Data protection: Who can be a Data Protection Officer?
Article by Dr. Sebastian Kraska (attorney at law, external Data Protection Officer) and Alma Lena Fritz (attorney at law).
If a company has to appoint a company Data Protection Officer, then the question becomes who will be suitable to carry out the office? Apart from the question of whether an Internal Data Protection Officer or an External Data Protection Officer is more suitable for the company, this article will explain which employees in the company can perform the tasks of the Data Protection Officer and when difficulties may arise when determining the officer.
What skills does a Data Protection Officer need to have?
By law a Data Protection Officer must be able to expertly carry out his/her office. In particular, this makes it necessary for the Data Protection Officer to be familiar with methods and techniques of automated data processing and to know about the legal and business issues. A Data Protection Officer especially needs to understand the organization of the business and its roles. This includes an understanding of all specific business tasks for which personal data is processed.
Reliability of the Data Protection Officer
In addition, only those persons may be appointed as a Data Protection Officer who exhibit the necessary reliability to carry out their office. Reliability as a concept includes the ability to work under stress and learn quickly, being loyal and conscientiousness, and having a diligent and thorough work style. The term reliability also refers to compatibility between the Data Protection Officer’s task and his/her other primary and secondary duties.
Independence of the Data Protection Officer
In order for a Data Protection Officer to perform his/her duties in compliance with the law, he/she must be independent in terms of making decisions about and evaluating circumstances. The European Court of Justice has already confirmed this year that independence plays a large role precisely in the field of data protection. You can read about this in greater detail here.
Which professions involve a conflict of interest?
Legal scholarship considers some professional groups to have a potential conflict of interest that places in doubt the independence of the Data Protection Officer and hence his/her ability to work effectively. The prevailing opinion is that – apart from members of management, who may not be appointed as Data Protection Officers on the basis of § 4f paragraph 3 sentence 1 German Federal Data Protection Act – owners of a company, data processing and human resources managers, and IT administrators are included in this group.
For these reasons, appointing close relatives of management and similar persons should be avoided.
Which persons can be considered for the position of an Internal Data Protection Officer?
Employees in the audit department, legal department, and organizational department can be appointed as a Data Protection Officer unless there is a conflict of interest. A director from the internal audit department and data processing audit department are generally considered suitable for the position in the literature.
Avoiding conflicts of interest by using an External Data Protection Officer
An internal conflict of interests can be avoided in practice by appointing an External Data Protection Officer.
Legal counsel as External Data Protection Officer
In-house lawyers who support the company both in general legal matters and as an External Data Protection Officer are generally susceptible to a conflict of interest because they are required to protect the interests of the client and – objectively as it were – to perform the duties of a Data Protection Officer.
However, an attorney is prohibited by professional codes under section 43 German Attorney Regulation in conjunction with section 43a paragraph 4 German Attorney Regulation, § 3 German Professional Code for Attorneys from representing contrary interests. The prohibition against representing contrary interests according to § 3 paragraph 2 sentence 1 German Professional Code for Attorneys also applies to all attorneys affiliated with an attorney in the same professional or office group. If contrary interests are represented, then all mandates in the same legal matter must be relinquished immediately. Such a conflict of interests can also result in the Data Protection Officer’s appointment being illegal, which in turn leads to revocation by data protection regulators (along with the risk of fines for the company).
Summary
If an Internal Data Protection Officer will be appointed, it is important that he/she be able to satisfy his/her legal duties independently while avoiding any conflicts of interest. Even when External Data Protection Officers are appointed who need to perform their duties independently, it is necessary that they not be susceptible to any conflicts of interest. Attorneys who in general are especially well-suited for work as an External Data Protection Officer should therefore not at the same time provide general legal advice to companies in order to preserve their independence as a Data Protection Officer.