
Germany to adjust data protection officer exemption

Out-Law News | 04 Sep 2019 | 10:19 am

Fewer small businesses in Germany will be required to appoint a data protection officer (DPO) under plans outlined by the government.

According to the plans published by the Federal Ministry of Economics and Energy (Bundesministerium für Wirtschaft und Energie), businesses will generally not need to appoint a DPO where fewer than 50 of their employees are involved in automated processing of personal data. The current threshold is 20 employees.

However, data protection law expert Christina Kirichenko of Pinsent Masons, the law firm behind Out-Law, explained that not all SMEs with fewer than 50 employees involved in such data processing would be eligible for the new DPO exemption.

"The obligation to appoint a DPO arises in a variety of cases under German data protection law, regardless of the number of people who are employed in an organisation carrying out data processing activities," Kirichenko said. "This includes for data processing activities that are subject to data protection impact assessments, for example large-scale processing activities, or where they commercially process personal data for the purpose of transfer, of anonymised transfer or for the purposes of market research."

"So, the loosening of the existing '20 employee' exemption would rather apply to SMEs that do not focus on data processing. In their case, it is likely that SMEs receive fewer data protection queries and issues with day-to-day compliance, such as having to deal with data subject access requests, than data-heavy businesses," she said.

The Federal Ministry of Economics and Energy's proposal to raise the '20 employee' threshold to 50 was set out in a new policy paper designed to support Germany's large number of SMEs.

In its paper, the department acknowledged that some SMEs view the General Data Protection Regulation (GDPR) as a "bureaucratic burden". In addition to its plans to increase the '20 employee' DPO exemption threshold to 50, the ministry said it would pursue a Europe-wide revision to data protection laws to better serve medium-sized companies' interests.

The '20 employee' DPO exemption threshold was only set in June. New data protection laws introduced in Germany in 2017, ahead of the GDPR taking effect, required every business with 10 or more employees that permanently processed personal data to appoint a DPO.

Kirichenko of Pinsent Masons said federal and state data protection authorities in Germany had expressed mixed views on the move to increase the '10 employee' threshold to 20. Loosening the exemption further will not lighten the underlying obligations SMEs have under the GDPR, but it could prompt them to procure compliance tools available on the market rather than appoint a DPO, Kirichenko said.

"Criticism that the loosening of the DPO appointment obligation will lead to a fall in data protection standards within the SME community is unfounded," Kirichenko said. "As the data protection authority of Baden-Württemberg rightly pointed out, the threat of considerable fines is the most effective means to prevent GDPR violations. Raising the threshold for obligatory DPO appointments does not mean that SMEs falling below the threshold can avoid the GDPR rules. Instead, SMEs that fall below the planned threshold will have an opportunity to choose from various GDPR compliance tools and services available on the market, ones that would best fit SMEs' individual needs."

"The enhanced competition between such tools as well as an opportunity to combine in-house solutions with outsourcing may well result in reducing GDPR compliance costs for SMEs," she said.

The GDPR sets out the circumstances in which organisations are obliged to appoint DPOs, and further provides scope for each EU country to specify other circumstances in which a DPO would need to be designated. 

The GDPR is also explicit about the duties DPOs are required to perform and it also sets out conditions on the way in which DPOs should be allowed to perform them.