The data protection officer (DPO) of a company is an internal supervisory authority or monitoring body that performs the tasks as defined by the GDPR.
The law therefore places special requirements on the person of the DPO. Art. 39 GDPR states: "The data protection officer shall be appointed on the basis of his or her professional qualifications and, in particular, the expertise he or she possesses in the field of data protection law and practice, and on the basis of his or her ability to perform the tasks referred to in Article 39".
An unsuitable data protection officer is considered "not appointed". This can have serious consequences for the responsible body, usually the company management. In addition to fines due to the formal omission, any technical deficiencies may also result in further violations that can be punished.
To date, several lawsuits have been conducted on the topics of expertise and persons to be appointed. Particularly noteworthy is the so-called "Ulm decision" (also known as the "Ulm judgment") of the Regional Court of Ulm (Ref.: 5T 153/90-01 LG Ulm). The requirements stated therein are considered to be trend-setting in data protection.
In addition to the basic statement that the work of a data protection officer corresponds de facto to a job description, special requirements were formulated for the holder of this position:
In order to be able to assess the subject area of automated data processing and its technical and organizational measures comprehensively, the officer should, or indeed must, be a computer expert. He or she must also be able to apply the provisions of the federal and state data protection laws and all other legal provisions relating to data protection.
Although these requirements can often be fulfilled by internal staff, e.g. senior employees, a conflict of interest often arises. If, for example, the head of the HR or IT department is appointed DPO, he or she would have to audit his or her own specifications and decisions (sometimes unannounced!) while remaining free from instructions in his or her work as data protection officer.
As this is generally not objectively possible, managing directors and senior executives are excluded as data protection officers.
Another criterion for selecting an internal data protection officer is availability. In addition to the basic training and examination required at the outset, regular further training is mandatory. Officers who take on this demanding task alongside their actual area of responsibility often run into time bottlenecks if they are already heavily involved in their main job.
In many cases, external consultants are a good option as they can provide the appropriate experience and expertise from the outset. There is also no need for additional time and training or the special protection against dismissal that is customary for employees. In addition to specialist knowledge and personal suitability, external consultants must also be able to integrate themselves into the organizational structure.