TASKS OF A DATA PROTECTION OFFICER
The tasks of a data protection officer are defined by law. You can find them in Article 39 of the GDPR. In summary, this means that a data protection officer is responsible for the following tasks:
- information and advice to the company
- the monitoring of compliance with the GDPR
- act in an advisory capacity in data protection impact assessments pursuant to Art. 35 GDPR
- train company employees
- maintain cooperation with the supervisory authority and act as a contact for the authority
- be a contact person for those affected
At first glance these tasks of a data protection officer seem to be clear. The exact workload, however, depends on factors such as the company size and the field of activity. Therefore every company needs to be assessed differently.
INFORMING AND CONSULTING THE COMPANY
The data protection officer consults the company. This means he gives basic recommendations on specific questions regarding data security. Whenever the data protection officer sees a risk in the processing of personal data, he points it out to the controller. The controller stays in charge of processing personal data because the data protection officer is not authorized to give instructions. It is nevertheless the task of the data protection officer to develop solutions for the controller of personal data.
MONITORING THE OBSERVANCE OF THE GDPR
Data protection is not a one-time or short-term issue. It is an ongoing process that must be constantly adapted and, if necessary, redesigned due to changes in the law, technical innovations or changing business areas. Accordingly, monitoring compliance with data protection requirements is an important, but at the same time one of the most complex tasks of the data protection officer.
No general statement can be made as to what such monitoring may look like. As with the determination of the workload of the data protection officer, the factors of company size and the field of activity of the company are decisive. At the same time, however, the subjective factor of the corporate culture is also decisive here, since it can have a strong influence on the daily work processes.
DATA PROTECTION IMPACT ASSESSMENT
For which procedures are data protection impact assessments necessary? How can they be implemented? For these and other questions, the data protection officer is always the first point of contact for the company.
TRAINING OF EMPLOYEES
Informing and training employees is an important duty for companies. Often there are “deadlocked structures” which have to be changed, adapted or optimized due to increased requirements in data protection and IT security. If the employees of a company are appropriately trained and sensitized to the topic of data protection, an adjustment is usually easier to convey.
COOPERATION WITH THE SUPERVISORY AUTHORITY
If data protection incidents occur in the company, the supervisory authority turns to the data protection officer. His task is to act as an interface and mediator between the controller and the respective authority.
At the same time, however, the supervisory authorities also advise and support the data protection officer in the matters that typically arise. In other words, if questions remain unclear, help can always be sought from the supervisory authority.
CONTACT PERSON FOR DATA SUBJECTS
Usually the data protection officer is the first point of contact for data subjects wishing to exercise their rights. In doing so, it is important to keep an eye on all deadlines and requirements that are defined in the law.
INTERNAL OR EXTERNAL DATA PROTECTION OFFICER?
The position of data protection officer within the company can be performed by an internal employee or externally by a service provider. Both variants have their advantages and disadvantages, which are outlined in the following table:
| | External data protection officer | Internal data protection officer |
|---|---|---|
| Expertise | Certified data protection officers with existing expertise that can be called upon directly at any time | Time-consuming and costly further training measures to acquire specialist knowledge |
| Position in the company | Neutral person in the company towards internal parties (employees) and external parties (data subjects, supervisory authorities) | Possible conflicts of interest (e.g. “company blindness”, acceptance by other employees) |
| Costs | Transparent cost structure through contractually fixed prices | Non-transparent cost structure. In addition to the regular salary of the employee, there are additional costs for the proof of expertise (e.g. regular further training) |
| Liability | The principles of limited employee liability do not apply | Liability within the scope of limited employee liability |
| Protection against dismissal | The appointment of the external service provider as data protection officer may be terminated in due time in accordance with the respective contract. | Dismissal only for important reasons |
| Induction | Training period in the operating procedures necessary. | Operational procedures of the company are roughly known. |
The appointment of an employee in the company as data protection officer is linked to a number of requirements. First of all, the necessary working time must be made available for this activity. As a result, the employee will no longer be able to perform all the tasks previously assigned to his or her area of responsibility. In order to prove the required expertise, it is necessary that the employee is regularly trained and has access to specialist literature. At the same time, the employee receives special protection against dismissal.
In contrast, external data protection officers are qualified, certified data protection experts whose specialist knowledge has been tested many times. They are available to the company as service providers. The expertise available guarantees the best protection for your company and thus protects you from high fines.