The legal basis for the appointment of an external data protection officer (DPO) is laid down in the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). These laws determine the conditions under which a company must appoint a DPO and the requirements for their qualifications and tasks.
General Data Protection Regulation (GDPR)
According to Article 37(1) GDPR, certain companies and organizations must appoint a data protection officer. This obligation applies to:
- Public bodies and authorities : These must always appoint a DPO, regardless of the type of data processed (the only exception being courts acting in their judicial capacity).
- Companies whose core activities require the regular and systematic monitoring of data subjects on a large scale : For example, companies that profile or track individuals' behaviour at scale. Merely processing large volumes of personal data is not sufficient; the decisive factor is that monitoring is a core activity.
- Companies whose core activity consists in the processing of special categories of personal data on a large scale : These include data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health and data concerning sex life or sexual orientation (Article 9 GDPR), as well as data relating to criminal convictions and offences (Article 10 GDPR).
Federal Data Protection Act (BDSG)
In addition to the GDPR, Section 38 of the BDSG stipulates that companies that, as a rule, permanently employ at least 20 people in the automated processing of personal data must appoint a DPO. This threshold applies regardless of the type of data processed and supplements the requirements of the GDPR. Irrespective of headcount, Section 38 BDSG also requires a DPO where the company carries out processing that is subject to a data protection impact assessment under Article 35 GDPR, or where it processes personal data commercially for the purpose of transfer, anonymised transfer, or market or opinion research.
Qualification requirements
Article 37(5) GDPR stipulates that the data protection officer must be designated on the basis of his or her professional qualities and, in particular, expert knowledge of data protection law and practice, together with the ability to fulfil the tasks set out in Article 39 GDPR. This means that the DPO must have in-depth knowledge of the relevant data protection laws and practical experience in the implementation and monitoring of data protection measures. Article 37(6) GDPR expressly allows the DPO to be either a member of staff or an external person acting under a service contract; this provision is the legal basis for appointing an external DPO.
Tasks of the Data Protection Officer
Article 39 GDPR sets out the tasks of the DPO, which include informing and advising the company and its employees of their data protection obligations, monitoring compliance with data protection regulations (including the assignment of responsibilities, awareness-raising, staff training and related audits), providing advice on data protection impact assessments (DPIAs) and monitoring their performance, and cooperating with and acting as the contact point for the supervisory authority. Note that responsibility for actually carrying out a DPIA remains with the controller; the DPO advises on it and monitors it but does not replace the controller's obligation.
In summary, the GDPR and the BDSG form the legal basis for the appointment of an external data protection officer. Companies must ensure that they meet the legal requirements, appoint a suitably qualified DPO and clearly define the DPO's tasks and responsibilities.