ANALYSIS: German Data Protection Authorities’ Resolution On Minimum Requirements For Data Protection Officers
By Michael Schmidl, of Baker & McKenzie, Munich, and Michael Kalbfus, Assessor Iuris.
Section 4f (1) of the German Federal Data Protection Act (“FDPA”) requires data protection officers (“DPOs”) to have a minimum level of special knowledge of data protection legislation, data processing and information technology, and to be personally reliable, but it gives no further guidance on what these requirements mean in practice. As a consequence, there has been considerable uncertainty about the minimum requirements a DPO has to fulfill.
To rectify this situation, the Düsseldorfer Kreis (the body of the German data protection authorities for the non-public sector, “DPAs”) issued a resolution on minimum requirements for DPOs on November 24/25, 2010. In it, the DPAs published criteria which, when met, certainly satisfy the requirements of Section 4f (2) FDPA relating to the DPO’s special knowledge and personal independence, and the conditions that must exist within the responsible body to ensure the DPO’s technical qualification and independence.
This article undertakes firstly to summarize all important general information about DPOs that companies should know, and secondly to show criteria for the selection of DPOs in consideration of the resolution of the DPAs on the minimum requirements for DPOs.
General Information about DPOs
Obligation to Appoint a DPO
According to Section 4f (1) FDPA, any company (“Controller”) processing personal data automatically (e.g., using CRM, ERP or other database software) and permanently employing more than nine persons in the automated processing of personal data is legally required to appoint a DPO in writing within one month of the commencement of its activities. Companies that do not reach this threshold may also appoint a DPO voluntarily. That can be an advantage, because a Controller with a DPO is not legally required to register its processing of personal data with the competent DPA; it is exempted from the majority of the notification obligations under the FDPA.
The DPO shall work to ensure the Controller’s compliance with the FDPA and with other data protection provisions. DPOs also support the integrity of the company’s IT security and, in this function, can help identify potential security threats at an early stage.
A Controller can either appoint an employee or an external person (arguably also a legal entity) as DPO. Both options have certain advantages.
Appointing an internal DPO avoids an external third party gaining detailed knowledge about the Controller. An internal DPO knows the Controller’s internal structure and is closer to the Controller’s actual problems.
The main advantage of an external DPO is generally the external DPO’s professionalism. An external DPO specializes in providing such services and brings the benefit of broad experience. This specialization allows an external DPO to focus on the latest developments in data protection law and IT security.
Should a company have several affiliates in Germany, the appointment of an external DPO might be more cost-efficient than appointing several internal DPOs.
Also, the appointment of an internal DPO may be revoked for cause only, e.g., if there is proof that the DPO does not have the required knowledge and is not personally reliable. Furthermore, after an internal DPO has been recalled, his employment may not be terminated for one year following the end of his appointment, unless the Controller has just cause to terminate without notice. By contrast, revoking the appointment of an external DPO is much easier and depends on the provisions of the relevant service contract; the legislation on termination protection for employees does not apply to an external DPO.
Duties of the DPO
DPOs have the task of overseeing the relevant company’s compliance with applicable data protection law. According to Section 4g FDPA, the DPO shall in particular:
- monitor the proper use of data processing programs used to process personal data; for this purpose, the DPO shall be informed in good time of projects for the automated processing of personal data; and
- take appropriate measures to familiarize persons employed in the processing of personal data with the provisions of the FDPA and other data protection provisions.
Furthermore, the DPO is under the obligation to notify the DPA if the DPO has doubts about the legality of data processing activities that bear particular risks for data subjects, under Section 4d (6) FDPA.
Where no general notification requirement exists (i.e., where a Controller has appointed a DPO), the DPO shall, on request, provide anyone with a register of the processing procedures carried out in the company (Verfahrensverzeichnis). This register must essentially consist of a list of the categories of data processed, the purposes of processing and the possible recipients of personal data. The DPO must produce the register on the basis of the internal register of processing procedures (internes Verfahrensverzeichnis), which the Controller has to make available to the DPO.
Finally, the DPO shall be responsible for the prior checking required where automated data processing activities bear particular risks for the rights and personal freedoms of the data subject (in this case, processing activities shall be examined before processing starts). This preliminary check shall be carried out once the DPO has received the internal register of processing procedures mentioned above.
Minimum Requirements for DPOs
Section 4f (2) FDPA provides the minimum requirements for DPOs. It reads as follows:
Whether a DPO fulfills these requirements must be evaluated by the Controller and not by the authorities. This is a risk for the Controller: if the DPO does not fulfill the requirements, the Controller is regarded as not having appointed a DPO at all, and in such a case a fine can be imposed on Controllers which are obliged to appoint one.
As noted above, the DPAs issued a resolution on minimum requirements for DPOs. In it, the DPAs published the following criteria, which, when met, certainly satisfy the requirements of Section 4f (2) FDPA relating to the DPO’s special knowledge and personal independence, and the conditions that must exist within the responsible body to ensure the DPO’s technical qualification and independence.
Technical Knowledge Required under Section 4f (2) FDPA
Section 4f (2) specifies that a DPO must have the necessary expertise and reliability. Accordingly, a DPO must have at least the following knowledge of data protection legislation and must possess the following technical and organizational skills. With the resolution on minimum requirements for DPOs, the Düsseldorfer Kreis concretized these requirements as follows:
Knowledge of Data Protection Legislation in General
- basic knowledge of constitutionally guaranteed privacy rights of individuals concerned and staff of the responsible entity
- comprehensive knowledge of the content and legal application of the relevant provisions of the FDPA, including those of a technical and organizational nature
- knowledge of the scope of the relevant data protection and technical rules, data protection principles and data security requirements, especially according to Section 9 FDPA…