What is a data protection officer? DPO obligation or not?

A data protection officer (DPO) is mandatory for companies in which 20 or more people are regularly engaged in automated processing of personal data, which in practice covers typical office work. The Bundestag recently debated this obligation. Why is the officer called an "officer" (in German: Beauftragter, a commissioned representative)? The answer to this question is also the way out of the arbitrary compulsory appointment of the DPO.

Introduction

Every company of a certain size needs a data protection officer. At least, this applies if at least 20 employees are regularly engaged in digital (automated) processing of personal data.

This threshold of 20 employees is defined in § 38 BDSG (BDSG = Bundesdatenschutzgesetz, the German Federal Data Protection Act). Previously, the threshold was 10 employees.

The legislator cannot be blamed for drawing a line it considers sensible. A legally established threshold is always arbitrary in itself. This also applies, for example, to tax rates and the income brackets at which they apply, and to the tax system as a whole.

A threshold is nevertheless cause for reflection. Especially when that threshold

a) did not initially exist at EU level (GDPR),

b) was then set at 10 employees in Germany,

c) was then set at 20 employees in Germany,

d) was then to be abolished, but was not abolished after all.

What would it be like to have no threshold at all?

The data protection officer as an option rather than a constraint

The DPO is mandatory for many companies. This is good for the DPO and usually also good for data protection. In any case, it usually does no harm that a DPO exists. This needs some qualification, because there are known cases in which a DPO's incorrect opinion has led to bad outcomes.

Whether it is this hopefully rare misjudgement by DPOs that is responsible for the serious data protection violations on most German websites, or whether it is clients' resistance to advice, is beside the point. Normally, the advisor is right, even if he is not called an advisor but an officer.

If data protection officers were not mandatory, would companies still appoint them?

It can often be observed that even the smallest companies appoint a DPO even though they are not required to do so. It can also be assumed that larger companies would appoint a DPO of their own accord, even if they were not required to. What would it look like if an authority (which in practice does not impose fines) were to visit a company and find that nobody there was taking dedicated care of data protection?

What does the DPO actually do?

A good question, which will only be answered in part here.

The DPO is primarily a consultant. Many DPOs provide their clients with an information package at the beginning of their engagement, which often includes training offered via video, presentation or written guidelines. An initial interview usually takes place at the beginning as well. In it, the particularities of the data processing carried out by the client as controller are clarified.

In the event of a data breach, the DPO is involved. Likewise, when data subjects exercise their right of access (Art. 15 GDPR). The DPO is also a good point of contact for specialist questions and gives the client pointers where appropriate.

The data protection officer, at least, does not appear to be a processor (Art. 4(8) and Art. 28 GDPR); the designation of the DPO itself is governed by Art. 37 GDPR.

Proposal: a different motivation for appointing a DPO

What would it be like if violations of binding data protection rules were finally sanctioned? Such rules can be found in the GDPR (a regulation) and in the TDDDG (formerly TTDSG) and the BDSG (statutes). But nobody is really interested in what goes wrong on the internet. At least not in Germany.

Data protection authorities simply do not impose sanctions. The extremely few cases in which fines have been imposed in Germany are not worth mentioning.

In Germany, the most common data protection breach has not been sanctioned once to date.

Not a single time = zero, or at least within an epsilon neighbourhood of zero.

The most frequent data protection violation, which is also the easiest to prove, has been sanctioned exactly zero times. It consists of unlawful web tracking, including unlawful cookies. Should someone find a case: whether zero or five, it amounts to zero when set against the millions of breaches that occur on the internet in Germany every day. A quick mathematician would say: the number of sanctions lies within an epsilon neighbourhood of zero.

If it weren't for the consumer advice centres and individuals like Max Schrems, who has brought about far-reaching ECJ rulings, it feels as if nothing would happen in Germany. Except that the authorities would keep issuing new recommendations and announcing audits, which they would then carry out, discovering that things are not quite right. After that, the authorities' staff return to other, more pleasant activities. Nobody wants to make themselves unpopular. Or, like one head of unit at the Hessian Data Protection Commissioner, they think about retirement, which is only the blink of an eye away (this was communicated to me first-hand and repeatedly). It is therefore not surprising that Google Analytics is regarded as harmless by this authority, and that sexual preferences, revealed through the purchase of sex toys, are not seen as data worthy of protection.

Quiz question: What is the difference between a tax consultant and a data protection officer?

Some possible answers for this quiz question, leaving aside the technical focus of both professions:

  1. The tax consultant is called a consultant; the data protection officer is called an officer (a commissioned representative).
  2. The tax consultant is not mandatory, but the data protection officer often is.
  3. The tax consultant is typically engaged even though this is not mandatory; the data protection officer typically is not, unless it is mandatory.
  4. There is rarely a "self-confident" argument with the tax consultant, but there is with the data protection officer ("Can't we just put Google Analytics on our website? Nothing will happen anyway!").

Tax consultant versus data protection officer

In terms of their role, a tax consultant has a lot in common with a data protection officer. Both are consultants; only one of them is called an officer. Both are expected to do all sorts of things, which are communicated in the form of all sorts of documents. Neither is a processor (certain activities of a tax consultant are to be assessed differently). Both are liable if they do not do their job properly, and especially if they do not advise their clients properly. Both cost money. Neither contributes anything to a company's productivity; they "only" help it meet legal requirements.

Why does my company have a tax consultant even though it is not mandatory? Why does no company in the town (12 companies) have a data protection officer?

The answer is: because the tax consultant is needed to avoid getting into trouble with the tax office. The data protection officer, by contrast, does not help you stay out of trouble, because there is no such trouble.

Who's afraid of the big bad wolf?

Nobody, if the big bad wolf is a data protection authority.

Everybody, if the big bad wolf is the tax office.

DPO versus tax consultant

The main difference between the voluntarily engaged tax consultant and the often compulsory data protection officer is this: handling tax data takes place under a credible threat of sanctions, whereas handling personal data has no consequences at all, as long as you don't act completely stupidly.

Authorities in Germany do not sanction. The Hessian data protection authority has no desire to sanction. Hesse is a reliable example, because statements from representatives of the authority were received in person, and proceedings took place right on my own doorstep. Other authorities are more engaged but have very little staff. In this context, one could once again call for the abolition of federalism!

So the proposal in this article is:

  • There should be no obligation to appoint data protection officers.
  • Instead, the authorities should finally start imposing sanctions and fines for online violations.
  • Secondary, but a nice detail (DPO -> tax consultant): the data protection officer should be called a data protection consultant, or at least be regarded, by analogy with the tax consultant, as a consultant rather than an officer.

This solves several problems at once:

  • There is no arbitrary employee threshold for a mandatory appointment. The Bundestag has time for other tasks.
  • Data protection officers are finally taken seriously everywhere.
  • Data protection becomes added value.
  • Unlawful use of platforms such as Facebook or Instagram, and of plugins such as those from Google or Meta, is finally penalised, namely on the side of those who use them unlawfully. It is likely that Google or Meta themselves would soon have to follow.

Conclusion

The data protection market is sick. That is due to the absence of sanctions and nothing else. The blame for all these cookies and cookie pop-ups, by the way, lies not with the GDPR but with corporations like Google and Meta, which are also members of Bitkom (the German IT industry association), alongside Microsoft and the other usual suspects.

The GDPR supposedly gives data subjects many rights. But when it comes to claiming these rights, things become problematic.

For one thing, German data protection authorities have either no desire or no staff to impose sanctions.

For another, every little detail has to be litigated in German courts over whether the GDPR was really meant that way. In other words: is it really intended that someone not only has the right not to have their data misused, but can also insist on that right and demand an injunction?

So some things really go too far. Where would we end up if everyone had rights? To top it all off, we could remove the obligation to appoint a data protection officer without anyone noticing. Or, just for fun, make tax consultants compulsory and rename them tax officers.

Key messages

Companies in which 20 or more employees are regularly engaged in automated data processing are required to appoint a data protection officer (DPO).

Data protection laws in Germany are largely ignored and not enforced, leading to a lack of accountability for companies that violate them.

The article argues that the lack of real consequences for violating data protection laws is what's making the system ineffective.

About the author on dr-dsgvo.de

My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert witness in IT and data protection. I achieve my results by looking at both technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimised and secure AI solutions.
