
The role of the DPOs under the new GDPR: the German reference

7. June 2016

The new GDPR, which will enter into force in May 2018, updates the current European Data Protection legislation. One of the key aspects of the Regulation is the obligation to appoint a Data Protection Officer (DPO) in the following cases:

  • If the processing is carried out by a public authority, except courts acting in their judicial capacity
  • If the core activities of the controller or the processor consist of processing operations which, according to their nature or scope, require regular and systematic monitoring of data subjects on a large scale, or
  • If the core activities of the controller or the processor consist of processing on a large scale of sensitive data

Currently, several jurisdictions mention the possibility of appointing a DPO, but Germany is the only EU Member State that imposes the obligation to appoint a DPO if more than nine people within an organization handle personal data. The DPO can be a member of the organization or an external expert.

According to German Data Protection law, DPOs are appointed by the management of the organization but fulfill their duties without being subject to any instructions from the data controller. Moreover, they have the obligation to report to the management on the compliance status of the organization and, even if their recommendations are not followed, the DPO has fulfilled his/her duty. This DPO culture in Germany also means that DPOs are not only people with legal backgrounds; the role is also assumed by persons with different backgrounds, for example by engineers or HR employees who have been given this responsibility.

Thomas Spaeing, CEO of the German Association of Data Protection Officers, remarks on the importance of the appointed person knowing the processes and organization of the company and being able to integrate the legislation with the organizational data processing activities. The DPO should be seen as a person who helps businesses implement data protection processes in the interest of both the data subjects and the company itself.

The GDPR mentions the possibility of appointing either an external or an internal DPO and describes their position in terms similar to those existing under German Data Protection law. In Germany, this will not mean a major change in the local legislation, but other countries that do not currently regulate the institution of the DPO will have to make any necessary changes to be compliant with the requirements of the GDPR by May 2018.