The entry into force of the GDPR on 25 May 2018 also brought considerable changes to the tasks of a “group data protection officer”, which did not previously exist in a comparable form. For the first time, the GDPR explicitly states that a group of undertakings may appoint a single data protection officer (DPO). This results in consequences for matters such as data protection impact assessments, liability issues, and other issues that require strict compliance with the requirements of the GDPR. In contrast to the prior legal situation, which was covered by the Federal Data Protection Act (BDSG), the GDPR expressly provides for and thus facilitates the appointment of a data protection officer in a group of undertakings.
What’s different about a group data protection officer?
The provisions of Article 37 (2) of the GDPR state that a group of undertakings (group) may appoint a single data protection officer. As a consequence, it is no longer necessary for each single company within a group to appoint a separate data protection officer; instead, one data protection officer is responsible for all companies within the group.
What are the tasks of the data protection officer?
The appointed data protection officer’s tasks generally correlate with those of companies and supervisory authorities. He or she is responsible for complying with the data protection requirements set by the contracting company or group. Just like a DPO responsible for just one company, a group data protection officer is required to meet the requirements of the GDPR. He or she must therefore possess certain professional qualifications, the ability to discharge his or her tasks in compliance with the GDPR, and relevant experience of such matters. This makes the need to keep pace with a rapidly changing legal and technological field one of the primary tasks of a group data protection officer. Although the GDPR does not require any specific legal background for this role, it is hard to imagine anyone being in a position to manage the complex requirements of the GDPR without a legal background and practical experience of the law. The tasks of a group data protection officer thus also include familiarisation with the procedures involved in transferring data between individual companies and knowledge of internal processes.
Article 39 of the GDPR sets out his or her tasks in detail. His or her primary responsibility is to inform employees of a company or the overall group of the data protection requirements that apply under the GDPR. It may be expected that the group data protection officer is not just in possession of the necessary legal knowledge for this purpose but is also able to communicate it in a clear and coherent manner. Large groups of undertakings, in particular, may arrange for training sessions to be prepared and then conducted by selected employees. A key element of such training is that any language barriers are eliminated. It is also necessary for the group data protection officer to be given access, with no unreasonable barriers, to the individual companies, e.g. for the purpose of evaluating training. An unreasonable barrier may, for example, exist if the group data protection officer needs more than one day to travel to a specific company. The group must therefore ensure ease of access between its various locations, thereby allowing the group data protection officer to fulfil his or her duties. For the group data protection officer, this means that he or she must be located within the EU, even if the group has companies that lie outside the EU. In addition, the requirement of easy accessibility applies not only to the individual companies but also to the data subjects and supervisory authorities.
Language skills and easy accessibility are also required for the second key task of a group data protection officer: he or she is responsible for monitoring the implementation of the GDPR by the companies in the group. This additional task has consequences for liability issues, as in the event of a breach, and in contrast to the prior situation, the GDPR provides for high administrative fines. The contracting company, in this case the group, is generally liable for any breach of duty by the data protection officer. In addition, companies or groups may also be liable if they do not provide the data protection officer with sufficient support in the performance of his or her duties. If, then, the group data protection officer is not granted the opportunity to obtain an overview of the processes relevant to data protection within the individual companies, in particular the cooperation between the individual companies, and can therefore not adequately perform his or her duties, a liability risk to the company may arise on two counts.
In addition, the group data protection officer is responsible for cooperation with the supervisory authorities. In this context, it is important for him or her to complement their function within the company and thus work to achieve transparent cooperation with the supervisory authorities.
Further tasks of the group data protection officer include providing advice regarding the data protection impact assessment, which must be carried out in cases in which there is an increased risk to the rights of data subjects to data protection, i.e. when an intrusion into the privacy of the individual is particularly far-reaching. CCTV is a good example of this. A high risk of this type must always be assumed when particularly sensitive data (e.g. health data) is processed. By means of the data protection impact assessment, the group data protection officer should carefully consider whether the interests of data subjects override the interests of the group (or an individual company) or vice versa in a company, in several companies, or in the process of transferring data between individual companies in a group. If there is a risk to the interests and rights of data subjects, the group data protection officer must then initiate the action required to better protect the data of data subjects in advance. This may be done, for example, by providing information on how data will be processed in good time or by means of appropriate technical defaults (privacy by design).
What are the benefits of appointing a group data protection officer?
Similarly to an external data protection officer, a group data protection officer can easily obtain an overview of all issues relevant to data protection within a group of undertakings. The question of who is responsible for complying with GDPR requirements may frequently arise, in particular when processing personal data by means of transfer between individual companies; such matters can be transparently set out, thus ensuring compliance with the GDPR, by the group data protection officer. In addition, companies can use a group data protection officer to ensure compliance with their documentation obligations and thus comply with the burden of proof rules under the GDPR. Overall, a group data protection thus considerably reduces the risk of the high administrative fines provided for in the GDPR by creating uniform group standards. Companies can also make financial savings by appointing a single data protection officer. Standardized data protection requirements and structures that apply to the entire group of undertakings can also fulfil the transparency requirements of the GDPR.
Recommended action
Due to the efficiency and transparency benefits involved in appointing a group data protection officer, groups of undertakings are strongly urged to consider this route of action. The complex procedures relating to data transfer between companies and the involvement of processors, in particular, require a broad view of and method of handling issues relevant to data protection to avoid the high administrative fines provided for in the GDPR.