Since the GDPR came into force, companies that process personal data have a number of obligations. In addition to taking technical and organizational measures to ensure the security of data processing (Art. 32 GDPR), those responsible must appoint a data protection officer (DSB) under the conditions of Art. 37 GDPR.
This is the case, for example, if the data processing is carried out by an authority or another public body or if the core activity of the person responsible or his processor consists of processing operations which, due to their nature, scope or purpose, require extensive regular and systematic monitoring required by data subjects.
Furthermore, the appointment of a DPO is required if the main activity of the person responsible or his processor is the processing of personal data of the special category (Art. 9 GDPR).
As clear as this legally regulated obligation to designate appears at first glance, difficulties arise in individual cases when it comes to the question of who is responsible in this sense or whether companies are even to be regarded as an “authority” due to the tasks assigned to them and therefore the obligation to appoint as described above Applies.
Difficulties in delimitation arise, for example, with so-called «loaned persons». These are professional groups that are organized under private law and offer craft and commercial services on the free market and at the same time, as entrusted, perform sovereign tasks for the state. Due to the obligation to appoint, it is therefore questionable whether these borrowers who, for example, the chimney sweep or workshops carry out vehicle suitability tests so that they have a dual nature, have to be classified as “authorities”.
The Independent Data Protection Center of Saarland has commented on this. In his opinion, certain activities are still reserved for the authorized district chimney sweeps, who act as “leased persons”. The reason for this is the Chimney Sweep Crafts Act, which assigns responsibility for certain activities to these borrowers. Therefore, district chimney sweeps are to be regarded as responsible within the meaning of Art. 4 No. 7 GDPR as part of this assigned task, since they decide on the purpose and means of data processing of personal data. In addition, it therefore meets the obligation from Art. 37 Paragraph 1 lit. a GDPR to appoint a data protection officer who has to perform the duties and tasks of Art. 38 ff. GDPR.
In addition to the chimney sweep, the same problem arises with vehicle workshops that carry out an operational suitability test such as the TüV.
Because according to the Road Traffic Licensing Regulations (StVZO, No. 1.1 Annex VIII c), they are recognized “AU workshops” which, in addition to the usual work services, offer exhaust emissions tests, which in turn do an independent part of the rest of the work by a recognized test engineer such as TüV , Dekra, GTÜ or KÜS – general inspection (HU) carried out (Annex VIII StVZO No. 3.1.1.1).
Here, too, these bodies act as entrusted to the state when they perform their statutory sovereign tasks, so that the appointment obligation of Article 37 (1) (a) GDPR also applies here.
The Independent Data Protection Center of Saarland has seen and taken into account that this appointment obligation is associated with a not inconsiderable organizational and financial effort, especially for smaller companies – regardless of whether an in-house DPO is set up or an external DPO is commissioned to perform the duties that this partial examination is only a subordinate part of the total (test) work that has to be carried out. The appointment of a joint DPO, for example by the respective professional guilds, as made possible by Art. 37 Paragraph 3 GDPR, should be a possible solution to remedy this problem.
Although there is ultimately no way around the appointment obligation, a joint DPO could prevail in practice. The future will have to show this.
Marc E. Evers
Lawyer
cert. Data protection officer
cert. Data protection auditor
–