Legal bases: Germany
Chapter III

Data protection officer, supervisory authority

Section 36
Appointment of a data protection officer

(1) Private bodies which process personal data automatically and regularly employ at least five permanent employees for this purpose shall appoint in writing a data protection officer within one month of the commencement of their activities. The same shall apply where personal data are processed by other means and at least 20 persons are permanently employed for this purpose.

(2) Only persons who possess the specialized knowledge and demonstrate the reliability necessary for the performance of the duties concerned may be appointed data protection officer.

(3) The data protection officer shall be directly subordinate to the owner, managing board, managing director or other lawfully or constitutionally appointed manager. He shall be free to use his specialized knowledge in the area of data protection at his own discretion. He shall suffer no disadvantage through the performance of his duties. The appointment of a data protection officer may only be revoked at the request of the supervisory authority or by section 626 of the Civil Code being applied mutatis mutandis.

(4) The data protection officer shall be bound to maintain secrecy on the identity of the data subject and on circumstances permitting conclusions to be drawn about the data subject, unless he is released from this obligation by the data subject.

(5) The private body shall support the data protection officer in the performance of his duties and in particular, to the extent needed for such performance, make available assistants as well as premises, furnishings, equipment and other resources.

Section 37
Duties of the data protection officer

(1) The data protection officer shall be responsible for ensuring that this Act and other provisions concerning data protection are observed. For this purpose he may apply to the supervisory authority in cases of doubt. In particular he shall

1. monitor the proper use of data processing programs with the aid of which personal data are to be processed; for this purpose he shall be informed in good time of projects for automatic processing of personal data;

2. take suitable steps to familiarize the persons employed in the processing of personal data with the provisions of this Act and other provisions concerning data protection, with particular reference to the situation prevailing in this area and the special data protection requirements arising therefrom;

3. assist and advise in the selection of persons to be employed in the processing of personal data.

(2) The data protection officer shall receive from the private body a list on

1. data processing systems used,

2. designation and type of data files,

3. type of data stored,

4. business purposes the fulfilment of which necessitate a knowledge of these data,

5. their regular recipients,

6. groups of persons entitled to access or persons exclusively entitled to access.

(3) Paragraph 2, Nos. 2 to 6 above shall not apply to data files which are kept only temporarily and are erased within three months of being set up.

Section 38
Supervisory authority

(1) The supervisory authority shall check in a particular case that this Act and other data protection provisions governing the processing or use of personal data in or from data files are observed if it possesses sufficient indications that any such provision has been violated by private bodies, especially if the data subject himself submits evidence to this effect.

(2) If personal data are in the normal course of business

1. stored for the purpose of communication,

2. stored for the purpose of depersonalized communication or

3. processed by service enterprises commissioned to do so, the supervisory authority shall monitor observance of this Act or other data protection provisions governing the processing or use of personal data in or from data files. The supervisory authority shall keep a register in accordance with section 32 (2) of this Act. The register shall be open to inspection by any person.

(3) The bodies subject to monitoring and the persons responsible for their management shall provide the supervisory authority on request and without delay with the information necessary for the performance of its duties. A person obliged to provide information may refuse to do so where he would expose himself or one of the persons designated in section 383 (1), Nos. 1 to 3, of the Code of Civil Procedure to the danger of criminal prosecution or of proceedings under the Administrative Offences Act. This shall be pointed out to the person obliged to provide information.

(4) The persons appointed by the supervisory authority to exercise monitoring shall be authorized, in so far as necessary for the performance of the duties of the supervisory authority, to enter the property and premises of the body during business hours and to carry out checks and inspections there.

They may inspect business documents, especially the list under section 37 (2) of this Act as well as the stored personal data and the data processing programs. Section 24 (6) of this Act shall apply mutatis mutandis. The person obliged to provide information shall permit such measures.

(5) To guarantee data protection under this Act and other data protection provisions governing the processing or use of personal data in or from data files, the supervisory authority may instruct that, within the scope of the requirements set out in section 9 of this Act, measures be taken to rectify technical or organizational irregularities discovered. In the event of grave irregularities of this kind, especially where they are connected with a specific impairment of privacy, the supervisory authority may prohibit the use of particular procedures if the irregularities are not rectified within a reasonable period contrary to the instruction pursuant to the first sentence above and despite the imposition of a fine. The supervisory authority may demand the dismissal of the data protection officer if he does not possess the specialized knowledge and demonstrate the reliability necessary for the performance of his duties.

(6) The Land governments or the bodies authorized by them shall designate the supervisory authorities responsible for monitoring the implementation of data protection within the area of application of this Part.

(7) The Industrial Code shall continue to apply to commercial firms subject to the provisions of this Part.