Liability of the internal data protection officer

Date of publication

Management should keep an eye on their internal data protection officers and be informed about the current status of data protection. A sleepy head can quickly become a problem for management.

Image
Ein Buch mit einem gelben Postit

Competence

Exactly five months have passed since May 25, 2018, when the General Data Protection Regulation (GDPR) became applicable. One of my many lessons learned is that not all DPOs in companies are aware of their duties. It is possible that someone does not have the necessary expertise. Or perhaps one or the other person has simply been thrust into this role?

If a responsible party simply imposes the role of DPO on an employee, he should keep in mind that ultimately he himself always remains responsible according to the GDPR. Management is also responsible for the actions (or inactions) of the DPO.

With this legal obligation, every responsible party should ensure the competence of the DPO by providing him with continuous training. Only then will the DPO be able to implement his tasks in compliance with the GDPR.

Liability

Either way, the management is always the responsible person in the sense of the GDPR who is responsible for data protection-relevant events, not the DPO. The DPO is only responsible for ensuring that the GDPR and the BDSG are implemented in the company. Only if the DPO acts with gross negligence or intent is he or she subject to limited liability as an employee. Then the German Civil Code (BGB) applies. With an external DPO, the situation is quite different.

Liability of the external data privacy officer

The external data protection officer shall be liable for any fault in connection with the performance of his duties.

"The data protection officer shall be appointed on the basis of his professional qualifications and, in particular, the expertise he possesses in the field of data protection law and practice, as well as on the basis of his ability to perform the tasks referred to in Article 39 GDPR." Art. 37(5) GDPR

The DPO's responsibilities include:

  • Informing and advising the controller
  • Monitoring compliance with the GDPR
  • Raising awareness and training employees
  • Advice in connection with the data protection impact assessment

Conclusion

When it comes to liability issues, the advantage clearly lies with the appointment of an external data protection officer, who also has the necessary expertise per se.

Profile picture for user DeepL

DeepL is a deep learning company that develops AI systems for languages. The company, based in Cologne, Germany, was founded in 2009 as Linguee, and introduced the first internet search engine for translations. Linguee has answered over 10 billion queries from more than 1 billion users.

Profile picture for user manfred.woeller

Manfred Wöller

Manfred Wöller is a TÜV-certified data protection officer who makes data protection requirements technically feasible as part of the team. He is also a passionate vegan cook who takes care of the physical well-being at community events.