Although the General Data Protection Regulation (GDPR) came into force in 2018, many companies are still unsure whether their data protection measures meet the current legal requirements. One element of the GDPR's package of obligations is the appointment of a data protection officer. This article examines when a company is generally obliged to appoint a data protection officer and what consequences may arise if the company fails to do so.
Which companies usually have to appoint a data protection officer?
According to Art. 37 GDPR, a data protection officer must be appointed if the core activity of the company consists in carrying out processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or if the core activity of the company consists in the large-scale processing of special categories of data pursuant to Article 9 (personal data revealing racial or ethnic origin, political opinions, religious or ideological beliefs or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation) or of personal data relating to criminal convictions and offences pursuant to Article 10. In particular, this covers companies whose core activities lie in scoring, headhunting or profiling, market or opinion research, and security and surveillance. Social media companies and insurance companies may also fall into this category. Data within the meaning of Art. 9 GDPR is processed primarily by doctors' offices, hospitals and laboratories.
In addition, under Section 38 of the Federal Data Protection Act (BDSG), non-public bodies must appoint a data protection officer if, as a rule, at least 20 persons in the company are constantly involved in the automated processing of personal data. "Automated processing" means any IT-supported data processing; this includes computers, network systems, video surveillance systems, tablets, smartphones, etc. "As a rule" and "constantly" mean that the activity must be a permanent part of the job rather than something carried out only briefly or temporarily, i.e. it must reflect the "normal" professional state. This typically includes clerks, sales staff, IT staff and employees in the human resources and finance departments. Mere access to stored data for the purpose of using it is sufficient.
It should be noted that the law also provides for an obligation to appoint a data protection officer under other, more specific conditions, but these go beyond the scope of an initial overview.
According to Article 37, Paragraph 7 of the GDPR, the contact details of the data protection officer must be published and communicated to the supervisory authority.
What are the consequences if, in violation of this obligation, no data protection officer is appointed?
According to Article 83(4) GDPR, infringements of the obligation to appoint a data protection officer may be subject to fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
The above information is intended only as an initial overview of the topic. Depending on the individual case, the obligations and rights may differ significantly. If you have any questions or need advice, please feel free to contact us.
Marc Conrad
Lawyer
E-Mail: Conrad@kmbpartner.de
0621 4250890