Data protection law

Obligation to appoint a data protection officer

The obligation to appoint a data protection officer exists in any case if there are 10 employees in your company who are constantly dealing with the automated processing of personal data. These 10 persons also include trainees, so-called “freelancers”, etc. It is true that the terms “constantly engaged in automated processing” are open to interpretation. In today’s working reality, this should at least be assumed for anyone who uses a computer in the company.

Then there are some other groups of cases. Especially if you regularly process special categories of personal data – regardless of the number of persons mentioned above – you need a data protection officer. This concerns sensitive data, such as data concerning health, sexual self-determination, trade union membership, etc.

Of course, you are free to appoint a data protection officer independently of the above-mentioned obligations.

 Other obligations under the DSGVO/BDSG New

Irrespective of the appointment of a data protection officer, most companies must provide the following:

• Written commitment of employees to data protection law
• Securing technical and organisational measures for the protection of data (TOM)
• creation of an internal and external directory of processing activities (this regulates in particular which data you collect and where you store them)
• Contract with an order data processor, if you have data distributed by external companies
• Data protection and transparency declaration on your website
• consent for data processing that is not permitted without express consent

 Cookies and tracking procedures

Very often we are consulted about the legal position of cookies and tracking procedures (e.g. “Google AdWords”, “Facebook Pixel”). The question arises as to whether an explicit declaration of consent will be required for this in the future or whether the practice hitherto followed in Germany is sufficient. This question has unfortunately not yet been clarified. The new provision of Article 6 (1) (f) of the DSGVO could be relevant, but is formulated very vaguely and, in the absence of case law, it is not yet clear whether it will allow the use of cookies without express consent. In addition, the European Parliament has adopted the so-called ePrivacy Regulation, which stipulates that cookies may not be used in future without an explicit declaration of consent. However, this regulation has not yet been adopted by the European Council, and it is currently also not certain whether or with what amendments this will be done.

At the present time, we therefore believe that there are two options for those who want to use cookies and other tracking methods. Either this is only done with explicit consent – the safe way. Or one remains with the current German handling until either case law on the DSGVO exists or the ePrivacy Regulation has been ratified. However, we must point out that other EU countries already have stricter regulations than those in Germany, so that under certain circumstances, depending on who the website is aimed at, a distinction would have to be made here.