DATA-PROTECTION-OFFICER

Tasks of a data protection officer

TASKS OF A DATA-PROTECTION-OFFICER

The tasks of a data-protection-officer are defined by law. You can find them in Article 39 of the GDPR. In summary, this means that a data protection officer is responsible for the following tasks:

  • information and advice to the company
  • the monitoring of compliance with the GDPR
  • act in an advisory capacity in data protection impact assessments pursuant to Art. 35 GDPR
  • train company employees
  • maintain cooperation with the supervisory authority and act as a contact for the authority
  • be a contact person for those affected

At first glance, these tasks of a data-protection-officer seem clear. The exact workload, however, depends on factors such as the company size and the field of activity. Therefore every company needs to be assessed individually.

INFORMING AND CONSULTING THE COMPANY

The data-protection-officer advises the company. This means he gives basic recommendations on specific questions regarding data security. Whenever the data-protection-officer sees a risk in the processing of personal data, he points it out to the controller. The controller remains responsible for the processing of personal data because the data-protection-officer is not authorized to give instructions. It is nevertheless the task of the data-protection-officer to develop solutions for the controller.

MONITORING THE OBSERVANCE OF THE GDPR

Data protection is not a one-time or short-term issue. It is an ongoing process that must be constantly adapted and, if necessary, redesigned due to changes in the law, technical innovations or changing business areas. Accordingly, monitoring compliance with data protection requirements is an important, but at the same time one of the most complex tasks of the data protection officer.

No general statement can be made as to what such monitoring may look like. As with the determination of the workload of the data protection officer, the factors of company size and the field of activity of the company are decisive. At the same time, however, the subjective factor of the corporate culture is a decisive one here, since this can have a strong influence on the daily work processes.

DATA PROTECTION IMPACT ASSESSMENT

For which procedures are data protection impact assessments necessary? How can they be implemented? For these and other questions, the data protection officer is always the first point of contact for the company.

TRAINING OF EMPLOYEES

Informing and training employees is an important duty for companies. Often there are “deadlocked structures” which have to be changed, adapted or optimized due to increased requirements in data protection and IT security. If the employees of a company are appropriately trained and sensitized to the topic of data protection, an adjustment is usually easier to convey.

COOPERATION WITH THE SUPERVISORY AUTHORITY

If data protection incidents occur in the company, the supervisory authority turns to the data protection officer. His task is to act as an interface and mediator between the controller and the respective authority.

At the same time, however, the supervisory authorities also advise and support the data protection officer with regard to their typical needs. This means that whenever unclear questions arise, help can always be sought from the supervisory authority.

CONTACT PERSON FOR DATA SUBJECTS

Usually the Data Protection Officer is the first point of contact for data subjects wishing to exercise their rights. In doing so, it is important to keep an eye on all deadlines and requirements that are defined in the law.

INTERNAL OR EXTERNAL DATA-PROTECTION-OFFICER?

The position of data protection officer within the company can be performed by an internal employee or externally by a service provider. Both variants have their advantages and disadvantages, which are outlined in the following table:

| | External data protection officer | Internal data protection officer |
|---|---|---|
| Expertise | Certified data protection officers with already existing expertise that can be called upon at any time and directly | Time-consuming and costly further training measures to acquire specialist knowledge |
| Position in the company | Neutral person in the company towards internal (employees) and external (affected persons, supervisory authorities) | Possible conflicts of interest (e.g. “company blindness”, acceptance by other employees) |
| Costs | Transparent cost structure through contractually fixed prices | Non-transparent cost structure. In addition to the regular salary of the employee, there are additional costs for the proof of expertise (e.g. regular further training) |
| Liability | No application of the principles of limited employee liability | Liability within the scope of limited employee liability |
| Protection against dismissal | The appointment of the external service provider as data protection officer may be terminated in due time in accordance with the respective contract. | Dismissal only for important reasons |
| Instruction | Training period in the operating procedures necessary. | Operational procedures of the company are roughly known. |

The nomination of an employee in the company as data protection officer is linked to a number of requirements. First of all, the necessary working time must be made available for the data protection officer to use for this activity. As a result, the employee will no longer be able to perform all the tasks previously assigned to his or her area of responsibility. In order to prove the required expertise, it is necessary that the employee is regularly trained and has access to specialist literature. At the same time, the employee receives special protection against dismissal.

In contrast, the external data protection officers are qualified, certified data protection experts whose specialist knowledge has been tested many times. They are available to the company as service providers. The expertise available guarantees the best protection for your company and thus protects you from high fines.

Member of: BvD e.V.