Data protection officer according to German law

Appointment of the DSB

§ 4f (1) of the German Data Protection Act (BDSG) regulates the mandatory appointment of a data protection officer in the public sector wherever automated data processing takes place.

In the private sector, a data protection officer must be appointed within one month once at least 10 employees are regularly engaged in the automated processing of personal data. Regardless of the number of employees, a data protection officer must be appointed in the non-public sector by law, according to § 4f (1) BDSG, if:

  • the automated processing of personal data is subject to prior checks,
  • automated data processing procedures take place for the purpose of transmission, or
  • automated data processing procedures take place for the purpose of market and opinion surveys.

or, also according to § 4f (1) BDSG, if:

  • at least 20 persons are engaged in the non-automated processing of personal data. According to § 1 (2) no. 3 BDSG, a file reference is always required (i.e. the personal data processed must form a file or must originate from data processing systems).

Naturally, data protection must always be exercised even if the prerequisites mentioned above are not met. A company may therefore appoint a data protection officer on a voluntary basis in order to ensure that these tasks are performed efficiently.

Legal status of the data protection officer

The operational data protection officer is, from the perspective of the respective supervisory authority, not considered a “third party”, but a part of the company. This applies equally to the internal and the external data protection officer.

To safeguard the interests of the data subject, it must be guaranteed that the data protection officer can pursue his work independently and without external influence. At the same time, he is subject to certain obligations in order to meet the strict requirements of the BDSG and of area-specific data protection laws. § 4f BDSG establishes the legal status of the data protection officer.

The following points must be taken into consideration:

The data protection officer:

  • must possess the necessary expertise and reliability, and in particular must be independent
  • reports directly to the management of the responsible body
  • is free to make decisions in his area of expertise and must not be discriminated against because of his work
  • enjoys special protection against dismissal if appointed internally (his appointment can only be revoked for good cause in accordance with § 626 BGB, or he can be dismissed by the supervisory authority). Good cause would be, for example, a gross violation of the secrecy obligation or a corruption charge.
  • is bound to secrecy (a breach is punishable under § 203 (2a) StGB)
  • has a right to refuse to give evidence
  • has a right to be supported by the company (supporting staff, infrastructure, access to all relevant documents)
  • has a right to further training and continuing education paid for by the company

For appointing the internal or external data protection officer, the link below provides free documents and samples for download:

Requirement & duties of the data protection officer

Before an external or internal data protection officer is appointed, his professional and social competencies must be taken into consideration. The German legislator has formulated strict requirements in § 4f BDSG. The checklist below can help the company make a competent choice.

Checklist for the requirements as regards the data protection officer:

  1. Expert knowledge (§ 4f (2) BDSG)

    • legal knowledge of general and area-specific data protection law
      (consultants may also be used, § 4f (5) BDSG)
    • technical knowledge, especially of the EDP systems in use
    • organizational abilities, including the introduction and implementation of new processes in
      company structures
    • pedagogical, communicative and didactic abilities (e.g. for training sessions)
    • cooperation and the ability to work in a team
  2. Reliability (§ 4f (2) BDSG)

    • secrecy with regard to the personal data of the data subjects
    • incorruptibility and objectivity in the execution of tasks
    • personal responsibility for remedying data protection issues
    • sensitivity to the interests of the data subjects and to company objectives
    • no conflict of interest: decision-makers and persons responsible for the processing are unsuitable

If the prerequisites listed above are not met, the company can revoke the appointment of the data protection officer, or the supervisory authority can dismiss him after examination.

A more specific explanation of the job description of the data protection officer can be found here:

According to § 4g (1) BDSG, the data protection officer must work towards compliance with data protection provisions. However, he is not responsible for their actual implementation.

Rather, the responsible body, for example the company, must ensure that the recommendations of the data protection officer are implemented.

The internal data protection officer is only liable in case of gross negligence or intentional acts, whereas the external data protection officer is liable without restriction.

An extensive overview of the tasks of the data protection officer can be found below. It must be noted, however, that data protection and its related tasks (e.g. creation of the procedure index and the prior checks) must be ensured even if no data protection officer has been appointed.

Tasks of the data protection officer:

  • Making the procedure index available to the public (§ 4g (2) BDSG)
  • Performing prior checks in case of automated processing involving special risks
    (§ 4d (6) BDSG)
  • Binding the employees to data secrecy (§ 5 BDSG)
  • Monitoring the EDP programs that process personal data (§ 4g (1) no. 2 BDSG)
  • Upholding the principles of data avoidance and data economy: the aim is to collect, process or use as little personal data as possible
    (§ 3a BDSG)
  • Acting as contact person for data subjects (§ 4f (5) BDSG)
  • Coordinating and monitoring the measures for data protection and data security
  • Participating in answering requests for disclosure by data subjects and in notifying the data subjects when data is collected
  • Representing the company in data protection matters
  • Training the employees (§ 4g (1) no. 2 BDSG)
  • Advising on technical and organisational measures