According to German data protection law, German data controllers must appoint a Data Protection Officer (“DPO“) in several cases, for example when ten or more people are involved in the automated processing of personal data.
While an employee can be appointed as DPO, the appointee must be knowledgeable on data protection and must be reliable and independent. The latter two characteristics exclude the possibility of appointing someone who has an incompatible position.
The Bavarian Data Protection Authority (“BayLDA“) found such an incompatibility in the case of a company that appointed as DPO its IT manager. The problem here was that this person would be required to monitor himself, i.e. as a DPO he should have supervised on whether the IT department was run in compliance with the data protection law. Read more here.
The GDPR — to enter into effect in May 2018 – also requires the appointment of a DOP.
For more information: Francesca Giannoni-Crystal.