
Employed on a temporary basis and still a data protection officer?

Every company should have a data protection officer. For companies with at least 20 employees who regularly handle personal data on computers, this is even a legal requirement under Section 38 of the German Federal Data Protection Act (BDSG).

According to Art. 37 GDPR, the company has the choice of whether to appoint one of its own employees as data protection officer or an external service provider.

Requirements for the data protection officer

For a company employee to be an internal data protection officer, that person must meet certain requirements. They must be qualified in the field of data protection law and practice and possess the expertise to fulfill the statutory duties of providing information and advice on data protection law and monitoring compliance with the regulations.

The data protection officer must keep an eye on data protection regulations and be familiar with the relevant case law and statements by supervisory authorities on data protection at national and European level.

Due to the complexity of the tasks of a data protection officer, the question arises as to whether temporary employees can also be appointed as data protection officers.

Temporary or permanent? Both are possible

In principle, an appointment can be temporary or permanent. The GDPR does not specify this. In the negotiations between the EU institutions on the GDPR, Parliament proposed in Article 35(7) that an employee be appointed as internal data protection officer for at least four years; the Commission proposed two years. Ultimately, no provision for minimum terms was included in the negotiations. Apparently, the legislature did not want to stipulate a minimum term here.

But: The minimum duration of the fixed term is important

However, this does not mean that a minimum term of appointment is not legally required, even if it does not arise directly from the text of the law.

The Hessian Data Protection Supervisory Authority commented on the previous legal situation, which also did not stipulate a minimum term for an appointment (see Hessian State Parliament.

At least two years of appointment

Based on this consideration, it can be assumed that an appointment should be made for at least two years. This gives the designated person the opportunity to fulfill their duties under Art. 37 GDPR. Article 39 (2) GDPR requires companies to ensure that the data protection officer is provided with the necessary resources to fulfill their duties. This also includes the time a designated person needs to familiarize themselves with the task and effectively review processes.
