With regard to Para. 4 f German Federal Data Protection Act, companies, contractors or freelancers need to appoint a data protection official. This rule applies if at least a group of 10 people is processing personal data by means of data processing systems. Furthermore, this rule applies if a group of at least 20 people is processing data via a non-automated filing system (i.e., registries, any type of data collections using predefined formulas). In so far as private bodies carry out automated processing operations which are subject to prior checking or process personal data in the course of business for the purposes of transfer, anonymized transfer, or market or opinion research, they are to appoint a data protection official irrespective of the number of persons deployed to carry out automatic processing.
What qualities does a data protection official need?
The data protection officer (or also "official") can only be an individual, i.e. not a legal entity. It is not required by the German Federal Data Protection Act to have more than one data protection officer. To appoint the manager as the data protection official of his own corporation is not possible, even if he is interested in this subject area. This would run counter to the basic principle of the law according to which the data protection official is especially appointed to advising and supporting the management in questions regarding data protection ("staff unit" Para. 4 f section 3 Sentence 1 German Federal Data Protection Act). The data protection official should be appointed due to his specialized knowledge and reliability, thus he should gain specialized knowledge prior to his appointment.
What are the responsibilities of a data protection official?
The data protection official has a wide area of responsibility. His main responsibility is to ensure compliance with data protection provisions within his corporation. He can do that for example by a data protection juridical training of the staff of his organization. An understanding about the data processing operations is important as well to be able to monitor them in a transparent way.
When is it needed to register data processing?
Basically two business areas are subject to registration with the BayLDA as data protection supervisory authority: On the one hand the data storage for the purpose of transfer, i.e. to trade with personal data, as is the case with credit inquiry agencies and address traders, and on the other hand the data storage for the purpose of anonymized transfer, that is the activities of market research institutes, opinion research institutes and social research institutes. Under § 38 sect. 2 German Federal Data Protection Act the BayLDA maintains a register of the automated processing operations of data controllers based in Bavaria which are subject to obligatory registration in accordance with § 4d.
Where do I get more information about the job as data protection official
Further information regarding to the duties of an data protection officer can be found in the following documents: