8 June 2011
Many enterprises in Germany, including subsidiaries of international companies, are obligated to formally appoint a data protection officer (Datenschutzbeauftragter, or “DSB”). However, German law governing this area is not always clear, leaving many small and mid-sized companies wondering whether they are legally obligated to do so. Despite this ambiguity, failure to comply with the law can have significant ramifications, as mistakes made with regard to data protection can result in administrative fines and substantial damage to corporate reputation.
German data protection laws are also somewhat vague regarding the necessary qualifications and skills of DSBs. Further, the internal structures and support an enterprise must provide to its DSBs in order to comply with German law are not precisely specified. Appointing a DSB who is not sufficiently qualified, or failing to provide that person with adequate structures or resources, may result in fines of up to EUR 50,000.
German data protection authorities have published a resolution regarding minimum requirements for DSBs. The so-called “Duesseldorfer Kreis” has stipulated the required skills and framework for the proper work of DSBs in Germany. The Duesseldorfer Kreis is the joint coordination body of German data protection authorities at the state level, and its resolutions have considerable influence over enterprises operating in Germany.
Criteria for Appointing a DSB
Section 4f, Subsection 1 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, or “BDSG”) requires privately held companies to appoint DSBs if they permanently employ ten or more persons in the automated processing of personal data—the use of computers to process automated personal data is also covered. This obligation also applies to companies that employ 20 or more people to work with non-automated data processing or to process data that infringes so intensely on personal rights that, pursuant to Section 4d, Subsection 5 of the BDSG, the DSB is statutorily required to conduct a formal prior examination of the permissibility of this data processing. This can be the case when particularly complex processing systems or newer technologies are used.
Primary responsibility for adhering to the provisions of the BDSG lies with the company’s management. If, for example, the managing directors of a GmbH (Gesellschaft mit beschränkter Haftung, similar to a Limited Liability Company) do not fulfill the requirements for appointing a DSB, then each managing director risks administrative fines of up to EUR 50,000. While the responsible agencies do not normally impose the maximum fines, additional administrative fines can be imposed against the company itself pursuant to Section 130 of the German Administrative Offenses Act (Ordnungswidrigkeitengesetz).
Mandated DSB Responsibilities and Qualifications
The BDSG stipulates that the DSB must “work toward” fulfilling the provisions of the BDSG and other German data protection laws. One of the DSB’s many tasks is to advise the company’s management with regard to potential data privacy breaches or data protection compliance issues and to point out where data privacy could be improved.
Section 4f, Subsection 2 of the BDSG states that in order to adequately complete these tasks, the DSB must, at a minimum, fulfill several legal, technical and organizational qualifications. The BDSG does not clearly specify these qualifications, but the Duesseldorfer Kreis has made clear that DSBs must demonstrate competence in several key areas of practice.
Knowledge of Data Protection Law
Irrespective of the branch or size of the company in question, each DSB must have profound knowledge of Germany’s data protection laws. This includes knowledge of the constitutional rights of individual data subjects and of the company’s employees. Additionally, the DSB must be aware of those BDSG provisions that are applicable to her or his enterprise. Among other things, these provisions include specific technical and organizational stipulations regarding data security (e.g., Section 9 BDSG).
In addition, the DSB must be familiar with the accepted principles of data protection in Germany. These include: (i) the principle of adequacy and the obligation to avoid and restrict personal data where possible, pursuant to Section 3a of the BDSG; (ii) the principle that data may generally not be processed unless permitted by a legal justification under Section 4, Subsection 1 of the BDSG; (iii) the principle that personal data may only be collected for specified, explicit and legitimate purposes and may not be processed in a way incompatible with those purposes (Zweckbindungsgrundsatz); and (iv) the principle of transparency, according to which data subjects must, to the extent possible, be informed of the processing of their data.
Data protection regulators may require other qualifications of the DSB, depending on the business sector in which she or he operates, the employing company’s size or IT infrastructure and the nature and sensitivity of processed data.
Comprehensive knowledge of special legal provisions pertaining to data protection is required of the DSB if this is relevant to the employing company. For instance, the DSB of a financial institution should be aware of Section 25c of the German Banking Act (Kreditwesengesetz); in turn, the DSB of an insurance company must be well acquainted with Section 80d of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz).
Furthermore, the Duesseldorfer Kreis demands knowledge of information, telecommunications and data security technology. Among other things, these areas of knowledge refer to the physical security of IT structures, cryptography, network security, spyware and adequate protection measures. In some business sectors or companies, understanding of practical data protection management may be necessary as well.
The Duesseldorfer Kreis’s resolution lists examples of such practical skills, including executing controls, advising company management and coaching employees, providing data protection strategies and recording data protection-relevant company activities. Moreover, the resolution requires the creation of process registers (Verfahrensverzeichnisse) pursuant to Section 4g, Subsection 2, Sentence 2 of the BDSG. It also demands knowledge of log file analysis and risk management and of the analysis of security concepts, works agreements (Betriebsvereinbarungen) and video surveillance. Finally, the resolution requires the DSB to cooperate with employee representative bodies.
There may be scenarios in which a DSB must demonstrate basic economic knowledge. Unfortunately, the Duesseldorfer Kreis does not provide examples that specify when this qualification is applicable. Moreover, the data protection authorities stipulate that a DSB should have adequate knowledge of the enterprise’s technical and organizational structure. Hence, the DSB should be aware of relevant organizational and process charts and of the internal organization of the enterprise.
Regulated Data Processor Categories
Germany’s data protection regulators take a broad view when defining the categories of employees to which the BDSG applies. To a large extent, the definition encompasses every employee who works with a computer to compile, process or use personal data.
Thus, it is not only IT technicians who are included in this group, but also clerks who have computers available to them. Employees in personnel or financial areas, as well those who process orders, generally work with personal data in the scope of automated data processing and, consequently, fall under Germany’s data protection regulations.
This broad definition also applies to employees who, for example, enter personal data in a bank’s branch office, an insurance company’s office or an HR department. In this context, it is irrelevant whether the data is entered by a bank teller, by a customer service representative when opening a new account or placing an order, or by a person working in a client’s office. Automated data processing within the meaning of the BDSG also applies if a person enters data into his or her own computer and later transfers that data to the employer’s system.
If a company is uncertain whether it is obliged to appoint a DSB, it can seek advice from the responsible German state data protection supervisory authority. In case of doubt, this is the best procedure to follow.
When Managers Must Assume DSB Responsibilities
Regardless of the number of persons involved in an organization’s data processing functions, all companies that process data posing special risks to the rights and freedoms of their employees or business partners must appoint a DSB. According to specialized literature, examples of such risky functions include video surveillance and chip card use, as well as procedures that are generally non-transparent to the affected persons. Companies that are active in the areas of market or opinion research or that transfer data as a matter of business (e.g., credit information agencies) must always appoint a DSB.
The BDSG’s provisions are applicable even if a company’s data processing functions involve fewer than the minimum number of employees stipulated as a criterion for appointing a DSB. In this case, management must take on the DSB’s tasks. Furthermore, companies that are not required to appoint a DSB must report all automated data processing procedures to the responsible data protection supervisory authority prior to their implementation. If management does not abide by this obligation, then every manager is liable to receive an administrative fine of up to EUR 50,000. As the obligation to report all automated data processing procedures is fairly complex, it may be wise to appoint a DSB for that reason alone.
In essence, companies that have not yet appointed DSBs should thoroughly examine whether they are obligated to do so. Experience has shown that many companies are not aware of their statutory obligations. However, ignorance of the law is no defense; and German courts generally consider such ignorance to be legally unremarkable (because avoidable) mistakes of law. Conversely, if a company appoints a DSB prior to the supervisory authorities’ discovery of previous non-compliance issues, then it is extremely unlikely that a punishment will ensue.
Requirements Regarding DSB Independence
The DSB fulfills a special role in a German company. In order to enable the DSB to autonomously fulfill the role’s supervisory and advisory functions, she or he must report directly to the company’s management (Section 4f, Subsection 3, Sentence 1 BDSG). The DSB, moreover, must not be bound by company instructions regarding questions of data protection (Section 4f, Subsection 3, Sentence 2 BDSG). In addition, the DSB’s independence is safeguarded by mandatory dismissal protection.
Companies must enable their DSBs to fulfill their tasks and responsibilities without encountering conflicts of interest. Companies must safeguard this protection by implementing organizational and contractual provisions that are published both internally and externally.
Pursuant to the BDSG (Section 4f, Subsection 3, Sentence 3 et seq.), a company may not discriminate against an employed (internal) DSB based on the fulfillment of his or her functions. According to the data protection authorities, this protection also applies to the appointment of an external DSB (e.g., a specialized lawyer).
The DSB’s service contract must generally safeguard the autonomous fulfillment of her or his legal assignments. This can be accomplished by agreements between the company and its DSB on respective notice periods, payment modalities, disclaimers and documentation obligations. The Duesseldorfer Kreis recommends a contractual period of at least four years, or a minimum of two years when initially appointing an external DSB. Companies must ensure that external DSBs are enabled to provide their services in an adequate manner and, as appropriate or necessary, to deliver their services onsite at the company itself.
The BDSG provides that companies must generally pay for the training and continuing education of their DSBs. Hence, if a company appoints an employee as DSB, it must bear the expenses for the required training. However, where an external DSB is appointed, training costs may be part of the agreed contractual compensation. The considerable training and education requirements mandated by the data protection authorities may increasingly lead companies to appoint external DSBs, rather than internally employed DSBs, as a cost-saving measure.
Required Organizational Framework
The data protection authorities provide several specifications regarding internal corporate structures that are necessary to fulfill BDSG mandates. For example, the enterprise must authorize its DSB to enter all relevant locations and to have access to all documents necessary to complete the tasks. In addition, the DSB must be part of all data-related project proposals and decision processes. This could result in a development where the internal position and the relevance of the DSB may be increased.
Consequences of Noncompliance
The basic requirements of DSBs that are now set forth in the BDSG were not always fulfilled when data privacy controls were conducted in German enterprises by data protection authorities. Under current German law, however, minimum DSB qualifications and standards of independence have been defined more precisely.
Failure to meet these specifications may pose significant risks for enterprises operating in Germany. A company that appoints a DSB whose qualifications, reliability or position within the enterprise do not comply with the legal requirements may be punished with administrative fines pursuant to Section 43, Subsection 1, Number 2 of the BDSG. Moreover, German data protection authorities have a strong tendency to review corporate violators of the BDSG more closely for additional data protection infringements.
Summary and Recommendations
The demands of the German data protection authorities are extensive. In particular, the professional knowledge and skills required of DSBs mandates a high degree of specialization and training. If the qualifications of the DSB are deemed insufficient, high administrative fines and serious damage to the corporate violator’s reputation may ensue.
Germany’s data protection authorities have determined that the functions and responsibilities of a company’s DSB are influenced by a variety of factors, including company size and organizational structure, business- and sector-specific considerations, and the nature and sensitivity of the data that is processed. Consequently, large enterprises and companies that process sensitive data or considerable quantities of data must fulfill stringent regulatory standards.
Enterprises operating in Germany, then, are generally well-advised to appoint DSBs who fully satisfy the nation’s demanding legal requirements. Moreover, they should take vigorous and continuous action to ensure that their internal structures are compliant with the specifications issued by German data protection authorities.