Data Protection Officer in Germany and in Switzerland
machCon provides you with a certified, experienced external data protection officer in the Lake Constance region and in Switzerland. There is still widespread uncertainty about when a data protection officer must be appointed. An appointment is required if one of the following applies:
- personal data are processed by a public body or authority (courts are excepted) [Art. 37(1)(a) GDPR];
- the core activity of the controller (your company) consists of processing operations involving personal data on a large scale [Art. 37(1)(b) GDPR];
- the core activity of the controller is the processing of special categories of data on a large scale (e.g. health data, data on ethnic origin) [Art. 37(1)(c) GDPR];
- a voluntary appointment is of course possible at any time; if no data protection officer has been appointed in the company, it remains the duty of management to operate data protection in accordance with the provisions of the GDPR [Art. 37(4) GDPR];
- because of the opening clause in the GDPR, the legislation of the FDPA-New also applies: a data protection officer must be appointed if, as a rule, at least 20 persons are permanently engaged in the automated processing of personal data [§38 FDPA-New];
- processing operations are carried out that are subject to a data protection impact assessment [Art. 35 GDPR], or personal data are processed for the business purpose of transmission or for the purpose of market and opinion research.
If one of the above points applies to you, you are legally obliged to appoint a data protection officer. If not, you must still comply with the data protection requirements, but you may do so yourself.
Corporations and groups of companies
Since the introduction of the GDPR, it has been possible to appoint a group data protection officer. This also applies to a group of companies (Art. 37(2) GDPR). A group of companies is defined as an association of several companies that are dependent on a controlling company (Art. 4(19) GDPR). This definition therefore corresponds to that of a group of companies under §18 AktG.
A group of companies is therefore free to appoint a joint data protection officer. Care must be taken, however, to ensure that the data protection officer is "easily accessible" from each branch office, which should not be a problem in today's world.
In the public sector, too, several bodies can appoint a joint data protection officer. However, the organizational structure and the size of the respective public bodies or authorities must be taken into account.
What a data protection officer must have:
The GDPR requires that a data protection officer (whether internal or external) has professional qualifications and, in particular, expertise in data protection law and practice. They must also be able to carry out the tasks required under Art. 37 GDPR. According to §38 FDPA-New, it must further be ensured that a data protection officer (e.g. an internal one) does not fall into a conflict of interest, as would be the case, for example, for the head of IT or the head of human resources.
Any further questions?
We are happy to assist you personally with any further questions.