If a person is appointed as data protection officer, this means that they must take on legally defined data protection tasks for the appointing company. These tasks are in particular:

1. Advising the company and its employees on existing data protection obligations
2. Working towards compliance with data protection regulations, raising awareness and training employees
3. Advice and review of the data protection impact assessment
4. Contact point for data protection oversight.

A data protection officer must be appointed in the following cases:

1. core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
2. core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10
3. processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

The data protection officer can either be an employee of the company (in which case it is referred to as an “internal data protection officer”) or an external expert, i.e. an external data protection officer, is appointed.

When selecting a data protection officer, care must be taken to ensure that he/she has sufficient legal, technical and organizational qualifications. Furthermore, the data protection officer must not have a conflict of interest with other activities that he/she performs in the company. A conflict of interest exists in particular if the person can make decisions regarding the existence or organization of data processing, as is regularly the case with managers. The task of the data protection officer is not to assume organizational responsibility for data processing, but rather to ensure that it is carried out in accordance with the relevant data protection laws.