1. Requirements for an external data protection officer
An external data protection officer (DPO), like an internal one, must be selected according to the requirements laid down in Art. 37(5) and Art. 39 GDPR (DS-GVO). Under these provisions the DPO must, at the time of designation, already possess the professional qualifications and the expert knowledge needed to perform the tasks; the level of expertise required is determined essentially by the scope of the data processing carried out by the controller and by the degree of protection the personal data being processed requires.
Relevant prior practical experience, technical knowledge, training and continuing education, and proof of specialised data protection training may all be required. Candidates should also have IT qualifications so that they can understand processes that are at times technically complex. In addition, the DPO should have at least a basic legal understanding, in order to grasp the large number of rules arising from the General Data Protection Regulation, the ePrivacy Regulation and national law, and to apply the relevant case law.
2. Minimum Duties of the Data Protection Officer
The minimum tasks of the DPO follow from Art. 39 GDPR; they can be specified in more detail or extended by the employment or service contract concluded with the DPO.
One of the primary tasks of the external DPO is to work towards compliance with all (data protection) rules by the controller or processor and its employees, by means of information and advice (Art. 39(1)(a) GDPR). To do this, the DPO must be briefed on the data processing procedures, the software used for them and the IT systems on which they run, and should review these regularly thereafter. In addition, the external DPO must ensure that the persons who handle personal data are made familiar with the data protection rules and their duty of care; this should be done through regular training and, where necessary, repeated refresher training.
A DPO regularly reviews the company's technical and organisational measures, provided this task has been contractually assigned by the controller or processor. This review must cover at least physical access control (Zutrittskontrolle), system access control (Zugangskontrolle), data access control (Zugriffskontrolle), transfer control, input control, order (processor) control and availability control, i.e. the control categories of the annex to Section 9 of the old BDSG. The DPO also carries out regular audits.
The DPO usually also monitors the automated processes used in the company, often reviewing them as part of a data protection impact assessment (Art. 35 GDPR) to ensure that data subjects' rights are adequately protected and that data subjects are sufficiently informed. This is particularly important with regard to the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object, and in order to respond to data subject access requests.
The DPO also frequently maintains the records of processing activities (formerly the "procedure register"), although it should be noted that there is no legal obligation for the DPO to do so; under Art. 30 GDPR this duty lies with the controller or processor. In addition, the DPO could be contractually required to develop a data protection manual containing the necessary concepts, guidelines, policies and employee information.
The internal or external DPO must also act as the contact point with the supervisory authority on behalf of the controller or processor (Art. 39(1)(d) and (e) GDPR). It should be stressed, however, that the external DPO generally has no decision-making authority; this lies solely with the controller and therefore usually with the management of the DPO's client.
3. Appointment / termination of a data protection officer
A DPO must be designated in the cases covered by Art. 37 GDPR or Section 38 BDSG (new version). The designation should be made in writing. Under Art. 37(7) GDPR the controller or processor must publish the DPO's contact details and communicate them to the supervisory authority (notification obligation). The designation document should bear the signatures of both the DPO and the controller's management.
In performing the tasks, the external DPO is not bound by instructions from company management (Art. 38(3) GDPR) and may act freely within the legal limits. Precisely for this reason, it should be considered in advance to what extent an internal employee can work independently. In principle, a DPO may take on other tasks and duties in the company (Art. 38(6) sentence 1 GDPR), but should not hold any other position that could give rise to a conflict of interests and undermine that independence (e.g. head of HR or IT, general management, etc.).
Under Section 38(2) in conjunction with Section 6(4) BDSG (new version), an internal DPO may be removed from office only by analogous application of Section 626 BGB, i.e. only for good cause. The DPO's employment relationship may be terminated only where facts exist that would justify termination without notice for good cause; after the DPO's activity has ended, termination within the following year remains impermissible unless such good cause exists. Whether, and to what extent, this protection against dismissal can be transferred to the external DPO has not been conclusively settled. Termination of an external DPO engaged under a service relationship could therefore be based on Section 621 BGB (ordinary notice periods for service contracts) or Section 627 BGB (termination without notice for services of a higher nature based on special trust). Alternatively, an analogous application of Section 626 BGB would be conceivable; the latter would make sense and probably comes closest to the legislator's intent.
4. Internal or external DPO?
This raises the question of whether the DPO role should be filled by an internal or an external person. As already mentioned, cooperation with an internal employee tends to run smoothly thanks to personal familiarity and existing knowledge of the company and its structures. On the other hand, practice shows a danger that entire areas of responsibility are simply "overlooked", and a risk that the candidate lacks either technical expertise or legal skills. The most important arguments against appointing an internal employee, however, are liability and the fact that an external DPO can be dismissed more quickly (which will probably continue to apply under the GDPR). While the internal DPO is liable to the company only under the principles of employee liability, the external DPO is regularly liable under Sections 280 and 611 BGB and under Section 823 BGB.
Depending on the controller's or processor's objectives, the better arguments favour either an internal or an external DPO. A strong argument for the external service provider is that they usually deal with data protection full-time.