The Data Protection Officer (DPO) has been appointed, and a forwarding rule for the e-mail address published in the data privacy statement, one that delivers every message exclusively to the mailbox of the appointed DPO, has supposedly been set up. The availability of the data protection officer for data subjects is thus permanently ensured. Really? Unfortunately, no! And that “no” can have unpleasant consequences for the data controller, i.e., for the company!
Two key aspects:
- If a Data Protection Officer has been appointed for the company, his or her contact details must be published in accordance with Article 13 (1) b) GDPR as part of the information obligations towards the data subjects.
- The availability of the Data Protection Officer must be ensured.
The obligation of secrecy
The following must be observed at all times: the DPO is obligated to maintain confidentiality within the scope of his/her activities pursuant to Art. 38 GDPR and §§ 6, 38 BDSG. This duty of confidentiality applies also towards the responsible body itself, including the management and any data protection coordinators! In particular, it covers the identity and concerns of data subjects (e.g., employees, customers, visitors to the website and other persons), who may contact the data protection officer at any time in confidence in accordance with Section 6 (5) BDSG.
For this purpose, an e-mail address, e.g. “datenschutz@”, has usually been set up and communicated in all data protection information to data subjects for contact purposes.
However, the right to confidential consultation, as well as the legal obligation to ensure the availability of the DPO, would be undermined if persons other than the appointed DPO himself/herself had access to the e-mail communication, e.g., data protection coordinators or the IT department of the responsible body. Of course, the accessibility of the DPO is equally disrupted by an e-mail forwarding that simply does not work.
Recommendation to maintain confidentiality
It is therefore advisable to check the access authorizations to the respective “datenschutz@” mailboxes for data privacy compliance and, if necessary, to strictly regulate or immediately revoke existing access, and also to verify by means of regular tests that the established forwarding to the Data Protection Officer actually works.
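The two checks recommended above can be scripted. The following audit is an added example, not part of the original post; it assumes the “datenschutz@” mailbox is hosted in Exchange Online, that the Exchange Online PowerShell module is installed, and that the placeholder addresses and SMTP server are replaced with the company's own.

```powershell
# Added example (not from the original post): audit a "datenschutz@" mailbox in Exchange Online.
# Assumptions: Exchange Online PowerShell module is installed, the caller holds a role that may read
# mailbox permissions, and all addresses/servers below are placeholders to be replaced.
$PrivacyMailbox = 'datenschutz@example.com'   # published contact address (placeholder)
$DpoAddress     = 'dpo@example.org'           # appointed DPO's own mailbox (placeholder)

Connect-ExchangeOnline -ShowBanner:$false
$findings = @()

# 1. Who may read the mailbox? Anything beyond the DPO and the system-owned entries is a finding.
Get-MailboxPermission -Identity $PrivacyMailbox |
    Where-Object { -not $_.IsInherited -and ([string]$_.User) -notlike 'NT AUTHORITY\*' -and ([string]$_.User) -ne $DpoAddress } |
    ForEach-Object { $findings += "Mailbox access: $($_.User) has $($_.AccessRights -join ',')" }

# 2. Who may send as the mailbox? A reply from someone who is not the DPO is exactly the failure described above.
Get-RecipientPermission -Identity $PrivacyMailbox |
    Where-Object { ([string]$_.Trustee) -ne 'NT AUTHORITY\SELF' -and ([string]$_.Trustee) -ne $DpoAddress } |
    ForEach-Object { $findings += "Send-as right: $($_.Trustee)" }

# 3. Is server-side forwarding configured, and does it point at the DPO only?
$mbx = Get-Mailbox -Identity $PrivacyMailbox
$target = $null
if ($mbx.ForwardingSmtpAddress) { $target = ([string]$mbx.ForwardingSmtpAddress) -replace '^smtp:', '' }
elseif ($mbx.ForwardingAddress)  { $target = [string](Get-Recipient -Identity ([string]$mbx.ForwardingAddress)).PrimarySmtpAddress }
if (-not $target)                     { $findings += 'Forwarding: no server-side forwarding configured' }
elseif ($target -ne $DpoAddress)      { $findings += "Forwarding: target is $target, not the DPO" }
if ($mbx.DeliverToMailboxAndForward)  { $findings += 'Forwarding: a copy stays in the shared mailbox, readable by anyone with access' }

# 4. Inbox rules that forward or redirect elsewhere bypass the intended path to the DPO.
Get-InboxRule -Mailbox $PrivacyMailbox |
    Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
    ForEach-Object { $findings += "Inbox rule '$($_.Name)' forwards or redirects mail" }

# 5. End-to-end test of the forwarding: send a uniquely tagged message and confirm receipt with the DPO.
$token = "DPO-FORWARD-TEST-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Send-MailMessage -From 'audit@example.com' -To $PrivacyMailbox -Subject $token -Body 'Forwarding test' -SmtpServer 'smtp.example.com'

if ($findings.Count -eq 0) { "No findings for $PrivacyMailbox. Test message $token sent; confirm receipt with the DPO." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a schedule and keep the output with the audit records: step 5 only proves the forwarding works if the DPO confirms that the tagged message actually arrived.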
Consequences of non-compliance with the obligation
In the event of non-compliance, there is a risk that a supervisory authority will exercise its remedial powers in accordance with Article 58 GDPR and that the company, as the responsible entity, may be subject to a substantial fine in accordance with Article 83(5)(b) GDPR. Finally, it should be noted that pursuant to Article 77 GDPR every data subject has the right to lodge a complaint with the data protection supervisory authorities. If, after sending an e-mail to the company’s Data Protection Officer, a data subject receives, for example, an error message or a response from a person who is not the DPO, he or she may make use of this right without delay!
We are happy to support you in all matters relating to information security and data protection in your company.
Mr. Goslar brings 18 years of professional experience as an HR business partner, account manager and executive. In addition, he has acquired extensive know-how in interface roles between IT security and data protection. “As a certified data protection officer, I am happy to support and advise you in implementing the GDPR.”