External Data Protection Officer
Under certain circumstances, companies shall designate a data protection officer. The best-known case is probably the obligation to designate a data protection officer where ten or more persons are constantly engaged in the automated processing of personal data. In any case, it should be checked whether a company requires a data protection officer, who must ultimately be reported to the competent supervisory authority.
The task of an (external) data protection officer according to the legal model is mainly characterised by monitoring and verifying compliance with certain requirements. MORGENSTERN’s consultants advise clients as external data protection officers and perform the following tasks in particular:
- Legal audits on data processing (e.g. transfer to other companies, publication of data on the Internet)
- Planning data protection impact assessments (e.g. GPS tracking, video surveillance, electronic time recording and other high-risk processing)
- Personnel and works council training
- Drafting of records of processing activities (on-site appointments are expedient)
- Drafting of regulations on privacy (e.g. guidelines on the use of operational means of communication, guidelines on the handling of data breaches)
- Review or preparation of contracts for processing
- Auditing of potential processors with regard to the technical and organisational measures and documentation
- Auditing of websites with regard to privacy and telemedia law requirements
- Advice on all privacy issues
Depending on the type of personal data processed by a company, the technical requirements placed on a data protection officer differ. In particular, medium-sized and large companies often have to deal with complex IT infrastructures, extensive contractual structures and risky software applications. Hence, these tasks can no longer be performed by one of the company's own employees. Such companies should, therefore, rely on an attorney specialised in privacy law to identify and solve legally complex issues. If no such attorney is available in your own company, the designation of an external data protection officer is necessary.