Under the General Data Protection Regulation (GDPR), the appointment of a data protection officer is mandatory in accordance with the requirements of Art. 37 Para. 4 GDPR in conjunction with Section 38 BDSG. In this blog article we answer the most important, fundamental questions about the data protection officer.
What is a data protection officer?
The data protection officer (DPO) is a natural person who is responsible for compliance with data protection within an organization. The DPO acts as a control function and has a duty to advise the controller. Furthermore, the data protection officer is not subject to instructions and may not be restricted in fulfilling his tasks. The data protection officer is not authorized to issue instructions; he may only make recommendations and report to the top management level.
Who takes on the job of the data protection officer?
The data protection officer can be appointed internally, i.e. within an organization, or externally. If the data protection officer is appointed internally, it must be ensured that there is no conflict of interest. Therefore, for example, no IT manager, managing director, head of human resources, head of legal, etc. should take over the position of data protection officer. Furthermore, it must be ensured that the appointed data protection officer has the necessary specialist knowledge of data protection law and data protection practice to perform his tasks.
What tasks and obligations does the data protection officer have?
The tasks of the data protection officer are derived from the General Data Protection Regulation according to Art. 39 GDPR.
Monitoring the correct application of the data processing programs:
The data processing programs that are used in the company must be checked by the data protection officer to determine whether they meet the requirements of the General Data Protection Regulation or whether further measures have to be taken to ensure data protection-compliant processing.
Training of employees
The task of the data protection officer also includes training the controller’s employees in the area of data protection law. This can be done in various ways, for example through eLearning.
Processing of technical inquiries from employees, customers, etc.
The data protection officer is obliged to properly process inquiries from employees and customers of the controller and then to provide information.
Advice to management, employees and departments on technical and organizational measures
Personal data must be protected during processing by means of technical and organizational measures. The task of the data protection officer is to advise and support those responsible with regard to appropriate measures.
Review of the requirements of service providers, e.g. in the context of order processing
When commissioning new service providers, the data protection officer must be informed in advance. The task of the data protection officer is to check the service provider to determine whether he is processing the personal data in compliance with data protection regulations. This is done by examining the agreement on order processing and checking the technical and organizational measures taken by the service provider.
Control and protection of the rights of those affected
The controller is responsible for safeguarding the rights of the data subject (e.g. requests for information, correction and deletion). The task of the data protection officer is to provide the controller with adequate support and with information on data protection issues.
Supervision in keeping the record of processing activities
The controller must keep a record of processing activities. This record describes how the personal data is processed. The data protection officer must support the controller here. Furthermore, it is the duty of the data protection officer to monitor all processes in which personal data is processed and to check whether these have already been documented.
Assistance with risk assessment and data protection impact assessment
If processing involves a particularly high risk for the rights and freedoms of the natural person (e.g. extensive video surveillance), a data protection impact assessment must be carried out in accordance with Art. 35 GDPR. The task of the data protection officer is to support the controller in carrying out this assessment.
Support in reporting data breaches to the supervisory authorities
If the data breach poses a particularly high risk for the rights and freedoms of the data subject, this must be reported to the competent supervisory authority within 72 hours of the data breach becoming known. However, the data protection officer must be informed of every data breach. His task is then to assess whether this is notifiable or not.
Creation of an activity report
According to Art. 39 GDPR, the data protection officer is obliged to inform the controller about his obligations under data protection law and to monitor compliance with the GDPR in the company. This obligation is met through an activity report.
Did you know that we not only provide external data protection officers and advise you on all aspects of the subject, but also offer eLearning? You don’t even have to be a consulting customer.
We’re here to help. Please call us on 08505 919 27-0 or fill out our contact form.
The term "data protection officer" always refers to both male and female persons. For the sake of easier readability we only use the masculine form in this text.
Ramona Höfler has been with us since her training as an office management assistant and therefore knows our service portfolio very well. She now not only supports our team in the back office but also assists our customers as a certified data protection officer. Service and solution orientation, flexibility and competence are her top priorities.