S 2.502 Specification of the responsibilities for data protection
Initiation responsibility: Top Management
Implementation responsibility: Top Management
Data protection is of essential importance for all IT systems and procedures used to process personal data. Data protection aspects must therefore be integrated into security management as soon as the planning phase for the introduction of an IT procedure begins. This is the only way to ensure that all important aspects are taken into consideration and that all tasks are performed efficiently and effectively.
A detailed list of tasks to be performed and provisions to be made that must be taken into consideration from a data protection law point of view can be found in S 2.1 Specification of responsibilities and provisions.
A safeguard particularly suited to this purpose is the appointment of a corporate and/or official Data Protection Officer (bDSB) and his/her integration into security management. There is also the option of appointing an external bDSB.
The bDSB independently examines compliance with data protection requirements and also constitutes the link between the autonomous application of the law by the data processing body on the one hand and official supervision on the other.
With a few exceptions, the appointment is required by law:
- for public bodies of the federal government and for non-public bodies under the BDSG (§§ 4 f, g), and for the social insurance carriers under the social code (§ 35 SGB I, § 81 section 1 SGB X in connection with §§ 4 f, g BDSG)
- for public bodies of the federal states, the appointment requirement is also specified in some state data protection acts.
Compliance with data protection requirements must also be ensured in those areas where no Data Protection Officer is appointed. This may be performed by security management. For this, at least internal IT auditing and data protection monitoring should be established (see also S 2.110 Data protection guidelines for logging procedures).
Appointment of a Data Protection Officer
Only persons who have the specialised knowledge and reliability required for fulfilling the tasks may be appointed as Data Protection Officer.
Fulfilling the task requires technical, organisational, and legal know-how. The bDSB must be familiar with and able to safely apply the statutory provisions such as the right to informational self-determination, the constitutional rights referring to data protection, the Federal Data Protection Act, division-specific data protection regulations, and the relevant special provisions of the specialised department. The bDSB should furthermore have good knowledge of the organisation and profound knowledge in the field of information technology.
If he/she lacks the technical qualification in sub-areas, he/she must be given the opportunity to acquire it. In order to be able to fulfil his/her control and counselling tasks, the bDSB should be very familiar with the tasks and modus operandi of his/her government agency and/or company, based on his/her own experience if possible.
The bDSB need not be entrusted exclusively with the functions of a Data Protection Officer. Depending on the type and extent of the personal data processing and the related data protection problems, it may make sense to assign additional tasks to him/her. This comes into consideration particularly for smaller government agencies and/or companies once the training or start-up phase is complete.
Special care must be taken to ensure that no conflicts of interest or dependencies are created that could endanger his/her ability to perform the required tasks. Conflicts of interest may occur in particular if the bDSB simultaneously assumes responsibilities in the fields of personnel or information technology, or in organisational units with particularly comprehensive or sensitive processing of personal data, or if he/she is the Confidentiality Officer. In contrast, the functions of the bDSB may be merged with those of the IT Security Officer. If the IT Security Officer is organisationally independent of the organisational unit responsible for IT, merging the two into one position is advisable. The head or an employee of the Legal or Organisation departments is also suitable for this task.
In the interest of a subsequent trusting cooperation, the Personnel and/or Supervisory Board should be involved early-on in the appointment of the bDSB.
If the appointment is required by law, certain formal requirements usually apply. In any case, the appointment of the bDSB must be announced to all employees. The announcement must indicate that each employee can turn directly to the bDSB regarding his/her personal and official matters.
An independent and organisationally prominent position is decisive for the bDSB to work efficiently. When fulfilling his/her tasks, he/she must not be subject to the instructions of the organisational units he/she is required to control. In his/her function as bDSB, he/she must be assigned to the head of the organisation, either by direct assignment or as a staff function. The organisational chart must make this visible to all employees.
The bDSB must have the right to report directly to Top Management at any time and must be informed comprehensively and in a timely manner about events in the government agency and/or company, insofar as these relate to his/her work. He/she must be involved in data protection-relevant processes, and plans relating to the handling of personal data must be disclosed to him/her.
The bDSB must be supported by Top Management and by all employees. If required, he/she must be provided with auxiliary personnel, as well as equipment, devices, and resources. If he/she requires more in-depth legal or technical advice, he/she must be informed of suitable contact persons in the corresponding specialised departments whom he/she may rely on when needed.
The bDSB must contribute to ensuring that his/her government agency and/or company takes the requirements of data protection into account in a comprehensive manner. He/she must check compliance with the data protection provisions in all areas. He/she performs his/her tasks mainly by counselling and inspections. His/her primary task is to provide advice. For the employees, the bDSB should be the contact person for all questions concerning data protection, to whom they can confidently turn at any time.
In the event of vulnerabilities and omissions, he/she should initially seek constructive solutions together with the persons involved. Here, it is important to raise employees' awareness that data protection is positive and useful. If implemented appropriately, data protection promotes workflows rather than making them more difficult. If a government agency and/or company collects too much personal data, deletes personal data too late, or transmits personal data without authorisation, it not only violates data protection law but also causes an increased administrative workload and additional costs. Above all, data protection is an important element of citizen- and customer-friendly behaviour, because it makes procedures transparent.
The bDSB is entitled to perform unannounced inspections at any time. To this end, he/she is granted access to all rooms and all documents containing personal data or relating to the handling of personal data, insofar as this is required in order to fulfil his/her tasks. However, reading personnel files, medical records, allowance files, and security files is only admissible with the consent of the person concerned.
When inspecting and advising the staff representation, its independent position must be taken into consideration. However, this does not exclude the performance of inspections.
The bDSB supports the Top Management in assuming their responsibility for maintaining the protection of personality rights and in avoiding incidents detrimental to the reputation of the government agency and/or company. He/she should also establish and maintain contact with the Personnel and/or Supervisory Board. A good collaboration is not only desirable because of the sensitivity of personnel data processing.
The bDSB must undertake further training in order to properly perform his/her tasks. It is also very useful to exchange experiences with other bDSB of the business unit or from government agencies and/or companies with similar specialised tasks.
In the individual case, the specific definition of the bDSB's tasks depends on the tasks to be performed, but also on the size, design, and structure of the respective government agency and/or company.
The following catalogue provides an overview of the tasks the bDSB may be commissioned with in every government agency and/or company.
Basic tasks:
- counselling of the management and the other employees regarding data protection-relevant questions
- implementation of announced and unannounced inspections
Overviews and registers:
- maintenance, or monitoring of the maintenance, of the register of the data processing systems used
- maintenance of the overview of all files and procedures in which personal data is stored or processed
- assumption of the statutory reporting obligations
Automated retrieval procedures and commissioned data processing:
- informing the competent data protection control agency of automated retrieval procedures
- checking compliance with the instructions of the client when processing or using personal data on the client's behalf (commissioned data processing)
Participation:
- drawing up or participation in drawing up policies, newsletters, service agreements, and further general announcements referring to handling personal data
- processing of or participation in information, correction, blocking, or deletion requests, in drawing up citizen information, as well as during general citizen petitions and enquiries regarding data protection
- participation in the analysis of the log files
- participation in the introduction of procedures for processing personal data by the specialised department
- participation in provisions regarding information security
Training and collaboration:
- training of the employees in data protection law-related aspects, as well as the implementation of data protection provisions
- regular or occasional reports to the head of the organisation regarding the status of data protection in the government agency and/or company
- collaboration with the IT Security Officer
- contact person of the external data protection control agencies, e.g. the Federal Commissioner for Data Protection and possibly the Data Protection Officers of the superior government agency and/or the company, of other government agencies and/or companies of the business unit, and public agencies with related tasks
Review questions:
- Was a Data Protection Officer appointed?
- Is the Data Protection Officer adequately qualified?
- Is the Data Protection Officer provided with sufficient resources?
- Are the tasks and competences of the Data Protection Officer clearly defined?