On June 28, 2019, the German parliament (Bundestag) passed new legislation making several changes to the current German Federal Data Protection Act ("BDSG"). Although many of the changes address privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by raising the threshold for designating a Data Protection Officer ("DPO"). Whereas companies currently have to designate a DPO if they, as a rule, employ at least 10 employees who deal with the automated processing of personal data, the new legislation raises the minimum number of such employees from 10 to 20, significantly reducing the financial and administrative burden for small companies doing business in Germany. This article explains the changes, their impact, and what companies should do.
Regulatory background and current situation
The General Data Protection Regulation ("GDPR") imposes extensive requirements and minimum standards on the position of DPOs, but requires only a few companies to formally designate one. Companies have to designate a DPO only where the core activities of the company (acting as controller or processor) consist of
processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or processing special categories of personal data, or personal data relating to criminal convictions and offenses, on a large scale. However, an opening clause in the GDPR gives Member States discretion to require a broader range of companies to designate DPOs.
In Germany, consistent with the German data protection requirements that existed before the GDPR, the BDSG primarily sets DPO designation requirements based on the number of employees who deal with the automated processing of personal data. Currently, companies have to designate a DPO if they, as a rule, employ at least 10 employees who deal with the automated processing of personal data. Although it is not the total headcount that counts but the number of employees involved in data processing, with the digital transformation these two numbers may be (close to) equal for many companies. The new legislation relaxes this requirement, applying it only to companies that, as a rule, employ at least 20 employees dealing with the automated processing of personal data. In effect, many small companies may no longer be required to formally designate a DPO. Indeed, about 80% of the companies in...