The concept of a Data Protection Officer was created in Europe with the General Data Protection Regulation. Whether a company is obliged to appoint a Data Protection Officer depends on its core activities, the activities essential to achieving its goals: the obligation applies where those activities consist of processing personal data, or of data processing that has particularly serious consequences for the persons affected. Such companies must appoint an operational Data Protection Officer. In addition, the rules on appointing a Data Protection Officer contain an escape clause for Member States, which are free to decide whether a company must appoint an operating Data Protection Officer under narrower conditions. Where such an obligation exists under the General Data Protection Regulation or under national law, corporate groups may also appoint a single joint operating Data Protection Officer, provided that this officer is easily reachable for external stakeholders, supervisory authorities and employees.
Groups and companies have two ways to meet their obligation to appoint a Data Protection Officer: they either name an employee as an internal Data Protection Officer, or they appoint an external Data Protection Officer. When selecting the person, they must ensure that an internal Data Protection Officer is not subject to a conflict of interest, for instance because he works in the IT department, the HR department or senior management and would therefore have to monitor himself. Regardless of which option is chosen, a Data Protection Officer must have professional knowledge of data protection law and IT security commensurate with the complexity of the data processing and the size of the company.
The duties of the Data Protection Officer include monitoring compliance with all relevant data protection regulations, monitoring specific processes such as data protection impact assessments, raising employee awareness and training employees, and cooperating with the authorities. To protect this function, the operating Data Protection Officer must not be dismissed or penalised for performing his tasks. Despite this monitoring function, the company itself remains responsible for compliance with data protection regulations. The Data Protection Officer must therefore be involved "properly and in a timely manner, in all issues which relate to the protection of personal data". When the Data Protection Officer is appointed, his superior must publish his contact data and communicate his appointment and contact data to the authorities.
Wilful or negligent failure to appoint a corporate Data Protection Officer is an offence subject to fines.