EU: Will there be a Europe-wide obligation to appoint Data Protection Officers?
Category: NachrichtenBy: M. Schröder - 2B Advice GmbH - the privacy benchmark
Previous publications issued by the European Commission and the European Data Protection Supervisor as part of the revision of Directive 95/46/EC indicate that companies across Europe may be required to appoint a Data Protection Officer for the company in the future.
Both the Commission and the European Data Protection Officer believe this issue requires harmonization. In their national legislation dealing with data protection, Member States have made provision for widely diverging regulations regarding the obligation to appoint a Data Protection Officer. An obligation to make an appointment already exists in some countries, provided specific conditions have been fulfilled. In other countries, companies are permitted to appoint a Data Protection Officer. As a rule, an appointment involves the partial exemption from reporting obligations to the regulators, resulting in the lessening of the burden on both the companies and the regulators.
The extent to which the regulations in the Member States differ from each other is reflected in a comparison between France and Germany: While an obligation to appoint a Data Protection Officer exists within Germany under § 4f of the German Data Protection Act, as soon as the company employs more than nine persons continually entrusted with automated processing of personal data, no general obligation to make an appointment exists in France.
In France, a Data Protection Officer can be appointed. As Article 44 of Decree No 2005-1309 in France provides, the Data Protection Officer of a company employing more than 50 persons in automated processing, may only act on behalf of this one company – in comparison to Germany where there is no such limit.
Consequently, the Commission intends to investigate whether the appointment of a Data Protection Officer should be organized compulsorily, the limits that should apply in order not to burden companies and the regulations to be taken regarding the tasks and competence of the Data Protection Officer(2.2.4 Commission’s Communication). The European Data Protection Officer clearly advocates an obligation to make an appointment within certain limits (§ 105. EDPS’s Opinion)
What do you think? How should the future European data protection law address the obligation to make an appointment? If you are a member of XING, join in the discussion at:
https://www.xing.com/net/pric17630x/dataprotection-eu/
Sources:
www.cnil.fr/english/official-texts/
ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
(1221 times viewed)
Konzern-Datenschutzbeauftragte