Fachbücher zu Daten­schutz und IT-Sicher­heit finden Sie hier.
  1. Home
  2. Data protection
  3. Data protection officer

Criteria for selecting a data protection officer

The data protection officer (DPO) of a company is an internal supervisory authority or monitoring body that performs the tasks as defined by the GDPR.
The law therefore places special requirements on the person of the DPO. Art. 39 GDPR states: "The data protection officer shall be appointed on the basis of his or her professional qualifications and, in particular, the expertise he or she possesses in the field of data protection law and practice, and on the basis of his or her ability to perform the tasks referred to in Article 39".

 

An unsuitable data protection officer is considered "not appointed". This can have serious consequences for the responsible body, usually the company management. In addition to fines due to the formal omission, any technical deficiencies may also result in further violations that can be punished.

To date, several lawsuits have been conducted on the topics of expertise and persons to be appointed. Particularly noteworthy is the so-called "Ulm decision" (also known as the "Ulm judgment") of the Regional Court of Ulm (Ref.: 5T 153/90-01 LG Ulm). The requirements stated therein are considered to be trend-setting in data protection.

In addition to the basic statement that the work of a data protection officer corresponds de facto to a job description, special requirements were formulated for the holder of this position:

In order to be able to assess the subject area of automated data processing and its technical and organizational measures comprehensively, the officer should or must be a computer expert. He or she must also be able to apply the provisions of the federal and state data protection laws and all other legal provisions relating to data protection,

  • have knowledge of the company organization,
  • have the didactic skills to conduct training courses,
  • have psychological empathy,
  • be able to organize, and
  • be able to deal appropriately with conflicts concerning their person, function and task.

Although these requirements can often be fulfilled by internal staff, e.g. senior employees, a conflict of interest often arises. If, for example, the head of the HR or IT department is appointed DPO, he or she must also check his or her own requirements and decisions (sometimes unannounced!) and be exempt from instructions in his or her work as data protection officer.

As this is generally not objectively possible, managing directors and senior executives are excluded as data protection officers.

Another criterion for selecting an internal data protection officer is availability. In addition to the training required for basic training and testing, regular further training is mandatory. Officers who take on this demanding task alongside their actual area of responsibility often run into time bottlenecks if they are already heavily involved in their main job.

In many cases, external consultants are a good option as they can provide the appropriate experience and expertise from the outset. There is also no need for additional time and training or the special protection against dismissal that is customary for employees. In addition to specialist knowledge and personal suitability, external consultants must also be able to integrate themselves into the organizational structure.

© 2011–2024 GINDAT GmbH

About Cookies

This website uses cookies. Those have two functions: On the one hand they are providing basic functionality for this website. On the other hand they allow us to improve our content for you by saving and analyzing anonymized user data. You can redraw your consent to to using these cookies at any time. Find more information regarding cookies on our Data Protection Declaration and regarding us on the Imprint.
Mandatory

These cookies are needed for a smooth operation of our website.

Name Purpose Lifetime Type Provider
CookieConsent Saves your consent to using cookies. 1 year HTML Website
fe_typo_user Assigns your browser to a session on the server. session HTTP Website
PHPSESSID Temporary cookies which is required by PHP to temporarily store data. session HTTP Website
__cfduid missing translation: trackingobject.__cfduid.desc 30 missing translation: duration.days-session HTTP Cloudflare/ report-uri.com
Statistics

With the help of these statistics cookies we check how visitors interact with our website. The information is collected anonymously.

Name Purpose Lifetime Type Provider
_pk_id Used to store a few details about the user such as the unique visitor ID. 13 months HTML Matomo
_pk_ref Used to store the attribution information, the referrer initially used to visit the website. 6 months HTML Matomo
_pk_ses Short lived cookie used to temporarily store data for the visit. 30 minutes HTML Matomo
_pk_cvar Short lived cookie used to temporarily store data for the visit. 30 minutes HTML Matomo
MATOMO_SESSID Temporary cookies which is set when the Matomo Out-out is used. session HTTP Matomo
_pk_testcookie missing translation: trackingobject._pk_testcookie.desc session HTML Matomo