular, whether management is pursuing a suitable strategy for this purpose. In addition, the data protection officer has advisory and information duties with regard to data privacy issues.
The company itself is and remains responsible for the correct implementation of data protection; in the final analysis, this means the management. It is true that management can delegate tasks to employees or external parties for completion. However, delegating a task does not mean that responsibility is lost; it merely changes.
Criteria for the delegation of data protection in the company
When delegating corporate data protection, the management actually responsible must meet special criteria in order to fulfil its duty of care:
When selecting the recipient of the task, the management must already ensure that the recipient has sufficient personal and professional competencies to perform the task in a professional manner.
Whether an employee is suitable for a particular position is determined on a case-by-case basis. As a guideline, the more responsible the task, the greater the expertise and practical experience in the future field of activity should be. In the case of senior executives, care should also be taken to ensure that they have sufficient leadership skills and are able to withstand greater pressure.
In addition, conflicts of interest should be avoided: No one should supervise a process for which they themselves are responsible.
The recipient of the task should, if necessary, be instructed in his or her new field of activity before taking up the job. In particular, the tasks and duties associated with the new activity should be explained to him or her, as well as the standard work processes.
The correct handling of the required equipment, for example the use of encryption and data transmission technologies, may also play an important role here.
With regard to the data protection officer, the records of processing activities (ROPA) deserve particular mention here: they should prepare the officer for his or her tasks and support him or her in completing them.
The organisational position and role of the data protection officer in the company deserve special attention. The management should always ensure that the data protection officer has all the resources necessary to fulfil his or her tasks and duties. The officer must also be granted the necessary competencies and authorisations, and the corresponding areas of responsibility must be clearly defined.
For reasons of transparency and accountability, the subject and scope of the delegation should be specifically defined and recorded in each case. After all, it is precisely this documentation that can, under certain circumstances, determine in the event of a dispute who bears the actual responsibility for a (failed) action. With the accountability obligation introduced by the General Data Protection Regulation (GDPR), records to prove that this obligation has been met are indispensable anyway.
The recipient of the task should be familiarised with the relevant legal provisions. Depending on the scope of the activity, general instruction may no longer be sufficient; instead, specific training on data protection topics is appropriate.
In addition, it must be clear to each employee at all times for which part of the operational process the respective employee is responsible and which legal regulations and other framework conditions must be complied with when performing the activity.
Incidentally, the duty to inform and train exists in principle even if the management can assume that the employee already has relevant knowledge. The particularities of the respective assignment must always be pointed out.
As a matter of principle, the management must satisfy itself that the delegated task has been performed correctly. However, there is no comprehensive obligation to monitor every individual implementation step. Here, too, the scope of the control is determined according to the circumstances of the individual case.
What does due diligence require?
Important criteria here are, in particular, the reasonableness of monitoring measures, the size of the company, the employee’s qualifications, the importance or complexity of the task and the structure of the internal organisation. As a rule, spot checks may be sufficient to fulfil the monitoring obligations. It is also to be expected that the management will receive regular reports from the delegates in order to intervene in a controlling manner if necessary.
Criteria for obtaining external advice
In order to decide with due care, the decision-maker must do so on the basis of adequate information. If the necessary information or expertise is not available, it must be provided.
Particularly in the area of data protection law, it may well be that due diligence requires obtaining external advice. If such advice is obtained, the responsible party may rely on it under the following conditions according to the established case law of the German Federal Court of Justice (which we also consider here to be appropriate criteria for other countries):
- The consultant must demonstrate professional competence. This is usually expressed by membership of a particular profession, such as lawyers, tax consultants or auditors. The decisive factor is, of course, that the profession and the requirements to be met match. In practice, it must be noted that although data protection officer is a recognised profession, it does not require professional training or a degree, unlike the examples mentioned. Currently, anyone may call themselves a data protection officer and offer their services. In order not to incur liability themselves, responsible parties should therefore critically question whether an external data protection officer actually possesses the necessary qualification when it matters. It should be obvious that one-time participation in a seminar, ideally lasting several days, to become a certified data protection officer is not sufficient to acquire the expertise needed to handle more complex issues off the cuff.
- The consultant must be independent.
- The consultant must have been sufficiently informed. This is an obligation: the company must actively provide the relevant information. Of course, the consultant should also ask specific questions.
The result of the consultation must at least be subjected to a plausibility check. Is the result based on complete information, is it comprehensible and free of contradictions? If all of these requirements are met beyond doubt, then in case of doubt, it is no longer the person responsible who is liable, but if necessary the external consultant.
Conclusion: Data protection can be delegated, liability remains
Only when all of the above criteria are met in the delegation of data protection is there no longer any doubt about the management’s duty of care. However, responsible managers must ultimately bid farewell to the dream of being able to completely put data protection to rest by delegating it or appointing a data protection officer.