A data protection officer (DPO) is mandatory for companies that employ 20 or more people in typical office work. The Bundestag recently debated this obligation. Why is the officer an "officer" (in German a Beauftragter, literally a commissioned representative) rather than an advisor? The answer to this question is also the solution to the arbitrary compulsory appointment of the DPO.
Introduction
Every company of a certain size needs a data protection officer. At least this applies if at least 20 employees are regularly engaged in digital (automated) data processing.
This threshold of 20 employees is defined in § 38 BDSG (BDSG = Bundesdatenschutzgesetz, the German Federal Data Protection Act). Previously, the threshold was 10 employees.
The legislator cannot be blamed for drawing a line where he considers it sensible. A legally established threshold is always arbitrary in itself. This also applies, for example, to tax rates and the brackets at which they apply, as well as to the entire tax system itself.
Setting a threshold is cause for reflection, especially when that threshold
a) did not initially exist at EU level (GDPR),
b) was then set at 10 employees in Germany,
c) was then set at 20 employees in Germany,
d) was then to be abolished, but was not abolished after all.
What would it be like to have no threshold at all?
The data protection officer as an option rather than a constraint
The DPO is mandatory for many companies. This is good for the DPO and usually also good for data protection. In any case, it usually does no harm that the DPO exists. This needs some qualification, because cases are known in which a DPO's wrong opinion leads to bad results.
Whether it is this hopefully rare misjudgment by DPOs that is responsible for serious data protection violations on most German websites, or whether it is clients' resistance to advice, is beside the point. Normally, the advisor is right, even if he is not called an advisor but a representative (Beauftragter).
If data protection officers were not mandatory, would companies still appoint them?
It can often be observed that even the smallest companies appoint a DPO even though they are not required to do so. It can also be assumed that larger companies would appoint a DPO of their own accord, even if they were not required to do so. What would it look like if an authority (which in practice does not impose fines) were to visit a company and see that no one there was taking dedicated care of data protection?
What does the DPO actually do?
A good question, which will only be answered in part here.
The DPO is primarily a consultant. Many DPOs provide their clients with an information package at the beginning of their activity, which often includes training offers provided via video, presentation or guidelines. Similarly, an initial interview usually takes place at the beginning. In it, the specifics of the data processing carried out by the client as controller are clarified.
In the event of a data breach, the DPO is involved. Likewise, when data subjects exercise their right of access (Art. 15 GDPR). The DPO is also a good point of contact for specialist questions and provides his client with hints where this is appropriate.
At least the data protection officer does not appear to be a processor in the sense of commissioned processing (Art. 37 GDPR).
A proposal for motivating DPO appointments
What would it be like if violations of binding data protection rules were finally sanctioned? Such rules can be found in the GDPR as a regulation and in the TDDDG (formerly TTDSG) and BDSG as laws. But nobody is really interested in what goes wrong on the internet. At least not in Germany.
Data protection authorities simply do not impose sanctions. The extremely few cases in which fines have been imposed in Germany are not worth mentioning.
In Germany, the most common data protection breach has not been sanctioned once to date.
Not a single time = zero, or an epsilon neighbourhood of zero.
The most frequent data protection violation, which is also the easiest to prove, has been sanctioned exactly zero times. It involves unlawful web tracking, including unlawful cookies. In case someone finds a case: whether zero or five, it amounts to zero when set against the millions of data breaches that occur on the internet in Germany every day. The quick mathematician would say: the number of sanctions lies within an epsilon neighbourhood of zero.
If it weren't for the consumer advice centre and individuals like Max Schrems, who has brought about far-reaching ECJ rulings, it feels as though nothing would happen in Germany. Except that the authorities would keep issuing new recommendations and announcing that they would carry out audits, which they would then carry out and discover that things are not quite right. After that, the employees of the authorities go back to other, more pleasant activities. You don't want to make yourself unpopular. Or, like a head of unit at the Hessian Data Protection Commissioner, think about retirement, which is only the blink of an eye away (this information has been communicated first-hand and repeatedly). It is therefore not surprising that Google Analytics is regarded as harmless by this authority and that sexual preferences, expressed through the purchase of sex toys, are not seen as data worthy of protection.
Quiz question: What is the difference between a tax consultant and a data protection officer?
Some possible answers to this quiz question, leaving aside the technical focus of both professions:
- The tax consultant is called a consultant (Berater); the data protection officer is called a representative (Beauftragter).
- The tax consultant is not mandatory, but the data protection officer often is.
- The tax consultant is typically engaged even though this is not mandatory; the data protection officer is not.
- There is rarely a "self-confident" discussion with the tax consultant, but there is with the data protection officer ("Can't we just integrate Google Analytics on our website? Nothing will happen anyway!").
[Figure: Tax consultant versus data protection officer]
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.