An external data protection officer (DPO) is bound by the same legal obligations under the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) as an internal one; the difference is that the external DPO performs the tasks on the basis of a service contract (Article 37 paragraph 6 GDPR). These obligations are designed to ensure data protection compliance within the company and to protect the rights and freedoms of the data subjects. One point applies to all of them: the DPO advises and monitors, but responsibility for lawful processing remains with the company as controller (Article 24 GDPR). The most important legal obligations of an external data protection officer are described in detail below:
Advice and information
The DPO has the duty to advise and inform the company and employees on data protection issues. This includes clarification of data protection obligations and support in the implementation of the GDPR and the BDSG. The DPO must ensure that all parties involved are informed of their rights and obligations when dealing with personal data (Article 39 paragraph 1 letter a GDPR).
Monitoring compliance with data protection regulations
The DPO must monitor compliance with the GDPR, the BDSG and the company's internal data protection policies. This includes regular reviews of the company's data protection measures and processes, including the assignment of responsibilities. The DPO checks whether data processing is carried out in accordance with legal requirements and whether the necessary technical and organizational measures to secure personal data are in place, and reports shortcomings to the company's highest management level (Article 39 paragraph 1 letter b and Article 38 paragraph 3 GDPR).
Conducting data protection impact assessments (DPIA)
For data processing operations that are likely to result in a high risk to the rights and freedoms of data subjects, the company as controller must carry out a data protection impact assessment (DPIA) before the processing begins (Article 35 paragraph 1 GDPR). The DPO does not carry out the DPIA itself: the controller must seek the DPO's advice when carrying it out (Article 35 paragraph 2 GDPR), and the DPO advises on the assessment and monitors its performance (Article 39 paragraph 1 letter c GDPR). This includes advising on the identification and evaluation of the risks and on appropriate measures to minimize them, and checking that the DPIA is properly documented and reviewed when the risk of the processing changes (Article 35 paragraph 11 GDPR).
Cooperation with the supervisory authority
The DPO is obliged to cooperate with the competent data protection supervisory authority and acts as the company's contact point for the authority (Article 39 paragraph 1 letters d and e GDPR). This includes communication and coordination with the authority in the event of requests, audits and investigations. The DPO must ensure that the company responds to requests from the supervisory authority in a timely and comprehensive manner and provides all necessary information. The name and contact details of the DPO must be published by the company and communicated to the supervisory authority (Article 37 paragraph 7 GDPR).
Documentation and reporting
The obligation to document data protection-relevant processes and measures lies with the company as controller or processor: it must keep the record of processing activities (Article 30 GDPR) and must be able to demonstrate compliance with the data protection principles (Article 5 paragraph 2 GDPR). The DPO supports the company in this and checks the documentation as part of the monitoring task (Article 39 paragraph 1 letter b GDPR). This covers the creation and maintenance of the record of processing activities, the documentation of data protection impact assessments and the recording of all data protection audits and monitoring. The documentation serves as proof of compliance with data protection regulations and must be made available to the supervisory authority upon request (Article 30 paragraph 4 GDPR).
Support in safeguarding the rights of data subjects
The DPO must monitor whether the rights of the data subjects are safeguarded. These include the right of access, rectification, erasure, restriction of processing, data portability and objection (Articles 15 to 22 GDPR). Data subjects may contact the DPO on all issues related to the processing of their personal data and the exercise of their rights (Article 38 paragraph 4 GDPR). Responding to requests remains the company's task: it must answer without undue delay and in any event within one month of receipt, extendable by a further two months for complex or numerous requests (Article 12 paragraph 3 GDPR). The DPO checks that requests are handled promptly and that these statutory deadlines are met.
Development and implementation of data protection strategies
The DPO advises on the development and implementation of data protection strategies and concepts. This includes defining policies and procedures for handling personal data and implementing technical and organizational measures to protect the data. The duty to implement such measures and to demonstrate compliance rests with the company as controller (Article 24 GDPR), which must also build data protection into its processing by design and by default (Article 25 GDPR). The DPO's role is to make sure that data protection is taken into account as an integral part of the company's strategy and processes.
Regular review and adjustment of data protection measures
The DPO must regularly review the existing data protection measures and recommend adjustments where necessary. This includes the ongoing evaluation of the effectiveness of the data protection measures and the identification of opportunities for improvement. The company as controller or processor must implement security measures appropriate to the risk and regularly test, assess and evaluate their effectiveness (Article 32 paragraph 1 letter d GDPR); the DPO checks that these measures keep pace with current legal requirements and technological developments.
Raising awareness and training employees
The DPO has the duty to regularly train and sensitize the employees involved in processing personal data. This includes conducting training courses and workshops to raise awareness of data protection issues and to inform employees about their obligations when handling personal data. Well-informed employees are an essential part of effective data protection management (Article 39 paragraph 1 letter b GDPR).
In summary, an external data protection officer has numerous legal obligations aimed at ensuring data protection compliance within the company and protecting the rights of the data subjects. The DPO performs these tasks with due regard to the risk associated with the processing (Article 39 paragraph 2 GDPR), but does not take over the company's own responsibility: fines and claims for unlawful processing are directed at the controller, not at the DPO. Compliance with these obligations is nevertheless crucial to minimising legal risks and strengthening the trust of the data subjects in the handling of their data.