Data breaches happen all the time and everywhere. Nevertheless, it comes as a great shock to companies when, despite all their caution, a data breach occurs in their own business. Data protection officers have the task of minimizing this risk and thus avoiding far-reaching financial and legal consequences. But who is liable in such a case? What should companies and compliance managers look out for? Internal or external data protection officer – what risks do the options entail? In this article, we answer the most important questions about the topic.
The General Data Protection Regulation (GDPR), which came into force in 2018, has resulted in stricter data protection requirements for companies. In particular, this concerns the principles of lawfulness, purpose limitation, and transparency of data and its processing. Violations of the GDPR can result in fines in the millions.
Data protection officers for companies (DPOs) are responsible for controlling and monitoring the data protection requirements of the GDPR. This is a form of self-monitoring: the company checks whether it complies with the provisions of the GDPR in order to avoid claims for damages against the company.
In addition to monitoring and controlling the company, data protection officers also act in an advisory and informative capacity. They work closely with the management to ensure the agreed-upon level of data protection. Close cooperation also takes place with the responsible supervisory authority.
The introduction of the GDPR has significantly increased the scope of tasks and activities of data protection officers. This also leads to extended liability, so employees who take on this office have more extensive obligations.
In some cases, companies may be required to appoint internal data protection officers. In Germany, this is always the case if at least 20 persons are permanently entrusted with the automated processing of personal data.
In addition, the following cases make an internal data protection officer necessary (Art. 37 GDPR):
Accordingly, whether a data protection officer is required depends on the core activity and the scope of the processing. In addition, the data are divided into different categories (Art. 9 GDPR).
The question of the cost of a data protection officer understandably comes up more and more often. In particular, small and medium-sized companies usually have to get by on a manageable budget to meet the legal requirements.
In the case of in-house data protection officers, the costs depend on their previous salaries. A salary increase may make sense if employees take on additional tasks. In this case, however, you may have to adjust or extend the employment contract accordingly. In addition, the internal solution may incur additional costs for training and further education, as well as the working time spent on the new tasks, which is then no longer available for other work.
In the case of external data privacy officers, the fee depends on their personal knowledge, specific qualifications, time commitment, and the company’s requirements for the service. The costs can also vary depending on market demand.
The external solution enables better cost calculation, as only monthly costs accrue for external data protection officers. There are no additional, less transparent costs, for example, for further training or operational restructuring.
In principle, any person may assume an activity as a data protection officer if they have the necessary professional qualifications, expertise in data protection law, and the ability to perform the tasks of a data protection officer (Art. 37(5) GDPR).
This is usually the case with external data protection officers with practical experience. On the other hand, it gets more complex with internal data protection officers. They must be sufficiently trained in data protection law and practice to have the necessary expertise. It must also be ensured that they are not subject to any conflict of interest and have the authority to perform their duties (e.g., access to necessary data and platforms).
Our tip: When appointing an internal data protection officer, consider the criteria listed and the existing prior knowledge of your employees.
If you have appointed an internal or external data protection officer, submit the information to your competent supervisory authority and publish it on your website.
In principle, data protection officers act on behalf of your company and advise it on compliance with data protection regulations. If these are not complied with, the damaged persons can take action against your company. In some exceptional cases, the damaged persons – or even you as a company – can take action against the data protection officer.
Data protection officers are liable to the company for damages primarily if they provide the company with incorrect advice or fail to comply with their duties of educating and informing the company, thereby causing a fine by the supervisory authority.
Our tip: If you don’t want to expose your employees to this risk, you can agree on a so-called release of liability with your data protection officer. Such an agreement excludes the employee’s personal liability, so that only the company’s liability remains. Otherwise, internal data privacy officers would be exposed to risk, which can make the position in your company very unattractive.
External data privacy officers do not enter into an employment relationship with your company, so no permanent position is required. The advantage here is that you bear little responsibility concerning the external data privacy officer.
There is a higher level of responsibility toward internal data protection officers. Internal data protection officers work within your company and usually take on the position of data protection officer in addition to their actual job. The limited liability protects the employees in your company:
The burden of proof can also be problematic. If an internal error occurs, your company bears the burden of proof to establish fault. Specifically, in court proceedings you must prove that the act was committed with gross negligence or intent in order to exclude liability on your part.
Do you have open questions on this topic? Our legally trained staff will be happy to advise you comprehensively on all questions of data protection law. Don’t hesitate to get in touch with us at any time.
Certain positions in companies enjoy special protection against termination – including the role of the internal data protection officer. This means that the data protection officer cannot be effectively terminated unless there is good cause for the termination (§ 6 Abs. 4 GDPR).
If you issue an ordinary notice of termination, you must give sufficient reasons for it. This procedure protects data protection officers from being dismissed or disadvantaged if they perform their duties in a way that displeases the company.
This special protection against dismissal continues for one year even if the data privacy officers resign from office. Ordinary termination therefore continues to require good cause for one year after resignation.
The situation is different for external data privacy officers. Because they do not have an employment relationship with your company, external data privacy officers are fully liable to the injured party, even in the case of slight negligence. The injured party can be a third party (e.g., customers) or you as a company.
Of course, a limitation of liability can be agreed upon between you and the external data privacy officers. Many external data protection officers offer a liability disclaimer for the company as part of their services. The exact liability standards can usually be found in the general terms and conditions or contracts or negotiated with the provider. Usually, the professional liability insurance of the data privacy officer will assume liability if they have provided you with inadequate or incorrect advice.
Another advantage of external data privacy officers is the avoidance of conflicts of interest. Because they are external service providers, you as a company can terminate their contracts at any time and have no disputes or labor law conflicts within your company.
Companies with internal data protection officers are liable, in whole or in part, for all damage caused by their employees due to slight or normal negligence. They are also liable if they cannot prove that the internal data protection officer themselves is liable (e.g., in the case of gross negligence or intent).
In the case of external data protection officers, the decisive factor is the liability provisions in their service contracts. Everything can be stipulated here, from a limitation of liability to a complete exemption from liability. A release from liability in favor of companies is the most attractive for them and is therefore agreed upon in most cases.
Companies must also ensure that all data protection guidelines, particularly the GDPR, are complied with. If no data protection officer is appointed, although this is mandatory for your company, you will face sanctions and heavy fines.
Conflicts of interest must also be avoided. If, for example, the management appoints itself as a data protection officer or a tax advisor becomes active here, this appointment is invalid.
Although data protection officers provide advice and monitor data protection for your company, they are not required to implement data protection regulations themselves. This task falls to the company itself.
Therefore, data protection officers cannot easily be held criminally liable for violations of data protection rules. But criminal liability for aiding and abetting data privacy violations is undoubtedly possible, e.g., if a violation is deliberately not prevented or reported.
As is true for all employees, data privacy officers must work carefully and conscientiously to protect themselves against potential claims for damages. In addition, they should always document their work to be able to present evidence of the work performed in case of doubt. This is possible by documenting activities in the Priverion platform.
Regular training courses should also be attended to keep one’s expertise and specialist knowledge up to date. Therefore, offer the opportunity to regularly participate in professional events and training courses.
If data protection officers become aware of violations of data protection law, they should, in case of doubt, consult the supervisory authority. The reasoning behind this decision should also be documented so that any claims raised by the company can be countered. The DPO should first discuss all steps with the respective company before reporting the case.
Since the GDPR holds out the prospect of turnover-related fines in the millions for violations, even limited liability can already have far-reaching financial consequences. In addition, there are non-material claims for damages by the persons affected.
To protect your employees, you can agree on a liability release. It is also possible to take out professional liability insurance. The respective companies may cover these costs.
It is always important to remember that conscientious and dutiful work is essential, even with a liability release or insurance, because none of them applies in the case of intent or gross negligence.
The tasks and duties of data protection officers have expanded considerably in the context of the GDPR. This leads not only to an increased workload but also to greater liability risk.
Many companies prefer to appoint internal data protection officers rather than leave this task to external service providers. It is understandable that many companies trust their employees more than external service providers. After all, internal people are already integrated into the workflow and know the structures and processes within the company.
But this can also make it easier for them to overlook existing problems within the company. Potential conflicts of interest must also not be underestimated or ignored.
Remember: if you employ an internal data protection officer, you are exposing your company, as well as your staff, to legal risk. It takes time and incurs costs to professionally train and develop internal employees so that they can properly and reliably perform their new activities.
The time invested in introduction and training cannot be spent on any other activity in the company. The lack of practical experience in this field may result in the process being more inefficient than when an external data protection officer is employed.
An external expert for data protection is usually specially trained, has a neutral position, and often draws on years of experience in data protection law. In addition, they are not subject to any limitation of liability, so you are better protected against claims for damages.
Despite possibly slightly higher costs for external data protection officers, relying on external support may make more economic sense due to the risk reduction achieved. This is especially true because cost comparisons often fail to include all the costs of the company’s internal employee (training, ancillary wage costs, protection against dismissal).