CEDPO introduces the GDPR watchdog, which will focus on developments regarding the DPO at Member State level:
On November 23rd 2016, the German Ministry of the Interior published an extensive Draft Bill addressing the opening clauses for a specific implementation of the GDPR at Member State level. Associations and Federal States (“Länder”) were requested to provide their opinions on the new Draft Bill by December 17th.
Art. 37 paragraph 4 of the GDPR allows Member States to stipulate cases in which a DPO has to be designated other than those referred to in paragraph 1.
Following up on Sect. 4f of the German Federal Data Protection Act, Controllers and Processors in the non-public sector shall generally appoint a DPO according to Sect. 36 of the Draft Bill when at least ten persons are employed to carry out automatic processing of personal data on an ongoing basis. Regardless of the number of employees permanently employed for the processing of personal data, the designation of a DPO shall also be mandatory in cases where
- a Privacy Impact Assessment is required in accordance with Art. 35 of the GDPR,
- the Controller or Processor’s business purpose is to collect and store data commercially for the purpose of transfer in personalized or anonymized form,
- the Controller or Processor’s business purpose is to collect and store data commercially for the purposes of market or opinion research.
Furthermore, the Draft Bill provides for protection against dismissal (Sect. 5 paragraph 6). The termination of the employment relationship with a DPO shall only be lawful if facts are present on the basis of which the employer cannot reasonably be expected to continue the employment relationship to the end of the regular notice period or to the agreed end of the employment relationship.
Sect. 6 paragraph 4 of the Draft Bill provides that the DPO shall be bound to maintain secrecy on the identity of the data subject and on circumstances permitting conclusions to be drawn about the data subject, unless he/she is released from this obligation by the data subject.
In so far as the DPO obtains knowledge of data in the course of his or her activities in connection with which a right of refusal to give evidence applies on professional grounds to the head of the public or private body or a person employed at such a body, this right shall also apply to the DPO and his/her assistants. The person to whom the right of refusal to give evidence applies on professional grounds shall decide whether to exercise this right, except where it will not be possible to effect such a decision in the foreseeable future. To the extent to which the DPO’s right of refusal to give evidence applies, the DPO’s files and other documentation shall be subject to a prohibition of seizure (Sect. 6 paragraph 5).
The GDD comments on the Draft Bill are available here (DE).
Update 2017/07/15: The German Bundestag has adopted the Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 with no changes regarding the DPO compared with the Draft Bill. The Act can be downloaded here (EN).