- Who needs to appoint a data protection official?
- Personal requirements
- Duties of the data protection official
- Position, rights and obligations of the data protection official
- Legal basis
Private authorities that automatically collect, process or use personal data for purposes other than personal or family activities must appoint a "business" data protection official (bDSB) in writing if they employ at least ten persons in automated data processing or in another form of processing. In particular, the following are obliged to do so:
- natural persons (e.g. doctors, pharmacists, lawyers, tax advisors, trade, skilled-craft and industrial companies)
- legal persons (e.g. credit agencies, market research and polling institutes, call centres, address brokers, private detectives and trade, skilled-craft and industrial businesses organised as a limited liability company (GmbH); banks and clinics operating in corporate form; registered associations; foundations under civil law with legal capacity)
- partnerships (e.g. a construction company in the form of a civil law partnership, a dispatch centre or service data centre in the form of a GmbH & Co. KG, solicitors' offices or film distributors in the form of an OHG)
- associations without legal capacity (e.g. parties, trade unions and professional associations)
Irrespective of the number of persons involved in the processing of data, private authorities are required to appoint a data protection official if they perform automated data processing that presents particular risks to the rights and liberties of the data subjects. In this case the processing must be inspected by the data protection official before it is carried out ("prior checking"). The same applies when personal data is processed commercially for the purpose of transfer or anonymised transfer. A (natural) person outside the responsible authority may also be assigned the duties of data protection official (external data protection official).
The data protection official must be appointed within one month of the private authority taking up its activity. If the data protection official is not appointed, or not appointed in good time, whether intentionally or through negligence, this can be punished with a fine of up to EUR 25,000.
Only persons who possess the specialised knowledge and demonstrate the dependability necessary for the performance of the duties concerned may be appointed a data protection official.
- The requisite specialist knowledge not only involves a basic understanding of data protection law but also a basic understanding of the methods and techniques of automated data processing as well as a knowledge of the business context. The data protection official must also be familiar with the organisation and functions of his or her business and have a good overview of all the specialist tasks for the purpose of which personal data is processed.
- Dependability here covers a careful and thorough manner of working, resilience, willingness to learn, consistency and conscientiousness, and also requires that the role of data protection official be compatible with the person's other full-time duties. A conflict of interest may arise if the person performs the duties of the data protection official in a secondary capacity. Moreover, persons should not be appointed data protection official if they would thereby enter into a conflict of interest beyond what is unavoidable. It would not be appropriate to appoint the owner, the board of directors, the managing director or other managers appointed under law or under the company's constitution, as they cannot check themselves effectively. One should also avoid appointing persons who, by virtue of their position in the company, are responsible for data processing (works manager, IT manager). On the other hand, the data protection official can be an employee from the auditing, legal or organisation departments.
- The appointment of a data protection official can also be revoked at the demand of the relevant supervisory authority if he or she does not, or no longer, possess the specialist knowledge and dependability required to perform the duties.
The data protection official is required:
- to ensure compliance with the Federal Data Protection Act and other data protection regulations,
- to monitor the correct use of the data processing programs used to process personal data,
- to train the persons involved in processing personal data; this may take place, for example, in written form, through training seminars or by providing tips and information during company meetings,
- to carry out a prior check on automated processing that involves risks for the rights and liberties of the data subjects (prior checking),
- to provide to anyone, upon request, information about the automated data processing methods in an appropriate manner,
- to investigate complaints if a person affected (e.g. an employee of the private authority, a customer, supplier or borrower) informs him or her that the private authority's processing of personal data violates his or her rights.
- The data protection official shall be directly subordinate to the management of the private authority. He or she shall be free to apply his or her specialist knowledge in the area of data protection and must not be placed at a disadvantage for performing these duties.
- The data protection official may also access personal data in order to perform the aforementioned duties, even where the data is subject to a special obligation of secrecy (e.g. a doctor's professional confidentiality). The same applies to external data protection officials.
- The data protection official must maintain secrecy on the identity of the person who made contact with him or her and on the circumstances which allow conclusions to be drawn about this person, unless he is released from this obligation by the complainant.
- The data protection official can be punished under Section 203 of the Penal Code (StGB) if he or she discloses, without permission, a third party's secret that was entrusted in a professional capacity to a person bound by Section 203 of the Penal Code (e.g. a doctor). The same applies to any other third-party secret of which he or she became aware while performing the duties of data protection official.
- The data protection official has the right to refuse to give evidence if, in the course of his or her activity, he or she becomes aware of data for which the manager of the private authority or a person employed there is entitled to refuse to give evidence for professional reasons. To the extent that this right to refuse to give evidence applies, the data protection official's files and other documents are not subject to seizure.
- The data processing authority is obliged to assist the data protection official in the performance of his or her duties and in particular provide him or her with staff, office space, equipment and funds if these are required to perform his or her duties.
- The data protection official must be informed in good time of forthcoming projects for automated processing of personal data.
- The responsible authority must provide the data protection official with certain information on the automated processes that are to be reported to the supervisory authority for data protection in the private sector. It must also name the persons authorised to access the data.
- In the event of doubt, the data protection official can consult the relevant supervisory authority for data protection in the private sector.
Tip: Additional information about the training and further training options for data protection officials, educational establishments and academies as well as the groups set up for the exchange of ideas at the Chambers of Industry and Commerce can be found in the Information leaflet produced by the Innenministerium. The Innenministerium has also made available a sample form (in German) used to appoint data protection officials.
- § 4d Bundesdatenschutzgesetz (BDSG) (Meldepflicht)
- § 4f Bundesdatenschutzgesetz (BDSG) (Beauftragter für den Datenschutz)
- § 4g Bundesdatenschutzgesetz (BDSG) (Aufgaben des Beauftragten für den Datenschutz)
- § 38 Bundesdatenschutzgesetz (BDSG) (Aufsichtsbehörde)
- § 43 Bundesdatenschutzgesetz (BDSG) (Bußgeldvorschriften)
- § 203 Strafgesetzbuch (StGB) (Verletzung von Privatgeheimnissen)
Release note: The German original version of this text was drafted in close cooperation with the relevant departments. The Innenministerium released it on 28.07.2015. Only the German text is legally binding. The Federal State does not assume any liability for the translated texts.
In cases of doubt or if you have any questions or problems, please contact the relevant authorities directly.