Many companies are obliged by the GDPR (and in Germany by the Federal Data Protection Act) to designate a Data Protection Officer (DPO).
The obligation applies if the economic activities require processing of personal data on a large scale or of personal data that is considered sensitive. Moreover, companies with an establishment in Germany that employ at least 10 persons engaged in automated data processing (e.g. using a computer), or that carry out data processing subject to a so-called data protection impact assessment, will also need to appoint a DPO.
Although an internal solution is possible under the GDPR, outsourcing is more attractive to many companies. When an external DPO is appointed, companies can save resources:
- a full-time DPO is an expensive employee because of the high level of expertise the role necessarily requires
- above all, the DPO has to be independent, which disqualifies him from many other tasks inside the company
- external service providers often have vast experience with data protection practices and can optimize compliance more effectively
The main task of a DPO is to monitor the company’s compliance with data protection laws. The DPO has to inform and advise the company and its respective employees about their duties connected to the processing of personal data. Besides this, the DPO shall be the contact person for
- data subjects regarding all issues related to processing of their data and exercising their rights under the GDPR
- the data protection supervisory authority for any consultations concerning processing activities of the company.
If a company is obliged to appoint a DPO but fails to do so, this may lead to fines of up to EUR 10,000,000.00 or 2% of the company’s annual group turnover, whichever is higher.
Furthermore, a DPO can help the company avoid the even higher fines that can be imposed for violations of particular GDPR provisions.