Company data protection officer

Every day, companies process and store a wealth of personal data, for example from business partners, customers, suppliers and, last but not least, their own employees. For this reason, the topic of data protection now plays a very important role in companies. Which companies need a data protection officer? Who is eligible to be a data protection officer? What are their tasks, rights and duties?

Which companies must have a data protection officer?

Which companies must appoint their own data protection officer is regulated by Section 38 of the Federal Data Protection Act (BDSG). Accordingly, a company data protection officer is required in companies in which at least 20 employees are permanently engaged in the automated processing of personal data, i.e. employees whose regular work involves processing personal data, such as customer advisors or staff in the HR department.

In addition, regardless of the number of employees, a data protection officer must be appointed if the company carries out processing that is subject to a data protection impact assessment, or if it processes personal data commercially for the purpose of transmission or for market or opinion research.

According to Art. 37 of the General Data Protection Regulation (GDPR), companies must also appoint a data protection officer if:

  • The core activity of the company consists of carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects.
  • The core activity of the company consists of the extensive processing of special categories of data pursuant to Art. 9 GDPR or of personal data relating to criminal convictions and offences pursuant to Art. 10 GDPR.

A group of companies may appoint a single, joint data protection officer, provided that the data protection officer is easily accessible from every establishment.

Note: Even companies that are not obliged to appoint a data protection officer must still address data protection issues and comply with the applicable data protection regulations. Employers who are not legally obliged to appoint a data protection officer should therefore consider whether to appoint one voluntarily.

Function and tasks of the data protection officer

The tasks of the data protection officer are defined in Art. 38 and 39 GDPR. Their main tasks include:

  • Informing and advising the management and employees regarding their data protection obligations
  • Creating transparency in operational data processing
  • Advice on technical and organisational measures in the area of data processing
  • Monitoring whether data protection regulations are complied with in the company
  • Checking whether the company's data protection strategy and internal data protection guidelines are being implemented
  • Sensitisation and training of employees with regard to data protection regulations
  • Representation of the company in data protection issues
  • Advice in connection with the data protection impact assessment and monitoring its implementation
  • Cooperation with the supervisory authority
  • Acting as the contact point for the supervisory authority
  • Prioritising their tasks on a risk basis, having due regard to the risks associated with the processing operations

Who can act as a data protection officer?

When it comes to the question of who is appointed as the company data protection officer, companies have a relatively large amount of room to manoeuvre. They can assign this task to one of their own employees. This person should be familiar with data protection issues and be appropriately qualified and trained. However, it is also possible to appoint an external data protection officer. It is important to weigh up in advance which option - the internal or the external solution - makes more sense in your case.

The contact details of the company data protection officer must be made available to the public, for example by stating the contact details on the company website.

Tip: The data protection officer should be appointed in writing. The main tasks, rights and obligations of the data protection officer should also be set out in writing.

Rights and duties of the data protection officer

The rights and obligations of the company data protection officer are governed by Art. 38 GDPR.

  1. Involvement in data protection issues: The employer must ensure that the data protection officer is involved properly and at an early stage in all matters relating to the protection of personal data.
  2. Provision of resources: The employer must support the data protection officer in the fulfilment of their tasks in accordance with Art. 39 GDPR by providing them with the necessary resources and access to personal data and processing operations, as well as the resources required to maintain their expertise.
  3. Working without instructions: The employer must ensure that the data protection officer can carry out his or her tasks independently. The data protection officer is not bound by instructions in his/her function as data protection officer.
  4. Prohibition of discrimination: The data protection officer may not be dismissed or discriminated against by the employer for the fulfilment of his/her duties.
  5. Reporting obligation: The data protection officer must report directly to the highest management level of the company on his or her work.
  6. Contact person for data protection issues: Data subjects may contact the Data Protection Officer with any questions relating to the processing of their personal data and the exercise of their rights under the GDPR.
  7. Secrecy and confidentiality: The data protection officer is bound by the regulations on secrecy and confidentiality in the fulfilment of his/her duties.
  8. Avoidance of conflicts of interest: If the data protection officer performs other tasks and duties, the employer must ensure that these tasks and duties do not lead to a conflict of interest with his/her tasks and duties as data protection officer.

Dismissal of the data protection officer

Dismissal (removal from office) of the company data protection officer is only possible within narrow limits. Pursuant to Section 6 (4) BDSG, the dismissal of a company data protection officer is only permissible by corresponding application of Section 626 BGB. This means that there must be good cause for the dismissal. Good cause in this sense may exist, for example, if the data protection officer persistently neglects their monitoring duties or if there are conflicts of interest with other tasks or activities.

Please note: If the appointment of the data protection officer was not mandatory, but was made voluntarily by the employer, then the employer can dismiss the data protection officer at any time without having to show good cause.

Special protection against dismissal

Company data protection officers enjoy special protection against dismissal. This means that termination of the employment relationship is generally not permitted unless there are facts that entitle the company to terminate the employment relationship for good cause without observing a notice period. This special protection against dismissal continues to apply for up to one year after the end of the appointment as data protection officer.

However, the special protection against dismissal only applies if there was an obligation to appoint a data protection officer. If the employer has appointed the data protection officer voluntarily, the special protection against dismissal does not apply.
