1

ExpertOpinion

onamendmentstothestatusoftheDataProtectionOfficerduetotheGeneralDataProtectionRegulation

onbehalfofthe

BerufsverbandsderDatenschutzbeauftragtenDeutschlands(BvD)e.V.[ProfessionalAssociationofDataProtectionOfficersofGermany(BvD)e.V.]BudapesterStrasse3110787Berlin

compiledby

Derra,Meyer&PartnerRechtsanwältePartGmbB

incooperationwiththelawyers

StefanEßerKonradMenzProf.Dr.jur.JürgenMeyerChristianeSchrader-KurzNilsSteffen

www.derra.eu

DERRA,MEYER&PARTNERRechtsanwältePartGmbB

2

Foreword

The following expert opinion (hereinafter referred to as "expert opinion") is based on theframework conditions thatweredefinedwhen theexpertopinionwas commissionedon27February2017.Inseveraldiscussionswiththeclient,thecontentoftheseconditionshasbeensupplementedwithregardtothestructureoftheexpertopinion.

Inaccordancewiththetaskcommissioned,theauthorsoftheexpertopiniononlyansweredthequestionsposedbytheBerufsverbandderDatenschutzbeauftragtenDeutschlands(BvD)e.V. [Professional Association of Data Protection Officers of Germany]. Therefore,consequential considerations directly or indirectly connectedwith thequestionswerenotaddressed.

ThecompilationisbasedontheGeneralDataProtectionRegulationwhichenteredintoforceon 25 May 2016 and is directly applicable from 25 May 2018 and the Data ProtectionAdaptation and Implementation Act (DSAnpUG-EU; hereinafter referred to as "AdaptationAct")passedbytheFederalCouncil(andpreviouslybytheBundestag[Germanparliament])on12 May 2017. Article 1 of the Adaptation Act (AnpassungsG) passed a new Federal DataProtection Act (BDSG) (hereinafter referred to as “BDSG-new”), even though the EUCommission had criticised the previous draft of the EU Adaptation Act (DSAnpUG-EU). TheBDSG-new will enter into force on 25 May 2018 after it has been signed by the FederalPresidentandpublishedintheFederalLawGazette.

TheFederalDataProtectionActinitscurrentversionisabbreviatedinthisexpertopinionto“BDSG”withoutanyaddition.

Thisexpertopinionisbasedonthelegalsituationasof30June2017aswellasthecaselawandliteraturepublisheduptothisdate.Achangeinthelegalsituationorjudicialrulingsmaynecessitate a different assessment in the future. Literature on the new developments andchanges associated with the General Data Protection Regulation is only just beginning toemergetoacertainextentandthelegalissuesraisedinthisexpertopinionmustbeexaminedinadifferentiatedmanner.Aconclusiveandall-encompassinganswer to the legalquestionscontainedinthisexpertopinioncannotthereforebeguaranteed.

Theexpertopinionrefersexclusivelytodataprotectionofficersinthenon-publicsector.Inthefollowing,theterm"dataprotectionofficer"isconsideredgenderneutral.Themalepronounisusedthroughoutintheinterestsofeasierreadability.

Onthesepremises,thestructuralorganisationofthisexpertopinionispresentedasfollows:

- Tableofcontents- Bibliography- Practice-orientedsummaryofkeyfindings- Detailedansweringofthedefinedquestions- Appendixes(recommendationsforaction,sampleappointmentcertificate(old),sample

consultancyagreement(old)

3

TABLEOFCONTENTS

Foreword 2

Tableofcontents 3

Bibliography 7

Summaryofkeyfindings 10

Expertopinion

1. StatusofthedataprotectionofficerintheGDPRfromalabourlawperspective 111.1 Labourlawevaluationofoldcasesinrelationtointernaldataprotectionofficers 11

1.1.1 Question:"DoesanappointmentmadebeforetheGDPRenteredintoforceautomaticallyendwhentheGDPRbecomeseffective?” 12

1.1.2 Question:"DoesemploymentthatwasinplacebeforetheGDPRcameintoforceautomaticallyendwhentheGDPRbecomeseffective?” 14

1.1.3 Question:"DoestheexistingprotectionagainstdismissalforoldcasespursuanttotheBDSGcontinuetoexistundertheGDPRordoonlythenewprovisionsoftheGDPRapply?“ 15

1.1.3.1 Question: "Can it be assumed that the old BDSG regulationhas been "incorporated" into the contract when anappointmentismadeduringthevalidityoftheBDSG,sothattheoldlegalprotectioncontinuestoexistcontractually,eveniftheBDSGregulationisnolongerapplicable.“ 19

1.1.4 Question:"DoestheentryintoforceoftheGDPRprovidegroundsforrevocation”20

1.1.4.1 Question:“...iftheGDPRnolongerrequiresadesignation?“ 20

1.1.4.2 Question:“…eveniftheGDPRimposesadesignationrequirement?“ 23

1.1.5 Question:"DoestheentryintoforceoftheGDPRprovideextraordinaryorordinarygroundsforterminationoftheemploymentrelationship 24

1.1.5.1 Question:“..iftheGDPRnolongerrequiresadesignation?“24

1.1.5.2 Question:“…eveniftheGDPRrequiresadesignation?” 25

4

1.2 ContractualstatusoftheexternaldataprotectionofficerinrelationtoappointmentspriortothedateofapplicabilityoftheGDPR 25

1.2.1 Question:"DoesanappointmentmadebeforetheGDPRenteredintoforceautomaticallyendwhentheGDPRbecomeseffective?”

26

1.2.2 Question:"DoesthecontractingofpersonsbeforetheGDPRenteredintoforceautomaticallyendwhentheGDPRbecomeseffective?

28

1.2.3 Question:"DoestheentryintoforceoftheGDPRconstitutegroundsforrevocation

29

1.2.3.1 Question:...iftheGDPRnolongerrequiresadesignation?“ 29

1.2.3.2 Question:“…eveniftheGDPRrequiresadesignation?”29

1.2.4 Question:"DoestheentryintoforceoftheGDPRprovideextraordinaryorordinarygroundsforterminationoftheemploymentrelationship30

1.2.4.1 Question:“...iftheGDPRnolongerrequiresadesignation?“30

1.2.4.2 Question:“…eveniftheGDPRrequiresadesignation?” 30

1.3 ProtectionoftheappointeddataprotectionofficerpursuanttotheGDPR 31

1.3.0 Forewordto1.3.1:Basicprinciplesofcivilliabilityofthedataprotectionofficer

1.3.0.1 Liabilityofthedataprotectionofficerintheeventofnon-preventionofadataprotectionbreachinthecompany 38

1.3.0.1.1 MonitoringsystemandsystemofactionoftheGDPR

1.3.0.1.2 Legalstatusofthedataprotectionofficer43

1.3.0.1.3 ”Monitoring“ 44

1.3.0.2 Result

1.3.1 Question:"Underwhatconditionscanthedesignatedemployeddataprotectionofficerbeheldliable? 46

1.3.2 Question:“Underwhatconditionscantheexternal(contracted)designateddataprotectionofficerbeheldliable?“ 51

1.3.3 Question:“ThedataprotectionofficeristaskedwithmeetingcompliancewiththeGDPR.Isliabilityconceivableintheeventofsanctionsduetoinsufficientmonitoring?Whataretheconditionsforthis?“ 53

1.3.4 Question:"Couldcontractuallimitationsofliabilityapply?“55

1.4 Annexquestions 561.4.1 Question:"Arethereanydifferencesbetweeninternal(employed)and

external(seesamplecontract)dataprotectionofficers?“ 57

1.4.2 Question:"Areimpliedappointmentspossiblethroughcontinuingtoperformthetask?“ 57

5

2. CriminalstatusofthedataprotectionofficerundertheGDPR

2.1 PreliminaryquestionsontheGDPR 58

2.1.1 Question:“Doesthedataprotectionofficerhaveadutytoinformhimselfofdataprotection-relevantprocesses?“ 58

2.1.2 Question:“Doesthedataprotectionofficerhaveadutytomonitor,orevenensure,theimplementationofhisinstructions/stipulations?”59

2.1.3 Question:“Doesthedataprotectionofficerhaveadutytohaveadataprotectionorganisationforhisactivitiesinadditiontotheonewhichthecompany(cf.Articles5,12,24GDPR)isrequiredtosetup.“ 60

2.2 Criminalliability 60

2.2.1 Question:"Isitpossibleforthedesignateddataprotectionofficertobeheldcriminallyliable?”61

2.2.2 Question:"IsthedesignateddataprotectionofficerliableforpenaltiesimposedbytheGDPR?WhichofhisdutiesarepenaliseddirectlybytheGDPR?“ 64

2.2.3 Question:“Isthedesignateddataprotectionofficersubjecttoageneraldutytopreventinfringementsofdataprotection?“ 67

2.2.4 Question:“Doesthedesignateddataprotectionofficerhaveadutytopreventcertaindataprotectionbreacheswithinthecompany?“68

2.2.5 Question:"Monitoringtasksareoneofthemainobligationsformulatedfordataprotectionofficers.Candirectpenaltiesresultfrominsufficientmonitoringwithinthecompany?“ 68

2.2.6 Question:"Doesthedesignateddataprotectionofficerhaveanobligationtopreventdataprotectionbreacheswithinthecompanyifhepreviouslydrewattentiontotheunlawfulness?“ 69

2.2.7 Question:"Doesitmakeadifferencewhetherthedataprotectionofficerisanemployeeofthecompanyoranexternalserviceprovider?“69

2.3 Delegatedtasks 69

2.3.1 Question:"Wherecriminalliabilityisconcerned,isadistinctionmadebetweenthefundamentaltasksofthedataprotectionofficer,ontheonehand,anddutiesthatareassumedbyvirtueofdelegation,ontheother?”

2.3.2 Question:“Whendoesthedataprotectionofficerincurcriminalliabilityfordelegatedtasks?Isthenatureofthedelegationoftasksrelevantforthispurpose?“ 70

6

Appendix1-Recommendationsforaction

Appendix2–Sampleappointmentcertificate(old-nottobeused)

Appendix3–Sampleconsultancyagreement(old-nottobeused)

7

Bibliography

Albrecht,JanPhilipp;Jotzo,Florian,„DasneueDatenschutzrechtderEU“,publisherNomosVerlagsgesellschaft,2017

Behling,Thorsten,ZIP2017,697-706,„DiedatenschutzrechtlicheCompliance–VerantwortungderGeschäftsleitung"

Bergt,Matthiasin:Kühling,Jürgen(Pub.);Buchner,Benedikt(Pub.),„Datenschutz-Grundverordnung:DS-GVO“,publisherC.H.BeckOHG,2017

Bongers,Frank;Krupna,Karsten,ZD2013,594-599,„HaftungsrisikendesinternenDatenschutzbeauftragten–ZivilrechtlicheHaftung,BußgelderundStrafen".

Eisele,Jörgin:Rotsch,Thomas(Ed.),CriminalCompliance,publisherNomosVerlagsgesellschaft,2015

Ettig,Diana;Bausewein,Christophin:Wybitul,Tim(Pub.),HandbuchEU-Datenschutz-Grundverordnung,FachmedienRechtundWirtschaft,2017

Franzen,Martinin:Müller-Glöge,Rudi(Pub.);Preis,Ulrich(Pub.);Schmidt,Ingrid(Pub.),ErfurterKommentarzumArbeitsrecht,17thEdition,publisherC.H.BeckOHG,2017

Gola,Peter;Brink, Stefan inBoecken,Winfried (ed.);Düwell, Franz Josef (ed.);Diller,Martin(Pub.); Hanau, Hans (Pub.), Gesamtes Arbeitsrecht, Volume 1, publisher NomosVerlagsgesellschaft,2016

Gola,Peter;Klug,Christoph;Körffer,Barbarain:BDSG:BundesdatenschutzgesetzKommentar,12thedition,VerlagC.H.BeckOHG,2015

Gola,Peter;Klug,Christoph,NJW2007,118-122,„NeuregelungenzurBestellungbetrieblicherDatenschutzbeauftragter“

Grüneberg,ChristianinPalandt–BürgerlichesGesetzbuch,76thEdition,publisherC.H.BeckOHG,2017

Hamann,Christian,BB2017,1090-1097,„EuropäischeDatenschutz-Grundverordnung–neueOrganisationspflichtenfürUnternehmen“.

Heberlein,Horstin:Ehmann,Eugen(ed.);Selmayr,Martin(Pub.),DS-GVO-Datenschutz-Grundverordnung,publisherC.H.BeckOHG,2017

Heermann,PeterW.in:Henssler,Martin(Ed.),MünchenerKommentarzumBGB,Volume6,6thEdition,publisherC.H.BeckOHG,2012

Herbst,Tobiasin:Kühling,Jürgen(Pub.);Buchner,Benedikt(Pub.),Datenschutz-Grundverordnung:DS-GVO,publisherC.H.BeckOHG,2017

Hesse,Dirkin:Henssler,Martin(Ed.),MünchenerKommentarzumBGB,Volume6,6thEdition,publisherC.H.BeckOHG,2012

8

Jaspers, Andreas; Reif, Yvette, RDV 2016, 61 - 68, „Der Datenschutzbeauftragte nach derDatenschutz-Grundverordnung:Bestellpflicht,RechtsstellungundAufgaben"

Klug, Christoph, ZD2016, 315 - 319, „DerDatenschutzbeauftragte in der EUMa0gabenderDatenschutzgrundverordnung“

Kort, Michael, ZD 2017, 3 - 6, „Was ändert sich für Datenschutzbeauftragte,Aufsichtsbehörden und Betriebsrat mit der DS-GVO? Die zukünftige Rolle der InstitutionenrundumdenBeschäftigtendatenschutz“.Kühling, Jürgen;Martini,Mario, EuZW2016, 448 - 454, „DieDatenschutz-Grundverordnung:RevolutionoderEvolutionimeuropäischenunddeutschenDatenschutzrecht?“Lepperhoff, Niels; Müthlein, Thomas, Leitfaden zur Datenschutz-Grundverordnung,Datakontext,2017

Marschall, Kevin, ZD 2014, 66 - 71, „Strafrechtliche Haftungsrisiken des betrieblichenDatenschutzbeauftragten?NotwendigeHandlungsempfehlungen“

Marschall, Kevin; Müller, Pinkas, ZD 2016, 415 - 420, „Der Datenschutzbeauftragte imUnternehmen zwischenBDSGundDS-GVO -Bestellung,Rolle,AufgabenundAnforderungenimFokuseuropäischerVeränderungen“Nemitz, Paul in: Ehmann, Eugen (Pub.); Selmayr, Martin (Pub.), DS-GVO - Datenschutz-Grundverordnung,publisherC.H.BeckOHG,2017

Oetker,Hartmutin:Krüger,Wolfgang(Red.),MünchenerKommentarzumBGB,Volume2,6thEdition,publisherC.H.BeckOHG,2016

Paal,BorisP.(Pub.);Pauly,Daniel(Pub.),GeneralDataProtectionRegulation:GDPR,publisherC.H.BeckOHG,2017

Piltz, Carlo, K&R 2016, 709 - 715, "„Die Datenschutz-Grundverordnung – Teil 3: Rechte undPflichtendesVerantwortlichenundAuftragsverarbeiters“.

Roßnagel,Alexander,MMR2015,359-264,„DerAnwendungsvorrangdereIDAS-Verordnung- Welche Regelungen des deutschen Rechts sind weiterhin für elektronische Signaturenanwendbar?“Sachs,Andreas;Kranig,Thomas;Gierschmann,Markus,Datenschutz-CompliancenachderDS-GVO:HandlungshilfefürVerantwortlicheinklusivePrüffragenfürAufsichtsbehörden,publisherBundesanzeigerVerlag,2017

Schantz, Peter, NJW 2016, 1841 - 1847, „Die Datenschutz-Grundverordnung – Beginn einerneuenZeitrechnungimDatenschutzrecht“Schneider, Jochen, Datenschutz nach derDatenschutz-Grundverordnung, publisher C.H. BeckOHG,2017

Simitis,Spiros(Pub.),Bundesdatenschutzgesetz,8thEdition,publisherNomosVerlagsgesellschaft,2014

9

Thode, Jan-Christoph, CR 2016, 714 - 721, „Die neuen Compliance-Pflichten nach derDatenschutz-Grundverordnung“Von dem Bussche, Axel Freiherr in: Plath, Kai-Uwe (Pub.), BDSG DS-GVO: Kommentar zumBDSGund zurDSGVOsowiedenDanteschutzbestimmungendesTMGundTKG,2ndEdition,publisherDr.OttoSchmidt,2016

Wybitul,Tim,CCZ2016,194-198,„WelcheFolgenhatdieEU-Datenschutz-GrundverordnungfürCompliance?“

10

Summaryofthemainfindings:

• Data protection officers appointed under the current Federal Data Protection Act remain inoffice even after the General Data Protection Regulation has come into effect. Theappointmentsremaineffectiveasdesignations;however,asof25May2018,theGeneralDataProtectionRegulationisdirectlyapplicable.

• Nor do the employment contracts of the internal data protection officers automatically end

whentheGeneralDataProtectionRegulationentersintoforce.

• The requirements for the mandatory appointment of a data protection officer and also forprotection against dismissal and discrimination are regulated differently in the General DataProtectionRegulationthaninthecurrentlyapplicableFederalDataProtectionAct,whichwillnolongerbeapplicableoncetheGeneralDataProtectionRegulationbecomeseffective.However,the provisions on protection against dismissal and compulsory appointment will largely beretainedinaformadaptedtotheGeneralDataProtectionRegulationfollowingtheadoptionofBDSG-new.

• Neither the appointment or designation of the external data protection officer nor his

appointment shall endautomatically because this is notprovided forby lawor in the samplecontractsubmitted.

• Thedataprotectionofficerhasnogeneralduty topreventbreachesofdataprotectionwithin

the company. Hemonitors the company's organisational structure under data protection lawandreportshisfindingstoseniormanagement.Theintensityofhisreportingmustfollowarisk-basedapproach.Activeinterventiontoeliminateorpreventindividualinfringements,however,isnottheresponsibilityofthedataprotectionofficerintheabsenceofappropriateauthoritytoissuedirectives.

• The external data protection officer is not liable for every breach of data protection in the

company.Inaccordancewithgeneralprinciplesofcivillaw,heisliableforculpablebreachesofanobligationwithoutbenefitting from liabilityprivileges - as is the casewithan internaldataprotectionofficer.

• Thereisnodirectresponsibilityundersanctionslawforthedataprotectionofficerpursuantto

Article 83 GDPR. A responsibility of this nature also does not result from an affirmativeobligation in the context of an assignment (differently than for the Compliance Officer),providedthathistasksareorientatedalongthelinesoftheoriginalspecificationsoftheGeneralDataProtectionRegulation.However,anaffirmativeobligationmayariseifthedataprotectionofficerisdelegatedfurtherdutiesandpowers.

11

1. StatusofthedataprotectionofficerpursuanttotheGDPRfromthepointofviewoflabourlaw

Explanationofthequestioner:"Inthecaseofinternaldataprotectionofficers,adistinctionmay have to be made between the employment relationship and the appointment ascompanydataprotectionofficer.Itshouldalsobeborneinmindthatinternaldataprotectionofficers - i.e. salaried employees - often spend only part of their working time on theiractivities as data protection officers and, in addition, perform (mainly) other tasks in thecompanythansalariedemployees".

1.1 Labourlawevaluationofoldcasesinrelationtotheinternaldataprotectionofficer

In the course of preparing this expert opinion, we first examined what consequences theentryintoforceoftheGeneralDataProtectionRegulation(GDPR)willhaveforinternaldataprotection officers already appointed at the time of its entry into force. Internal dataprotection officers are those data protection officers who are employed by a company.According to the settled case law of the Federal Labour Court, they are generally to beregarded as employees.1 The company data protection officer is a core element of theGeneralDataProtectionRegulation.2

Furthermore, in accordance with the provisions of the currently applicable Federal DataProtection Act (BDSG) and also in accordance with the provisions of the General DataProtectionRegulationandtheDSAnpUG-EUpassedbytheBundesrat[upperhouseofFederalparliament] (and previously by the Bundestag [Federal parliament]) on 12 May 2017, adistinctionmustbemadebetweenthebasicrelationshipandtheappointmentrelationshipintheactivitiesofthedataprotectionofficer.TheAdaptationActpassedtheBDSG-new,whichwill replace the BDSG and contain the relevant national regulations on data protectionofficers.Theunilateralappointmentofadataprotectionofficermustbeseparatedfromthecontractual basis on the basis of which the data protection officer is obligated by law toassumethetaskofdataprotectionofficer.Inthecaseofanemployee,thebasicrelationshipisusuallyanemploymentrelationship.Iftheemployeeagreestohisappointment,therightsandobligationsundertheemploymentcontractexpandwiththeappointmentfortheperiodforwhichheisappointed.Nevertheless,adistinctionmustbemadebetweenthetwolegalrelationships.3

TheGeneral Data Protection Regulation entered into force on 25May 2016, the 20th dayafter its publication in the Official Journal of the European Union (Article 99(1) GDPR).However, it only applies after 2 years havepassed since it entered into force, i.e. from25May 2018 (Article 99(2) GDPR). The comments in this expert opinion concern the legalsituationwithregardtotheGeneralDataProtectionRegulationasofthedateofapplicabilityoftheGeneralDataProtectionRegulation.

1FranzeninErfurterKommentarzumArbeitsrecht[Erfurtcommentaryonlabourlaw],17thedition2017,Article4fBDSG,marginal82HeberleininEhmann/Selmayr,Datenschutz-Grundverordnung[GeneralDataProtectionRegulation],2017,Article37marginal13soalreadyBAG,rulingdated13March2007-9AZR612/05

12

1.1.1 Question:"DoesanappointmentmadebeforetheentryintoforceoftheGeneralDataProtectionRegulationautomaticallyendwiththeentryintoforceoftheGeneralDataProtectionRegulation?

TheGeneral Data Protection Regulation also places the legal entity of the data protectionofficer,whichhassofarfoundits legalbasis inArticle4fBDSG,onanewlegalbasis.Withthe General Data Protection Regulation, the European legislator has adapted the dataprotectionofficer,whohasbeenmainlyknowninGermanytodate,anddecidedthatadataprotectionofficermustbeappointedundertheconditionsofArticle37(1)GDPR.AccordingtotherecitalstotheRegulation,'thecontrollerorprocessorshouldbeassistedinmonitoringinternalcompliancewiththeprovisionsofthisRegulationbyanotherpersonwithexpertiseinthefieldofdataprotectionlawandprocedures.'4

According to Article 288(2) sentence 1 of the Treaty on the Functioning of the EuropeanUnion(TFEU),anEUregulationhasgeneralvalidity.Thismeansthat it isdirectlyapplicableandhasdirectlegaleffects.PursuanttoArticle288(2)sentence2TFEU,itisbindinginallitspartswithouttheneedforanationalactoftranspositionineachMemberState.AEuropeanregulationisthereforedirectlybindingonUnioncitizensandpublicauthorities.5

IfthereisacontradictionbetweenthenationallawsoftheindividualmemberstatesandtheprovisionsofanEUregulation,theEUregulationtakesprecedence.Therespectivenationallawsarenot ineffective.However, theEU regulation is appliedasamatterofpriority. Thenational regulation that contradicts it - for example a German law - may not be applied.Applicationprecedenceisan"unwrittennormofprimaryUnionlaw."6

AgainstthebackgroundofthesignificanceandregulatoryeffectofanEUregulationoutlinedabove, it must therefore be examined whether the entry into force of the General DataProtection Regulation will lead to the legal concept of the data protection officer beingplaced on a new basis in such a way that, from the entry into force of the General DataProtectionRegulation,allofficesofdataprotectionofficersappointedonthebasisofArticle4fBDSGwillhavetoend.Ifnecessary,theofficesofdataprotectionofficerscouldalsoendforonly a so-called "legal second"and then "resume"under the conditionsof theGeneralDataProtectionRegulationandtheBDSG-new.

The legal classification of the appointment of the data protection officer is essential foransweringthequestion.TheFederalDataProtectionActhasalwaysusedtheterm"appoint"(“Bestellung”)todesignateadataprotectionofficer inacompanyorenterprise.TheBDSG-new, on the other hand, in Article 5(1) and Article 38(1) respectively, speaks of the"designation" (“Benennung”) of thedata protectionofficer. In this respect, its terminologycorrespondstothatoftheGeneralDataProtectionRegulation,whichalsodoesnotrefertotheappointmentbut to thedesignationof thedataprotectionofficer (Article37(1)GDPR).Despitethedifferentterms,however,itcanbeassumedthattheterm"designation"under

4Recital97toRegulationEU2016/6795Roßnagel,MMR2015,3596Roßnagel,loc.cit.;BVerfG,rulingof22.10.1986-2BvR197/83

13

European lawcorresponds to the term"appointment"previouslyused inGermany. Inanycase,thejurisprudenceandliteratureconsultedbytheauthorsofthisexpertopiniondonotcontainanyopinionthatshouldbeunderstoodasmeaningthatthedesignationofthedataprotectionofficerconstitutesadifferentlegalactfromthehithertocustomaryappointment.Onthecontrary,asarulethereisnodifferentiationbetweenthetwoterms.Bothtermsareoftenusedcongruently.7

As an interim result, it should therefore be noted that the amended terminology of theGeneralDataProtectionRegulationandtheBDSG-newdoesnotmeanthatanappointmentas such should no longer be valid on the basis of the directly applicable General DataProtectionRegulation.

In the opinion of the authors of this expert opinion, the change in the legal basis for theappointment/designation of the data protection officer should not result in an automatictermination of the appointments made under the currently applicable Federal DataProtectionAct.This issupported inparticularbythefactthattheautomaticterminationoftheofficeofDataProtectionOfficerissofarcompletelyunknown.Evenintheeventthatthestatutory requirementof a compulsoryappointment is abolished, the relevant literature inthis respectassumes that there isonlyone reason for thedismissalof thedataprotectionofficer,butnotaterminationofofficebyoperationoflaw.EvenundertheapplicationoftheBDSG, an explicit revocation was required both to clarify the labour law situation and toclarify the status of the data protection officer. Such a declaration by the employermightalso be necessary in the future, because a "voluntary" appointment/designation of a dataprotectionofficerisalwayspossible.8Thisassessmentisnotchangedbythecase-lawonthetermination of the office of data protection officer in the event of a transfer of businesspursuanttoArticle613aBGB9.Thetransferofabusinessrepresentsaspecialcaseinwhichemploymentrelationshipsaretransferredtoanewownerof thebusiness for legalreasonswithouttheneedforanexpressagreementbetweentheemployeesandthepurchaserofthebusiness. It cannotbecomparedwith theconstellationofachange in the legalbasis tobeexaminedhere.

IncontrasttoArticle4f(1)BDSG,theGeneralDataProtectionRegulationandtheBDSG-new(Articles5,38)donotprovide forany formal requirement for theappointmentof thedataprotectionofficer.Infuture,theappointmentofthedataprotectionofficercanalsobemadeorally; written form is no longer required. However, for reasons of legal certainty, it isstronglyrecommendedthatappointmentscontinuetobemadeinwriting.10

7Thus,vondemBusschespeaksinPlathBDSGGDPR,2ndedition,Article37(2),ofanobligationtoappointalsowithregardtotheGeneralDataProtectionRegulation

8Gola/Klug,NYW2007,118,1199LAGBerlin-Brandenburg,rulingof15.10.2013-3Sa567/14

10HeberleininEhmann/Selmayr,loc.cit.,Article37,marginal17;Lepperhoff/Müthlein,LeitfadenzurDS-GVO[GuidetotheGDPR],2017,p.82

14

Forthedesignation, itremainsthecaseatanyratethatadesignationactofanykindmusttake place, especially since Article 37(7) GDPR provides that the data controller or theprocessormustpublishthecontactdataofthedataprotectionofficerandcommunicatethisdatatothesupervisoryauthority.

ThefactthattheGeneralDataProtectionRegulationinArticle38(3)explicitlydepartsfroma"dismissal”–orrevocation-thelegalopinionexpressedbytheauthorsofthisexpertopinioncorrespondstothefactthatanautomaticendtotheofficeofdataprotectionofficershouldnot be brought about by the effectiveness and entry into force of the General DataProtection Regulation. According to the wording of Article 38(3) GDPR, the Europeanlegislator itself assumes that the office of the designated data protection officer must beterminatedbyafurtherlegalactofthecontroller,namelydismissal.

Mirroringtherequirementofdesignation,therequirementofrevocationofthedesignation(dismissal)will continue toapply in the future. In theopinionof theauthorsof this expertopinion, an "automatic" end of the office of data protection officer cannot be justified bylegaldogma.However,itshouldbepointedoutthat-alsoinverselytothenolongerexistingformalrequirementfortheappointment-thedismissalofthedataprotectionofficercaninfuturetakeplaceinformally,i.e.includinginanunwrittenform.Asarule,thecontrollerwillprefertocarryoutadismissalinwritinginordertobeabletoprovethisifnecessary.Itisalsoconceivable,however,thataverbaldismissalmaytakeplaceinthepresenceofwitnesses.Inthis respect, it is also advisable for dismissal for reasons of legal certainty to contractuallyagree to a written form as a formal requirement between the controller and the dataprotectionofficer.

A corresponding notification to the supervisory authority must in any case be made inaddition; this results conversely from the disclosure requirement pursuant to Article 37(7)GDPR.

On the basis of the above, the answer to the question must therefore be that anappointmentmadebeforetheentry intoforceoftheGeneralDataProtectionRegulationdoes not automatically end with the entry into force/effectiveness of the General DataProtectionRegulation.

1.1.2 Question:"DoesanappointmentmadebeforetheentryintoforceoftheGeneralDataProtectionRegulationautomaticallyendwhentheGeneralDataProtectionRegulationcomesintoeffect?

AnessentialbasicprincipleofGermanlabourlawisthataworkoremploymentrelationshipcannot end automatically. An exception in this context is an effectively fixed-termemployment relationshipwhichendsmerely through thepassageof time.All other (open-ended) employment relationships end exclusively through giving notice or concluding adissolutioncontract.

15

According to Article 623 BGB [German Civil Code] the termination of employmentrelationships by termination or dissolution contract also requires the written form to beeffective.

AnautomaticterminationoftheemploymentrelationshipofadataprotectionofficerwiththeentryintoforceoftheGeneralDataProtectionRegulationisthusexcludedinprinciple.

TheregulationofArticle623BGB[GermanCivilCode]isalsonotaffectedorinapplicablebytheregulationsofthedataprotectionbasicregulation.Despitetheabove-mentionedpriorityapplication of the provisions of an EU regulation, it should be noted that legislativecompetenceinthefieldoflabourlawliesexclusivelywiththememberstates.Article623ofthe German Civil Code (BGB) establishes a basic labour law principle in Germany. It isthereforeexcludedthatthisbasicprinciplemayberemovedornotbeapplicablebytherulesoftheGeneralDataProtectionRegulation.

ItshouldalsobenotedthatthewordingoftheGeneralDataProtectionRegulationdoesnotindicatethatthelabourlawprovisionsoftheindividualMemberStatesshouldnotbeappliedtotheemploymentrelationshipsoftheinternaldataprotectionofficers.ThebasicRegulationondataprotectiondoesnotcontainanyprovisionsontheemploymentrelationshipsofdataprotection officers and is therefore in line with the provisions of the Treaty on theFunctioningoftheEuropeanUnion(Articles3to6TFEU).

1.1.3 Question:"DoestheprotectionagainstdismissalexistingundertheBDSGforoldcasesalso

continuetoapplyundertheGDPRordoonlythenewprovisionsoftheGDPRapply?

Also,forthepurposeofansweringthisquestion,the"triad"tobenotedbetweentheFederalDataProtectionActinforceatthetimethisexpertopinionwasprepared,theGeneralDataProtectionRegulationandtheBDSG-newmustbeconsideredinthisexpertopinion.

The Federal Data Protection Act in its version valid at the time of the preparation of thisexpert opinion standardises the well-known far-reaching protection against dismissal forinternaldataprotectionofficers.However,thisprotectionagainstdismissal isonlyavailabletodataprotectionofficersforwhomanobligationtoappointthemexists(Article4f(3)S.5BDSG).Inparticular,Article4f(3)BDSGprovidesforextremelyextensiveprotectionagainstdismissal and against disadvantageousmeasures by the employer compared to the rest ofEurope.TheprovisionsofArticle4f(3)BDSGare-expressedinageneralizedway-orientedalong the protection of works councils in accordance with the Betriebsverfassungsgesetz(BetrVG) [Works Constitution Act]. In principle, an internal data protection officer is notbound by orders issued by the controlling body, i.e. usually the employer, as far as theexercise of the office of data protection officer is concerned. Furthermore, the dataprotection officer shall not be penalised due to the performance of his/her duties. TheappointmentofadataprotectionofficercanberevokedinaccordancewithArticle626BGB[GermanCivil Code]. The sameapplies to the terminationof theemployment relationship,whichisalsoonlypermissibleifevidenceispresentwhichentitlesthecontrollertoterminatethe employment relationship for important reasons without observing a period of notice.After his dismissal as data protection officer, the data protection officer enjoys so-called

16

"follow-up"protectionforoneyearagainstfairdismissaloftheemploymentrelationship.

Ontheotherhand,theGeneralDataProtectionRegulationcontainsaninitiallymuchlowerlevelofprotectionforthedataprotectionofficerinitswording.WhileGermanlawhassofarbeencharacterisedbythefactthattheindependenceofthecompanydataprotectionofficeris guaranteedby theprotectionofhisperson,which isbasedon theprotectionof officersunderworks constitutional law suchasworks councilmembers, this doesnotapply to thesameextentintheGeneralDataProtectionRegulation.11

TheprovisionsgoverningtheprotectionofthedataprotectionofficeraretobefoundintheprescriptionsofArticle38(3)GDPR.Thesestate that thecontrollerandtheprocessor 'shallensure that, in theperformanceof his duties, the dataprotectionofficer doesnot receiveordersregardingtheperformanceofthoseduties'.Furthermore,thedataprotectionofficermaynotbedismissedorpenalisedbythecontroller"duetotheperformanceofhisduties".

It istruethattheGeneralDataProtectionRegulationprovidesforsafeguardmechanismsinArticle38toensuretheindependenceofthecompanydataprotectionofficer,namelywithregard tohis freedom fromorders andprotection against dismissal.However, theGeneralDataProtectionRegulationdoesnotcontainanyprotectionforthecompanydataprotectionofficer,withaviewtoguaranteeinghis independence,comparable to theprovisionsof thecurrently applicable Federal Data Protection Act.12 In particular, the pure wording of theGeneralDataProtectionRegulationdoesnotincludeanyprotectionagainstdismissalofthedataprotectionofficer.

As stated above, the General Data Protection Regulation, as an EU Regulation within themeaningofArticle288TFEU,takesprecedenceovernationallaw.

The competence of the European Union to adopt the General Data Protection Regulationderives in particular from Article 16 TFEU. Pursuant to Article 16(2) TFEU, the EuropeanParliament and Council, acting in accordancewith the ordinary legislative procedure, shalladoptprovisionson theprotectionof individualswith regard to theprocessingofpersonaldatabytheinstitutions,bodies,officesandagenciesoftheUnionandbytheMemberStatesintheexerciseofactivitieswithinthescopeofUnionlawandonthefreemovementofsuchdata. In view of the fact that the competence to legislate in the area of labour law liesexclusively with the member states on the basis of the provisions of the treaties of theEuropeanUnion,inparticulartheTFEU,onecouldconsiderwhethertheextensiveprotectionof data protection officers against dismissal under the currently applicable Federal DataProtection Act can be eliminated at all by the provisions of the General Data ProtectionRegulation. In this context, however, it shouldbenoted that the legal conceptof thedataprotectionofficerclearlyfalls

11Kort,ZD2017,312Cort,loc.cit.

13SeealsovondemBusscheinPlath,BDSGGDPR,2ndedition,Article38,marginal914KortZD2017,3,4

17

withinthelegislativecompetenceoftheEuropeanUnionunderArticle16TFEU.Accordingly,theEuropeanUnion'slegislativecompetenceoughttoalsocoveressentialprovisionsrelatingtohistasksandposition.Otherwise, itwouldhardlybepossible fortheEuropeanUniontolegislateinastructuredandcompletemannerintheindividualthematicareasassignedtoit.It shouldalsobeborne inmind that theprotectionof thedataprotectionofficerdoesnotexist for its own sake, but serves to achieve and safeguard the respective purposes of thestatutoryprovisionsbothundertheprovisionsoftheFederalDataProtectionActandundertheprovisionsoftheGeneralDataProtectionRegulation.13

With the BDSG-new, the German legislator has passed a new legal regulation to adapt itsnationallawtotherequirementsoftheGeneralDataProtectionRegulation.ThetextofthelawprovidesforprotectionexceedingthatoftheGeneralDataProtectionRegulation(Article38)againstrecallanddismissalofthedataprotectionofficer,beingverymuchbasedontheprovisionsofthecurrentlyapplicableFederalDataProtectionAct.

Article 6(4) BDSG-new provides that dismissal of the data protection officer is onlypermissibleincorrespondingapplicationofArticle626BGB.Terminationoftheemploymentrelationship is inadmissible unless evidence existswhich entitles the public sector body toterminatetheemploymentrelationshipforanimportantreasonwithoutobservingaperiodofnotice.Aftertheendofthetaskofdataprotectionofficer,itisinadmissibletoterminatetheemploymentrelationshipwithinoneyearunlessthepublicbodyisentitledtoterminateit for an important reason without observing a period of notice. Article 6(4) BDSG-newappliesaccordingtoArticle38(2)BDSG-newtodataprotectionofficersofnon-publicbodiesaswell,butonlyiftheirdesignationismandatory.

ComparedtotheprovisionsoftheGeneralDataProtectionRegulation,BDSG-newthereforecontainsaclearaugmentationoftheprotectionofthedataprotectionofficeragainstrecallanddismissal. In this respect, theGerman legislator seems tocontinue tomakeuseof thepossibility of aligning the protection of the company's data protection officer with worksconstitutionalfunctionariessuchasworkscouncilmembers.14

Asan interimresult, it shouldbenoted thatBDSG-newprovides forprotectionof thedataprotection officer against recall and dismissal corresponding to that of the currentlyapplicableFederalDataProtectionAct.

However, the "new"protectionagainstdismissalunderBDSG-newwillonlyapply fromthedateonwhichthenewnationalstatutoryregulationcomesintoforce(25May2018).

In this respect, itmustbe clarifiedhow the changes to the statutory regulations are tobeclassifiedinregulatoryandtemporalterms.Thefollowingapplieshere:

18

• Under the General Data Protection Regulation, a lower level of protection of the dataprotection officer against revocation and dismissal applies compared to the previousFederalDataProtectionAct(Article4fBDSG).AccordingtotheprovisionsoftheGeneralDataProtectionRegulation,theDataProtectionOfficermustnotbepenalisedbecauseoftheconscientiousperformanceofhisdutiesunderArticle38GDPR.Also,adismissal "for the performance of his duties" is not permitted. Conversely, it should be assumedthatadismissalorordinaryorextraordinaryterminationoftheemploymentrelationshipof the internal data protection officer is fundamentally possible at any time for otherreasons,suchaseconomicoroperationalreasons.15

Even if the purpose of Article 38 GDPR certainly requires protection againstcircumvention, i.e. the ineffectivenessof adismissalor termination ifother reasonsaremerely used as an excuse,16 the wording of Article 38 GDPR, evenwith a far-reachinginterpretation based on the meaning and purpose of the provision, constitutessignificantly reduced protection against dismissal in comparison with the currentlyapplicable Federal Data Protection Act. This applies from the time the General DataProtectionRegulationbecomeseffective,sothatoperationaldismissalsofdataprotectionofficersduetothediscontinuationoftherequirementtodesignatethem(alsoonlyafterGDPR)wouldbe conceivable.Here, however - and thiswill have tobeexplained in thefollowing – it is essential for the purposes of a practice-relevant consideration that theBDSG-newistakenintoaccount.

• According to the case law of the Federal Labour Court and the Federal Constitutional

Court,there isnogeneralprincipleaccordingtowhichprotectionagainstdismissalonceacquired in thepastasa resultofearlierstatutory regulationmustcontinuetoapply inthefuture.Evenconstitutionalprinciplesorfundamentalrights,suchasthefundamentalrighttofreedomofoccupationalfreedomunderArticle12oftheBasicLaworthegeneralprinciple of equality before the law under Article 3 of the Basic Law, do not result inalready appointed data protection officers enjoying a kind of "statutory follow-up"protectionagainstdismissalaccordingtotheearlierornolongerapplicableprovisionsofthe Federal Data Protection Act due to the removal of protection against dismissalresultingfromtheintroductionoftheGeneralDataProtectionRegulation.17

• With the BDSG-new on 25May 2018, the national German legislator will enact a legal

regulationwhichwill lead to protection against dismissal of the data protection officerthatcorresponds to thatof thecurrentlyapplicableFederalDataProtectionAct.This is,moreover, also extremely welcome, since the ability of an employed data protectionofficer to perform tasks independently without orders is ultimately only constructivelyconceivable if the data protection officer enjoys extensive protection against dismissal.Similarly to themembersof aworks council, dataprotectionofficersmust also assumefunctionsinthecompanywhich,inindividualcases, conflictwiththedirectinterestsoftheemployer.

15vondenBusscheinPlathBDSGGDPR2ndedition,Article38,GDPRmarginal1016vondenBussche,loc.cit.17Cf.alsoBAG,judgementof21.9.2006-2AZR840/05;BVerfG,rulingof27.1.1998-1BvL15/87

19

Designatedpersonsmust thereforebeprotectedfrommeasureswhichcould jeopardisethe purpose of the rules laid down in theGeneral Data Protection. In this respect, theactivityofadataprotectionofficerwithoutcomprehensiveprotectionagainstdismissalispractically inconceivable. Practical considerations also support this view. Thecircumventionprotection(seeabove),whichisundoubtedlyalsorequiredbythewordingof theGeneral Data Protection Regulation, can in practice be achievedmost easily andunproblematicallyifthereisstillextensiveprotectionagainstdismissal.Thisviewissharedbythenationallegislator,eventhoughthereareoccasionallyvoicesthatwanttoreducetheprotectionagainstdismissaloftheBDSG-newandleaveitatthepurewordingoftheGeneralDataProtectionRegulation.18

• TheadoptedprovisionsofArticles5,6,38BDSG-newwillenter intoforcetogetherwith

the entry into force of the General Data Protection Regulation on 25 May 2018. Thismeansthatthedataprotectionofficerwillcontinuetobeprotected inthefuture inthesame way as the protection against revocation and dismissal previously provided forundertheFederalDataProtectionAct.Evenifoneweretoproceedfromtheconstructofaso-called"legalsecond"occasionallyusedinlegaldoctrine,inwhichtheoldprotectionagainstunfairdismissalunderthecurrentlyapplicableFederalDataProtectionActwouldbedroppedandthenewonewouldcome intoforceundertheGeneralDataProtectionRegulationandtheNewFederalDataProtectionAct,itwouldnotbepossibletoassumethattheprotectionagainstunfairdismissalfordataprotectionofficersalreadyappointedunder the currently applicable Federal Data Protection Act would be dropped eventemporarily. Neither the fact that different terminology is used (designation instead ofappointment) nor the fact that in a large number of employment contracts orappointmentdocuments reference ismade to theprovisionsof thecurrentlyapplicableFederalDataProtectionAct,inparticularArticle4fBDSG,changethis.

Onthebasisoftheaboveexplanations,thequestionmustthereforebeansweredinsuchaway that the protection against dismissal existing under the FederalData ProtectionActdoesnotcontinuetoapplyforoldcasesundertheGeneralDataProtectionRegulation.TheGeneral Data Protection Regulation contains its own protection regulations for the dataprotectionofficer,butnoexplicitprotectionagainstdismissal(Article38GDPR).WiththeBDSG-new, the German legislator will introduce more extensive protection againstdismissalfordataprotectionofficersevenunderthevalidityoftheGeneralDataProtectionRegulation.Thiswillalsoapplytooldcases.

1.1.3.1Question:"CanitbeassumedinthecaseofanappointmentduringthevalidityoftheBDSG

thattheoldBDSGregulationhasbeen"incorporated"intothecontract,sothattheoldlegalprotectioncontinuesinthecontract,eveniftheBDSGregulationisnolongerapplicable?

In view of the above, a discussion on the inclusion of protection against unfair dismissalunder the currently applicable Federal Data Protection Act on the basis of the BDSG-newshouldnotbenecessaryinthecontextofacontractualagreement.Nevertheless,itshouldbepointedout

18BDAstatementontheAdaptationAct-Edated14.03.2017,page7

20

herethattheinclusionoflegalprovisionsinthecontentofacontractualrelationship,suchasanemploymentcontract,isonlylikelytohaveoccurredinexceptionalcases.Forthiswouldrequire an explicit agreement on the statutory termination provisions. References tostatutoryprovisions,suchasanagreementunderwhichtheemployeeisappointedas"dataprotectionofficerpursuanttoArticle4fBDSG",wouldnotbesufficientforthispurpose.

Forthecontractualagreementofprotectionagainstunfairdismissalresultingfromthelaw,itmustbeclearfromthecontractitselfthattheprotectionagainstunfairdismissalprovisionsof Article 4 f (3) BDSG shall apply even if the law itself is no longer applicable. A merereference to paragraphs or provisions is not sufficient. Rather, it must be clear that theprotectionagainstdismissalshouldalwaysapplytotheparties irrespectiveof thestatutoryprovisions.Hereitisthereforenecessaryforthepartiestoexpresslyagreetothisinthetextof theemploymentcontract.Only intherarestofcases issuchanagreementbetweenthepartieslikelytoexist.

As already explained above, no constitutional principles or fundamental rights under theBasicLawresultinanearlierprotectionagainstdismissalcontinuingtoapplyintheeventofanewstatutoryprovision.

ThereisnoautomatismaccordingtowhichtheoriginalprotectionagainstdismissalundertheFederalDataProtectionActcontinuestobeeffectiveasacontractuallyagreedrightofdismissalinthedataprotectionofficer’scontract.An'incorporation'cannotbeassumedasarule.

1.1.4 Question:"DoestheentryintoforceoftheGeneralDataProtectionRegulationconstituteareasonfordismissal

1.1.4.1 Question:...ifdesignatingaDPOisnolongerarequirementunderGDPR?"

Thequestionastowhetherthestatusofadataprotectionofficerintermsofdataprotectionlaw or labour law (more on this under 1.1.5) is changed or can be changed with theintroduction of the General Data Protection Regulation by an act of the controller or theemployer is also to be assessed in principle on the basis of the "triad" of the currentlyapplicable Federal Data Protection Act, the General Data Protection Regulation and therecentlyadoptedBDSG-new.

Theauthorsofthisexpertopinionandprobablyalsothepredominantviewinjurisprudenceanddoctrineassumethat-iftherequirementsofArticle626BGBarenotfulfilled-areasonforthedismissalofadataprotectionofficercanonlybeconsideredifthelegalrequirementsforthemandatoryappointmentofadataprotectionofficerhavechanged.Itmustthereforebe possible to envisage a case in which, under the previous legal situation, there was arequirementtoappointadataprotectionofficer,butinwhichthisnolongerexistsasaresultof thenew legal situation, inparticular theentry into forceof theGeneralDataProtectionRegulation. In this respect, the prerequisites for the mandatory appointment of a data

21

protection officer under the General Data Protection Regulation in conjunction with theBDSG-newmustfirstbesetout.

Forthesakeofcompleteness,wewould liketopointoutagainherethattheofficeofdataprotectionofficerdependsontheappointment(inoldterms)ordesignation(innewterms)oftherespectivedataprotectionofficer,bothunderthecurrentlegalsituationandundertheprovisionsoftheGeneralDataProtectionRegulation.Thesameappliestotheterminationofoffice.Asalreadyexplainedabove,theGeneralDataProtectionRegulationinitsArticle38(3)also assumes that a data protection officermust be dismissed. The conceivable approachthat the office of data protection officer would in practice be abolished by law if theconditionsforthemandatoryappointmentofadataprotectionofficerweretoberemovedasaresultofachangeinthelawcannotbeapplicableinthisrespect.19

AccordingtotheregulationofthecurrentlyvalidFederalDataProtectionAct,thethresholdforrequiringcompaniestoappointanin-housedataprotectionofficerissetlow(Article4fBDSG). It is sufficient thatmore than9personsare constantlyengaged in automateddataprocessingorhaveprocessingoperationsisdonewhichissubjecttopriorchecking.20

Ontheotherhand, theGeneralDataProtectionRegulation initiallychanges thecriteria fortherequirementtoappointthecompanydataprotectionofficerinanotinconsiderableway.InsteadofthethresholdvalueprovidedforintheFederalDataProtectionActforinstitutingthe requirement to appoint a DPO where more than 9 persons in the company arepermanentlyemployedinautomateddataprocessinginthecompany,theprovisioninArticle37(1) GDPR now takes effect. Accordingly, a requirement to appoint a company dataprotectionofficerinitiallyonlyexistsifthecompanypursues"coreactivities"withregardtodata processing (Article 37(1) lit. b and lit. c General Data Protection Regulation).21 Acomprehensive requirement to appoint a data protection officer exists pursuant to Article37(1)lit.aGeneralDataProtectionRegulationonlyfortheprocessingofdatabyanauthorityor a public body with the exception of courts which act within the scope of their judicialactivity.

In contrast to the currently applicable Federal Data Protection Act, the General DataProtectionRegulation thuspursuesapurely risk-relatedapproach.22 Itdoesnotdependonthe scopeof dataprocessing and, in particular, onhowmanypersons in the company areinvolvedindataprocessing.DuetothedifferentapproachesoftheFederalDataProtectionActand theGeneralDataProtectionRegulation, theauthorsof thisexpertopinionbelievethatitisquiteobviousthatapracticableregulationisneededtoclarifythelegalsituationandtherequirements fortheappointmentofadataprotectionofficer.Thispossibility is in factalso provided for in theGeneralData ProtectionRegulation (Article 37 (4)GDPR), and theGermanlegislatorhasmadeuseofitintheBDSG-new.

19LAGBerlin-Brandenburg,judgementdated15.10.2013-3Sa567/14,accordingtothisparty’sassessment,supportsthislegalviewbecausethestatusofthedataprotectionofficerthereisalsolinkedtoanappointmentactbythecontroller/employer(seeNo.36ofthereasonsforthejudgment).20KortZD2017,321HeberleininEhmann/Selmayr,loc.cit.,Article37,marginal1022Schneider,(DatenschutznachderDatenschutz-Grundverordnung)DataProtectionaccordingtotheGeneralDataProtectionRegulation,p.190

22

ThefactthatArticle37(4)oftheGeneralDataProtectionRegulationexpresslygrantsnationallegislatorstherighttoindependentlydefinetheconditionsfortherequirementtoappointadataprotectionofficerhasmadeitunnecessaryinthelegaldiscussiontoclarifywhetheranextension or redefinition of the conditions of the requirement to appoint a DPO may bepermissibleonthebasisofthepriorityofapplicationoftheEURegulation.Nevertheless, itmustbeexaminedwhethertheprovisionsoftheBDSG-newareconsistentwiththoseoftheGeneralDataProtectionRegulation.This isbecausetheprovisionsoftheBDSG-newshouldnotbeapplied if they contradict theprovisionsof theGeneralDataProtectionRegulation,wherebythisassessmentmustalwaysbeviewedagainstthebackgroundoftheauthorisationbasisinArticle37(4)GDPR.

The authors of this expert opinion do not assume that the provisions of the BDSG-newcontradict the provisions of the General Data Protection Regulation. It is true that theprovisions of the currently applicable Federal Data Protection Act could not simply beincorporated into the BDSG-new because harmonisation of the provisions is urgentlyrequired(seeabove).Nevertheless,withtheBDSG-new,theGermanlegislatorhasmadetheattempttomoveawayfromthedifficult-to-handlecriteriafortherequirementtoappointaDPOunderArticle37(1)(b)and(c)oftheGDPR,whichisultimatelytobewelcomedintheinterestsoflegalclarity.

AccordingtotheregulationsoftheBDSG-newfornon-publiccompanies(Article38(1)BDSG-new) the controller and the processor appoint a data protection officer if they normallyemployatleast10personspermanentlywiththeautomatedprocessingofpersonaldata.Ifthe controller or processor carries out processing operations which are subject to a dataprotectionimpactassessmentpursuanttoArticle35GDPR,oriftheyprocesspersonaldatacommerciallyforthepurposesoftransfer,anonymisedtransferorforthepurposesofmarketoropinionresearch,theymustappointadataprotectionofficer irrespectiveofthenumberof persons involved in the processing. Thewording of the BDSG-new therefore ultimatelycorresponds to the previous provisions of the Federal Data Protection Act. The thresholdvalueforstaffinvolvedintheprocessingofpersonaldataisstill10,despitetheslightchangeinthewording.

Forthesakeofclarification,itshouldbenotedthattheauthorsofthisexpertopinionbelievethat the term 'employment' should not be understood in the sense of employment undersocial insurance law.Thethresholdvalue is thereforereached ifatallanumberofpersonswho reach the threshold value are involved in data processing, regardless of their socialsecurityclassification.

InsteadofthepriorcheckmentionedinthecurrentlyapplicableFederalDataProtectionAct,theBDSG-newprovidesforarequirementtoappointadataprotectionofficerforprocessingoperations that are subject to a data protection impact assessment pursuant to Article 35GDPR. This in itself is system-compatible. Prior checking has been replaced in the GeneralDataProtectionRegulationbythedataprotectionimpactassessmentpursuanttoArticle35GDPR.

23

The consequence of the provisions of the BDSG-new, which the authors of this expertopinionbelievearetobeappliedinfullinthisrespectislikelytobethatacaseconstellationinwhichadataprotectionofficerhad tobeappointedasobligatoryunderprevious law inwhich this obligation is now removed by the new law, is hardly conceivable. Article 38(1)BDSG-newtiesinwiththeprovisionsoftheFederalDataProtectionAct.Article37(1)(b)and(c)oftheGDPRcontainsadditionalprovisionswhichmaywellraisequestionsinthefutureastowhethertheprovisionsoftheGeneralDataProtectionRegulationwillresultinevenmoreextensive appointment obligations than hitherto. However, the requirements for the dataprotection officers already appointed under the validity of the previous law have notchanged. Therefore, there shouldbeno reason todismiss a dataprotectionofficer on thebasisofthenewlegalsituation.

Thequestionmust thereforebeansweredtotheeffect that thenew legalsituationdoesnotimplyanyreductionindesignationobligationsaftertheentryintoforceoftheGeneralData Protection Regulation and the BDSG-new. In this respect, the entry into force andcomingintoeffectoftheGeneralDataProtectionRegulationdoesnotconstituteareasonforthedismissalofadataprotectionofficer.

If, however, the BDSG-new version does not enter into force in its current version, it isquiteconceivablethattherecouldbecasesinwhichareasonfordismissalcouldexistifthepreviousprerequisitesforacompulsoryappointmentnolongerapply.

1.1.4.2 Question:"...evenifthereisadesignationrequirementundertheGDPR?"

Thisquestionmustbeanswered in the samewayas thepreviousone,with theproviso,however,thatevenintheabsenceofBDSG-new,theentryintoforceoftheGeneralDataProtectionRegulationcouldnotconstituteareasonforthedismissalofadataprotectionofficer, if he is also subject to an appointment requirement under the provisions of theGeneralDataProtectionRegulation.

Atthispoint,itwouldbeconceivableatbesttohaveatheoreticaldiscussiononthequestionofwhethertheentryintoforceoftheGeneralDataProtectionRegulationandtheBDSG-newcould,fora"logicalmoment",leadtotheeliminationoftheprerequisitesforthemandatoryappointmentofadataprotectionofficeroreven to the removalof the legalbasis fordataprotectionofficerswhohavealreadybeenappointed.Ultimately, it is inconceivable fortheauthorsof thisexpertopinion that thechange in the legalbasisalonewouldmeanthatallthebasicrequirementsfordataprotectionofficersalreadyappointedcouldbeeliminated.Inparticular, this would not be consistent with the spirit and purpose of the General DataProtection Regulation. Themain objective of the General Data Protection Regulation is toprotectdatasubjectsfromimproperandunjustifiedprocessingoftheirdata.Ifoneweretogrant controllers a right to extraordinary dismissal of data protectionofficers appointed inaccordance with old law solely on the basis of the fact that the legal basis for the legalconcept of the data protection officer henceforth results primarily from the General DataProtectionRegulation,thisobjectivewouldbejeopardisedtoahighdegree.

24

1.1.5 Question:"DoestheentryintoforceoftheGeneralDataProtectionRegulationconstituteanextraordinaryorordinaryreasonforterminationoftheemploymentrelationship

1.1.5.1 Question:...ifundertheGDPRthereisnolongerarequirementtodesignateaDPO"?

IthasalreadybeenstatedinthecontextofthisexpertopinionthattheentryintoforceoftheGeneral Data Protection Regulation on the basis of the provisions of Article 623 of theGermanCivilCode(BGB)cannotinanycaseleadtoan"automatic"endtotheemploymentoremploymentrelationshipofanemployeddataprotectionofficer (1.1.2).Eventhestatusrelationship, which must be strictly separated from the employment relationship of theinternal data protection officer, does not end automatically or on the basis of a statutoryregulation,butalwaysonlyonthebasisofaunilateralact,namelythedismissalofthedataprotectionofficer(cf.Article38(3)sentence2GDPR),bothunderthepreviouslegalsituationandundertheprovisionsoftheGeneralDataProtectionRegulation.

AssumingthattheBDSG-newwillcomeintoforceon25May2018,theauthorsofthisexpertopiniondonotbelievethatacaseconstellation isconceivable inwhich,undercurrent law,there isanobligation toappointaDPOwhichwouldno longerapplydue to thenew legalsituation. An existing right of termination due to the entry into force of theGeneral DataProtectionRegulationcouldatmostbejustifiedbythefactthatthereisacaseinwhichthenewlegalsituationwouldnolongerrequireanappointmentoradesignation.However,duetotheBDSG-newlegislationpresentedbytheGermanlegislator,thisishardlyconceivable,ashasalreadybeenstatedseveraltimes.Forthesereasons,theentryintoforceoftheGeneralData Protection Regulation will not constitute extraordinary or ordinary grounds forterminating the employment of the internal data protection officer, if the General DataProtectionRegulationnolongerrequirestheappointmentofadataprotectionofficer.

Analogous to the above remarks under 1.1.3, however, it should be pointed out that aterminationof theemployment relationshipof thedataprotectionofficer foreconomicoroperationalreasonscouldcertainlybeconsiderediftheBDSG-newshouldunexpectedlynotenter into force and if the General Data Protection Regulation no longer requires anappointment.

However,adistinctionshouldbemadeherebetweendataprotectionofficerswhoareactiveassuchthroughouttheirworkingtimeandthosewhodevoteonlypartoftheirworkingtimeto their activities as dataprotectionofficers. In the caseof dataprotectionofficers in full-time employment, it would be easier to justify dismissal for operational reasons if theobligation to appoint staff ceased to apply than in the case of part-time data protectionofficers,forwhomitwouldstillhavetobeexplainedindetailthattheirentireworkplacehasceasedtoexistasaresultofthelegalchange.

Thequestionmust thereforebeanswered in suchaway that theentry into forceof theGeneral Data Protection Regulation does not constitute a reason for the ordinary orextraordinarydismissalofthedataprotectionofficeriftheBDSG-newentersintoforceasexpected.

25

Otherwise,duetothepartialeliminationoftheobligationtodesignateaDPO,dismissalsforoperationalreasonscouldwellbepronounced.

1.1.5.2 Question:"...evenifthereisarequirementtodesignateaDPOundertheGDPR?"

Inordertoavoidrepetitions,referenceismadetotheaboveremarks,inparticularunder1.1.5.1. It would be conceivable, if at all, that the entry into force of the General DataProtection Regulation would constitute a reason for the termination of the employmentrelationship of the internal data protection officer if, on the basis of the provisions of theGeneralDataProtectionRegulationinconjunctionwiththeBDSG-new,apreviouslyexistingrequirement todesignate (or appoint)wouldbeeliminated.However, ashas alreadybeenpointedoutseveraltimes,thiscannotbeassumed.

For this reason, the entry into force of theGeneralData ProtectionRegulation does notconstitute an extraordinary or ordinary reason for the termination of the employmentrelationship of the internal data protection officer, even if there is a requirement todesignate a GDO under the General Data Protection Regulation. A different assessmentwouldnotariseeveniftheBDSG-newdidnotenterintoforce.

1.2 Contractualpositionoftheexternaldataprotectionofficerwithregardtoorderspriorto

thedateofapplicationoftheGDPR

Explanationofthequestioner:"Thecustomerprovidesanexampleofatypicalcontractforthe appointment of an external - i.e. not employed - data protection officer. This exampleservesthewriterasareferenceforansweringthequestions."

Externaldataprotectionofficersarethosedataprotectionofficerswhodonotworkwithinacompany themselves. In addition to the internal data protection officer, the General DataProtectionRegulationalsoprovidesfortheexternaldataprotectionofficer.Thisresultsfromthe wording of Article 37(6) GDPR. It states that the data protection officer may be anemployeeofthecontrolleroroftheprocessor"orperformhisdutiesonthebasisofaservicecontract".

When appointing a data protection officer, a distinctionmust bemade between the basicrelationshipof theactivity and theappointment relationship, as alreadyexplained inpoint1.1.1. In contrast to an internal DPO, the basic relationship of an external DPO is theconsultancy agreement. This is legally independent of the appointment.23 Thismeans thatthere are two different aspects to consider. These are, on the one hand, appointmentsaccordingtotheFederalDataProtectionActordesignationsaccordingtotheGeneralDataProtection Regulation and, on the other hand, the civil law contract on which theappointmentordesignation isbased. Ifthere isonlyanappointmentordesignationofanexternal data protection officer, then a civil law consultancy agreement has neverthelessbeentacitly

23Recital97GDPR(oldversion)

26

concluded.Conversely,however,theconclusionofthecivillawconsultancyagreementdoesnotconstituteanappointmentordesignation,asaseparateact isalwaysrequiredfor this.ThisappliesevenifadesignationundertheGeneralDataProtectionRegulationcanalreadybemadeverbally.24

UndertheFederalDataProtectionAct,theperformanceofthedutiesofthecompanydataprotection officer was regarded as a paid agency service. A contract such as this ischaracterisedby the fact that theserviceproviderundertakes tocarryoutan independentactivityofaneconomicnatureinordertoprotectthefinancialinterestsofthirdparties.25

Although the General Data Protection Regulation, when appointing an external dataprotectionofficer, isbasedon thewordingofa servicecontract,anagencyagreementwillnevertheless exist here. This results from the tasks of the external data protection officer.The tasks regulated in Article 39 GDPR describe an independent activity of an economicnatureintheinterestsofathirdparty.EvenaftertheGeneralDataProtectionRegulationhascomeintoforce,itremainsthecasethattheprovisionsofArticles675,662ff.,611ff.oftheGerman Civil Code (BGB) apply to the appointment of an external data protection officer.Nevertheless, it should be noted that the only necessary act is the appointment ordesignationofthedataprotectionofficer.Thereismuchtosuggestthattheconsentofthedata protection officer to be appointed or designated is a necessary prerequisite foreffectiveness.26Inanycase,itisadvisabletoobtainthis.

1.2.1 Question:"DoesanappointmentmadebeforetheentryintoforceoftheGeneralDataProtectionRegulationautomaticallyendwhentheGeneralDataProtectionRegulationcomesintoeffect?

It should be made clear in advance that the following remarks only apply if nomodifications have been agreed in the basic relationship of the consultancy agreement.The following explanations therefore only apply if either no modifying consultancyagreement has been concluded or the model of a consultancy agreement provided hasbeenused.

RegardingthequestionofwhetheranappointmentmadebeforetheentryintoforceoftheGeneral Data Protection Regulation automatically ends when the General Data ProtectionRegulationcomesintoeffect,referencecanessentiallybemadetopoint1.1.1ofthisexpertopinion, since the legal basis for the appointment of a company data protection officer isindependentofwhetherhe isan internalorexternaldataprotectionofficer. Inbothcases,the appointment is the legal act by which the position of the data protection officer isjustified.Inthelegalassessmentaccordingtotheaboveremarks,thechangedterminologyofreferring toadesignation insteadofanappointmentdoesnot result inanappointmentnolongerbeing

24Jaspers/tireRDV2016,61,62f25HeermanninMünchKommBGB,6thedition2012,Article675marginal326Thus,derivingfromthewrittenformrequirementoftheorder,SimitisFederalDataProtectionAct,8thedition2014,Article4fRd-No.57.

27

valid and automatically ending on the basis of the directly applicable General DataProtection.

TheFederalDataProtectionAct,takingintoaccounttheprohibitionofdiscriminationinconjunctionwiththefreedomtoissueorderspursuanttoArticle4f(3)sentences2and3BDSG,ageneraltimelimitontheappointmentwaslargelyrejectedandtheappointmentwasregardedasbasicallyunlimited.27

According to the applicable provisions of the General Data Protection Regulation, theappointment of a data protection officer according to the provisions of the General DataProtectionRegulationisalsotoberegardedasbasicallyunlimitedintime.InaccordancewithitswordinginArticle37(6)GDPR,thisprovisionassumesthatthedesignationmayalreadybebased on an (unlimited) employment relationship. Although this does not exclude thepossibility of a fixed-term appointment, it does, however, initially mean an unlimitedappointment.28

In theopinionof theauthorsof thisexpertopinion, theappointmentordesignationof anexternal data protection officer does not lead to an automatic termination of theappointments made under the previous Federal Data Protection Act, since - as alreadyexplained -anautomatic terminationof theofficeofdataprotectionofficer isunknown inthestatutoryprovisions.TheFederalDataProtectionActdidnotprovideforterminationofthe office by operation of law, nor does the General Data Protection Regulation, theAdaptationActortheBDSG-newprovideforsuchtermination.

Adifferentsituationmayapplyifsomethingtothecontraryiscontractuallyregulated.Fromthesamplecertificateofappointmentprovidedconcerning theappointmentofanexternaldata protection officer,29 the appointment is a consequence of the agreements in theconsultancyagreementand is toendautomaticallywith the terminationof this contract.30Theprovisionistobeinterpretedinsuchawaythatnootherautomaticterminationoptionsagreedundercivil lawareprovided for.Automatic terminationof theappointment foranyreasons other than termination of the underlying consultancy agreement is not apparent.The question of automatic termination of the assignment will be dealt with below underpoint1.2.2.

An appointment made before the entry into force of the General Data ProtectionRegulation does not automatically end when the General Data Protection Regulationcomesintoeffect.

27Cf.resolutionoftheDüsseldorferKreisof24/25November2010,p.228AlsoMarschall/MüllerZD2016,415,41629Hereafterreferredtoas'certificateofappointment’30Cf.section5oftheappointmentdocument

28

1.2.2 Question:"DoesanorderplacedbeforetheentryintoforceoftheGeneralDataProtectionRegulationautomaticallyendwhentheGeneralDataProtectionRegulationcomesintoeffect?

In principle, the termination of the civil law contract is governed both by the consultancyagreement, which always forms the basis of the assignment, and by the statutoryterminationprovisionsofservicelaw.Asaresult,theprovisionsgoverningtheterminationofanemploymentrelationshippursuanttoArticles620 ff.BGB (GermanCivilCode)apply.This isbecause,asalreadyexplainedat thebeginning of point 1.2, the exercise of the activity of the operational officer for dataprotectionrepresentsapaidbusinessarrangementandthusamixedcontractualrelationshipconsistingofaservicecontractandamandate,wherebyaccordingtoArticle675(1)BGBtheprovision for revocation of themandate is not applicable since Article 671 BGB does notapply.According to Article 620(1), (2) BGB (German Civil Code) the mandate ends either byexpirationoftimeorbyachievementofthecontractpurposeagreed inadvance.However,the change in the legal basis for the designation of a data protection officer when theGeneralDataProtectionRegulation comes intoeffect doesnot constitute an intrinsic timelimitation.ThisalreadyresultsfromthegeneralprincipleofArticle620(1)BGB,accordingtowhichacontinuingobligationendsattheendoftheperiodforwhichitwasenteredinto.31

Thisthereforereferstoafixedtermofthecontractagreedinadvance.Atimelimitdoesnotexist if the legal basis for the appointment or designation of the data protection officerchanges.Nor can the achievementof thepurposeof the contractbe seen in the fact that the legalsituationchangesaccordingly. Inorder toavoid repetitions, reference ismade towhathasbeensaid inpoints1.1.1and1.2.1.Thebusinesspurposeofappointingthedataprotectionofficer isnotachievedbytheentry into forceof theGeneralDataProtectionRegulation.Amentaldistinctionmustbemadebetweentheattainmentofthepurposeandtheremovalofthepurpose. Inthecaseoftheformer,theobjectiveofthemandate,whichwasdefinedinadvance,hasbeenachieved;inthecaseoftheremoval,theobjectivehasnotbeenachieved,butitshouldnolongertobeachievedduetoaparticularchangeincircumstances.ThepurposeoftheassignmentaccordingtoArticle1ofthesampleconsultancyagreementprovided32 is the performanceof the functionof operational data protectionofficer in thesenseofArticle4f(1)BDSG.ThiswillremaininplaceevenaftertheentryintoforceoftheGeneralDataProtectionRegulation.Thesamepurposewouldalsoexistwithoutaseparatecontractualprovision, since thepurposeof theappointmentofanexternaldataprotectionofficer can be readily inferred from Article 4 f (1) BDSG. Again, the purpose of theappointmentwouldnotbeachievedbytheentry intoforceoftheGeneralDataProtectionRegulation.AnautomaticlegalterminationoftheappointmentisneithergovernedbytheFederalDataProtectionActnor theGeneralDataProtectionRegulationnorArticle620 ff.BGB (GermanCivilCode)sothat,intheopinionofthepersonsresponsibleforthisexpertopinion,alegal

31HesseinMünchKommBGB,6thedition2012,Article620marginal132Hereinafterreferredtoas'theconsultancyagreement’

29

basis for the appointment made before the General Data Protection Regulation does notautomaticallyendwiththeentryintoforceoftheGeneralDataProtectionRegulation.

AremovalofthebusinessbasisinaccordancewithArticle313BGB(GermanCivilCode)maybeconsiderediftherequirementtodesignateadataprotectionofficerceaseswiththeentryintoforceoftheGeneralDataProtectionRegulation. Inthiscase,thepremiseunderwhichthe consultancy agreement was concluded changes fundamentally. However, the legalconsequenceofthisisnottheautomaticterminationoftheconsultancyagreement.

Theappointmentofanexternaldataprotectionofficerbeforetheentry intoforceoftheGeneral Data Protection Regulation does not automatically end when the General DataProtectionRegulationcomesintoeffect.

1.2.3 Question:"DoestheentryintoforceoftheGeneralDataProtectionRegulationconstituteareasonfordismissal

1.2.3.1 Question:...ifthereisnolongerarequirementundertheGDPRtodesignateaDPO"?

Thisquestionhasalreadybeenansweredinthecontextofthecommentsinpoint1.1.4.1.Asalreadystatedinthisexpertopinion,theappointmentordesignationofthedataprotectionofficerdoesnotdistinguishbetween internal andexternal dataprotectionofficers, so thattheaboveremarksalsoapplytotheexternaldataprotectionofficer.Asalreadymentioned,the appointment or designation must be logically separated from the assignment of theexternaldataprotectionofficer.

According to the authors of this expert opinion, a reason for the dismissal of a dataprotection officer can only be considered if the legal requirements for the mandatoryappointment of a data protection officer have changed and a duty to appoint no longerexists.Intheopinionoftheauthorsofthisexpertopinion,however,thisisnotthecasewithregardtotheAdaptationAct(AnpassungsG)andtheBDSG-new.

As a result, the entry into force of the General Data Protection Regulation does notconstitutea reason fordismissinganexternaldataprotectionofficer if theGeneralDataProtectionRegulationnolongerrequirestheappointmentofadataprotectionofficer.

1.2.3.2 Question:"...evenifthereisarequirementtodesignateaDPOundertheGDPR?"

This question was also answered in the comments in points 1.1.4.1 and 1.1.4.2. In theopinion of the authors of this expert opinion, there is no reason for the revocation of theexternal data protection officer as a result of the entry into force of the General DataProtectionRegulation,evenifthereisarequirementtodesignateaDPO.

Thequestionmustthereforebeanswered inthesamewayasquestion1.2.3.1,provided,however,that-eveniftheBDSG-newshouldnotcomeintoeffect-theentryintoforceoftheGeneral

30

Data Protection Regulation would not give rise to a revocation of the external dataprotectionofficer ifarequirementtodesignateaDPOalsoexistsundertheprovisionsoftheGeneralDataProtectionRegulation.

1.2.4 Question:"DoestheentryintoforceoftheGeneralDataProtectionRegulationconstituteanextraordinaryorordinaryreasontoterminatethecontract

1.2.4.1 Question:...ifthereisnolongerarequirementundertheGDPRtodesignateaDPO?"?

IthasalreadybeenestablishedintheprecedingcompilationthattheentryintoforceoftheGeneral Data Protection Regulation cannot lead to an automatic termination of theappointmentoftheexternaldataprotectionofficerduetotheprovisioninArticle620BGB.Thesameappliestothestatusrelationshipoftheappointmentordesignation.Thisalsodoesnotendautomaticallyorduetoalegalregulation.Rather,italwaysrequiresrevocationasaunilateralactinaccordancewithArticle38(3)sentence2GeneralDataProtectionRegulation.

Article621BGB(GermanCivilCode)appliestoaterminationoftheconsultancyagreement,unlessotherwisecontractuallyagreedandtheregulationistherebywaived.Theconsultancyagreementsubmittedregulatesaterm,sothattheterminationprovisionofArticle621BGBdoesnotapply.Inthepresentanalysis,terminationisbasedonthecontractualagreements.Article8oftheconsultancyagreementstipulatesacontracttermoftwoyears,includinganautomatic extension of two years, unless terminated in advance. A regular termination isthereforeonlypossiblewithinthisframework.

Anexisting rightof terminationdue to theentry into forceof theGeneralDataProtectionRegulationcouldatmostbejustifiedbythefactthatthereisacaseinwhichtherewouldnolongerbeanobligationtoappointortodesignateaDPOduetothethennewlegalsituation.DuetotheBDSG-newthathasnowbeenpassed,however,thisishardlyconceivable,ashasalreadybeenstatedseveraltimes.

As a result, the entry into force of the General Data Protection Regulation does notconstituteanextraordinaryorordinaryreasontoterminatetheconsultancyagreementofthe external data protection officer if the General Data Protection Regulation no longerimposesanobligationtodesignateaDPO.

1.2.4.2 Question:"...evenifthereisarequirementundertheGDPRtodesignateaDPO?"

Thisquestionhasalreadybeenansweredinthecommentsinpoint1.2.4.1.Inordertoavoidrepetition,referenceismadetotheaboveremarks.

If at all, it would be conceivable that the entry into force of the General Data ProtectionRegulationwouldconstituteareasonfortheterminationoftheconsultancyagreementwiththe external data protection officer if, on the basis of the provisions of the General DataProtectionRegulation inconjunctionwiththeBDSG-new,apreviouslyexistingobligationto

31

appoint or designate a DPO were no longer to apply. However, as has already beenmentionedseveraltimes,thiscannotbeassumed.

For the aforementioned reason, the entry into force of the General Data ProtectionRegulationdoesnotconstituteanextraordinaryorordinaryreasonfortheterminationofthe consultancy agreement of the external data protection officer even if there is arequirementtodesignateaDPOundertheGeneralDataProtectionRegulation.

1.3 ProtectionofthedesignateddataprotectionofficerintheGDPR

Question: 'Does the provision in the second sentence of Article 38(3) of the General DataProtectionRegulationconstituteprotectionagainstdismissalfortheappointedsalarieddataprotectionofficer?(Alsoinconnectionwithlastsentenceofrecital97.)"

According to itswording, theGeneralDataProtectionRegulation contains significantly lessprotectionofthesalarieddataprotectionofficeragainstsanctionsbytheemployerthantheprovisionsofthecurrentlyapplicableFederalDataProtectionActortheBDSG-new.

Article38(3)sentence2GDPRprovidesthatthedataprotectionofficermaynotberemovedorpenalisedbythecontrollerortheprocessor"duetotheperformanceofhisduties".

Intherecitals(ErwG97)totheGeneralDataProtectionRegulation,theEuropeanlegislatorhas inparticularstatedthatdataprotectionofficers,whetherornottheyareemployeesofthecontroller,"mayexercisetheirdutiesandtasksfullyindependently".

The General Data Protection Regulation therefore does not provide protection againstdismissalforthedataprotectionofficerbyitsactualwording.33ThetextoftheGeneralDataProtection Regulation merely provides for protection against dismissal and a generalprohibitionofdiscrimination.Asalreadymentioned,withregardtothelegalclassificationofthe data protection officer, a distinction must be made between his status(designation/revocation) and the basic relationship of his activity (employmentrelationship/agencycontract).However,inlargepartsoftheliteraturetheviewisexpressedthatadataprotectionofficerwhohasbeendismissed (under labour law)andwhohasnotyetbeenrecalledcanhardlyfulfilhisdutiesasdataprotectionofficerinameaningfulway.34

For this reason, the legal literature takes the view that the above-mentioned wording ofArticle 38(3) GDPR is to be understood in such a way that not only dismissal and otherdiscrimination,butalsoterminationoftheemploymentrelationshipofthedesignateddataprotectionofficer"duetothefulfilmentofhisduties"shouldnotbepermissible.35

33Ehmann/Selmayr,loc.cit.,Article37,marginal14;Ettig/BauseweininWybitul,HandbuchEU-DS(HandbookEU-GDPR),Article38marginal2134BergtinKühling/Buchner,Datenschutz-GrundverordnungKommentar(GeneralDataProtectionRegulationCommentary)2017,Article38marginal32;similarlyprobablytotheBusscheinPlath,BDSGGDPR,Article38marginal10f35BergtinKühling/Buchner,GeneralDataProtectionRegulationCommentary,2017,Article38marginal33

32

Asalreadymentioned,theBDSG-newcontainsprovisionsonprotectionagainstdismissalofthedesignateddataprotectionofficer.Ingeneral,itshouldbenotedthattheappointeddataprotection officers, who are also employees of the controller, can only be dismissed ifevidenceexistswhichentitlesthepublicbody(Article6BDSG-new)orthecontroller(Article38(2) BDSG-new) to pronounce dismissal for good cause without observing a period ofnotice.Thisspecialprotectionagainstdismissalofthedataprotectionofficeronlyappliestonon-publicbodies if thedesignationofadataprotectionofficer ismandatory (Article38(2)BDSG-new).TheprovisionsoftheBDSG-newarethusverycloselyalignedwiththeprovisionsofthecurrentlyapplicableFederalDataProtectionAct.Theterminationoftheemploymentrelationship within one year is inadmissible even after the end of the activity as dataprotection officer, unless the public body or the controller is entitled to terminate theemploymentrelationshipforan importantreasonwithoutobservingaperiodofnotice(so-calledfollow-onterminationprotection).36

As a result, thismeans that it follows from theGeneralData Protection Regulation and inparticular also from Article 38(3) GDPR as well as recital (ErwG) 97 that data protectionofficers enjoy at most limited protection against dismissal, which according to the clearwordingofArticle38(3)GDPR is limited in this respect to the fact that thedataprotectionofficer may not be dismissed "due to the performance of his duties". Other reasons fortermination, suchasoperational reasons for terminationor reasons for termination,whichare based on the person of the data protection officer, are not covered by the protectionagainstdismissaloftheGeneralDataProtectionRegulation.

Oncloserexamination,theprotectionofthedataprotectionofficeragainstdismissalbytheemployer as standardised in the General Data Protection Regulation thus proves to berelativelyweak.Itisdoubtfulwhetheradataprotectionofficerwhoisonlyprotectedbytheprovision in Article 38(3) GDPR is able to carry out his activities with the independencerequiredbytheGeneralDataProtectionRegulation itself. Inthisrespect,withreferencetorecital(ErwG)97,anattemptcouldbemadetoextendtheprotectionagainstdismissalunderArticle 38(3) GDPR beyond its mere wording. Such a "further development" of protectionagainstdismissalonthebasisof themeaningandpurposeoftheprovisionsof theGeneralDataProtectionRegulationwouldnotbe intooblatantacontradictiontothegeneral legalinterpretation regulations either, because in European Union law in particular so-calledteleological interpretation, i.e. interpretation according to the meaning and purpose of alegalregulation,isofparticularimportance.Insomecases,teleologicalinterpretationwithinthe framework of European law is given "supreme weight".37 Starting from interpretationbasedonthemeaningandpurposeofaregulation,theEuropeanCourtofJustice(ECJ)hasoftenalsoresortedtotheso-calledprincipleofeffectiveness(effetutile).Indoingso,ithasregularly preferred the interpretation that promises the greatest possible practicaleffectiveness of the European rules.38 However, it must be clearly pointed out that anyinterpretation of the General Data Protection Regulationmust not exceed its limits in theprovisionsonthelegal

36Bergt,loc.cit.37Albrecht/Jotzo,DasneueDatenschutzrechtderEU(ThenewEUdataprotectionlegislation),Part1,marginal3038Albrecht/Jotzo,loc.cit.,part1marginal31

33

competenceoftheUnionandtheMemberStates.Thepowertoregulatesubstantivelabourlaw lies with the individual member states, so that in the end it will depend on nationalregulationssuchastheBDSG-new.39

Thequestionmustthereforebeansweredasfollows:

ItcanbestatedwithgoodargumentsunderEuropean lawthatArticle38(3)of theGDPRgoes beyond itsmerewording and provides for extensive normalised protection againstdismissalbythedataprotectionofficer.Thisisinline,inparticular,withthestatementsofthe European legislator in recital (ErwG) 97. The question, however, is what scope this"extended"protectionagainstdismissalshouldhave.Thereisa lackofconcreteguidanceanditisnotclearfromtherecitalsortherulesoftheGeneralDataProtectionRegulationitself. It therefore remains, as a (safe) assessment, that the General Data ProtectionRegulationprovidesweakprotectionagainstdismissalfordataprotectionofficersintermsof its wording, but that this protection, however, is concretised and extended by theprovisions of the BDSG-new – a fact which is certainly to be welcomed due to theassociatedlegalcertainty.Accordingtotheauthorsofthisexpertopinion,thefactthattheprovisionsoftheBDSG-newonprotectionagainstdismissalofthedataprotectionofficerarelikelytobeinconformitywithEuropeanlawalsoresultsinparticularfromtherecitalstotheGeneralDataProtectionRegulationandthefactthataneffectiveactivityofthedataprotectionofficerisonlylikelytobepossibleiftherearepreciselymanageableprotectionprovisions.

1.3.0 Preliminaryremarkto1.3.1:Fundamentalsofcivilliabilityofthedataprotectionofficer

In order to answer the question of civil liability, the basis for such liability must first bepresentedinordertoprovideabetterunderstanding.Theseaspectsthenalsohaveamirrorimageeffectonthepossibilitiesforlimitingliability,whichisthesubjectofquestion1.3.4.

Againstthebackgroundofthecurrentsituation,thedataprotectionofficer'sliabilityduetoomissionneeds tobeexaminedmore closely. This is presentedunderpoint 1.3.0.1, takingintoaccount theoverallcircumstancesarising fromtheGeneralDataProtectionRegulation(seepoint1.3.0.1.1).

Thecommonconditionsofcivilliabilityoutsidethebracketsaresetoutbelow,astheyapplyequallytotheestablishmentandfulfilmentofthedataprotectionofficer'sliability-whetherinternalorexternal.Theindividualprerequisitesleadtooverallliabilityiftheyaremet.

39Lepperhoff/Müthlein,LeitfadenzurDatenschutz-Grundverordnung(GuidetotheGeneralDataProtectionRegulation),2017,p.85

34

The prerequisite for liability is the existence of a culpable breach of duty through eitheractiveactionoromission,whichmusthaveresultedincausaldamage.

Ø Breachofduty

The prerequisite for the liability of the external, designated data protection officer is thebreach of a duty to perform. These will therefore be dealt with in greater detail in thefollowing.Forwithoutanobligation toperform,nobreachofdutywillexistandwithoutabreachofdutynoliability.Abreachofdutycanalsoconsistinafailuretoact.However,thisisonlythecaseifthedataprotectionofficerisalsoobligedtoact,butnoactionistaken.Forexample, inthecaseofnon-preventionofadataprotectionviolationwithintheframeworkofmonitoring,ifthereisadutytoact.TheGeneralDataProtectionRegulationisbasedonasystemofmonitoringandaction in termsof its legal structureandsystem.Theconceptofmonitoringmustbe integrated into this systemasanoverall consideration.Foran isolatedviewofthetermoverlooksfundamentalpointsthatresultinadifferentassessment.

Thepossiblebreachesofdutybythedataprotectionofficerarelistedbelow:

• Breachofdutyintheformof:Breachofacontractualobligation

Ifthedataprotectionofficerviolateshisprimarycontractualobligations,e.g.byrevealingsecretsoftheclientcompany,abreachofdutycanreasonablybeassumed.Thisisclearinthis respect and is dealt with in this expert opinion only briefly with regard to therelevanceforcriminallaw(cf.excursusafterquestion2.2.1).

Abreachofacontractualobligationmayalsoexistifafurtherobligationtoactonthepartofthedataprotectionofficerisagreedintheconsultancyagreement,suchasifheisalsograntedtherighttoissueinstructions.

Adistinctionmustbemadebetweencontractualobligationsand legalobligationsofthedataprotectionofficer.Onlythelatterarethesubjectofthisexpertopinion.

• Breachofdutyintheformof:Breachofdataprotectionbythedataprotectionofficer

Thedataprotectionofficercan,likeanyotheractorinacompany,violatedataprotectionregulationshimself,forexamplebypassingonpersonaldatatoathirdpartywithouttheconsentofthedatasubject.

35

• Breachofdutyintheformof:InfringementofastatutorydutypursuanttoArticle39GDPR(throughactiveaction)

According to Article 39(1) lit. a GDPR, the data protection officer is responsible forinformingandadvisingthecontrollerortheprocessorandtheemployeescarryingouttheprocessingoperationswithregardtotheirduties.PursuanttoArticle39(1)lit.cGDPR,hehasthedutytoprovideadviceinconnectionwiththedataprotectionimpactassessment.Inaddition,Article39(1)lit.dGDPRstipulatesthatheisalsoresponsibleforcooperationwiththesupervisoryauthority,andArticle39(1) lit.eGDPRstipulatesthatheisalsothecontactpointforthesupervisoryauthorityinmattersrelatedtoprocessing.

If one of the aforementioned conditions is incorrectly applied, for example if the dataprotectionofficerprovidesthecontrollerwithincorrectinformationduringconsultations,abreachofdutycanalsoreasonablybeassumed.

• Breachofdutyintheformof:Non-preventionofadataprotectionviolationinthe

company

Abreachofdutycanalsoexistifsomeoneomitsanactionalthoughheisobligedtodoso.Failure todosoalwayspresupposesaduty toact,be it -asexplainedabove- fromthecontractorfromthestatutorytasksassignedtothedataprotectionofficer.

Forthedataprotectionofficerthereisnoobligationperse-ofanykind-topreventdataprotectionbreaches.

According to Article 39(1) lit. b GDPR, the data protection officer, whether internal orexternal,isresponsibleforthefollowing:

"Monitoring compliance with this Regulation, other data protection legislation oftheUnionortheMemberStates,andthepoliciesofthecontrollerorprocessorforthe protection of personal data, including the allocation of responsibilities,awareness-raising and training of staff involved in the processing operations andrelatedverifications.”

At first glance, this may result in a prevention duty. The concept of monitoring is notregulated intheGDPR itself,40but it isdecisive for thequestionofwhetherandwhenabreachofdutyonthepartofthedataprotectionofficerhasoccurred.

40SoalsoMarschall/MüllerZD2016,416,418

36

ExcursusontheoldlegalsituationofthepreviouslyapplicableFederalDataProtectionAct:

Previously, Article 4 g (1) sentence 4 no. 1 BDSG of the Federal Data Protection Act(Bundesdatenschutzgesetz) also stipulated that the data protection officerwas tomonitortheproperuseofthedataprocessingprogrammesusedtoprocesspersonaldata.AccordingtotheFederalDataProtectionAct,monitoringtheproperuseofdataprocessingprogramsisone of the focal points of the data protection officer's activities. Monitoring is anaccompanying checkwhich is intended to prevent unlawful processing of personal data atall.41 The data protection officer is obliged to check the compatibility of the processingprogramsalreadyintroducedoronlyplannedwiththerequirementsofdataprotectionandto report this to the controller.However, he is not obliged to explain how the correctionsrequired inhisviewcanbe implemented indetail.42Thismeansthatmonitoringwithinthemeaning of the Federal Data Protection Act is limited to checking existing or plannedprocessingprogramsfortheircompatibilitywithdataprotectionlaw,butdoesnot,however,makeconcretechangestotheexistingorplannedprogramorevenproposethem.AccordingtotheFederalDataProtectionAct,theresponsibilityfordataprotectionlieswiththeofficeresponsible according to Articles 2, 3 (7) BDSG and thus in the non-public area of themanagement of the respective data processing company. Thismeans that the task of thedataprotectionofficerformonitoringendswithareporttothemanagement.

An interpretation of the General Data Protection Regulation on the basis of thisunderstanding is naturally not possible. The General Data Protection Regulation is to beinterpreted as a Union law ordinance in its own right and not from the perspective of anationalpredecessor law.43Thisappliesevenagainst thebackgroundthat theFederalDataProtectionActwasclearlytheinspirationfortheprovisionsinArticle37to39GDPR.

DeviatingfromtheprovisionsoftheFederalDataProtectionAct,theGeneralDataProtectionRegulationisbasedinitslegalstructureonamonitoringandactionsystem.ThismeansthattheconceptofmonitoringmayimposeadditionalobligationsontheDPO,whichalsorequireactionbytheDPOhimself.

Ifanobligationtoactarisesfromtheword"monitoring",theremaybeabreachofdutyifanecessary action is omitted. The question of the duty to monitor is dealt with in greaterdetail in point 1.3.0.1.3 below,whereby this cannot be viewed in isolation for the sake ofoverall understanding, but the organisationmust first be described in point 1.3.0.1.1 andthenincludedinaderivativeform.

41Gola/Schomerus,BDSG,12thedition2015,Article4gBDSGmarginal1842Simitis,FederalDataProtectionAct,8thedition2014,Article4gmarginal4643RoßnagelMMR2015,359

37

Ø Culpability

Aculpablebreachofdutyisrequiredfortheestablishmentofliability.Basically,everyoneisliable for intent and negligence if no statutory liability privileges are apparent.44 This alsoapplies to the external data protection officer, but not to the internal one, as will beexplained in point 1.3.1. The culpabilitymust exist in relation to the respective breach ofduty.

Article39(2)GDPRcannotbeconstruedasa liabilityprivilege.Theprovision is intended toregulatethemannerinwhichthetasksaretobeperformedinaccordancewithArticle39(1)GDPR and stipulates that the data protection officer must take due account in theperformance of his duties.45 The statutory provisions of Articles 675, 611 ff. BGB (GermanCivilCode)whicharerelevantfortheexternaldataprotectionofficeralsoprovidenoliabilityprivileges.Otherstatutoryliabilityprivilegesarenotapparent.

Intent is theknowledgeandwilfulnessofthebreachofduty. It isalreadysufficient forthispurposeifthebreachofdutyisrecognisedandtacitlyaccepted.Inthecaseofculpabilityduetoafailuretoact,thismeansthatthedutytoactisrecognisedbutignored.

Anyonewhoneglects thecare required in trafficactsnegligently, cf.Article276(2)BGB. Incontrasttocriminallaw,anobjectiveratherthanasubjectivestandardisapplied.

Thelevelofdiligencetobeexercisedbythedataprotectionofficerwillthereforedependonthe level of diligence to be applied to him. As a rule, the yardstick used is the degree ofprudence anddiligence a prudent and conscientiousmemberof the relevant publicwouldhaveobservedinthespecificsituation.46Theobjectiveyardstickwillhavetobedeterminedon the basis of the requirements addressed by the General Data Protection Regulation inArticle 37 (5) GDPR, namely the particular professional qualifications and expertise of thedataprotectionofficer.Thecorrespondingmissionstatementsofthedataprotectionofficerwillalsobeincludedintheevaluation.47

Tothisend,thebreachofdutymusthavebeenforeseeableforthedataprotectionofficer.Thegeneralforeseeabilityofaninjuriousoutcomeissufficienthere,thedetailsofthespecificcourseofeventsneednotbeforeseeable.48

Itfollowsalreadyatthispointthattheculpabilitycriterionof"negligence",whichisrelevantinthefollowing,cannotberegardedasafixedterm.Itdependsinparticularonthelevelofobjectified care that can be expected from a data protection officer. Therefore, in thepresent

44GrüneberginPalandt,76thedition2016,Article276BGBmarginal145PaalinPaal/Pauly,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),1stedition2017,Article39GDPRmarginal246GrüneberginPalandt,76thedition2016,Article276BGBmarginal1747BvD,DasberuflicheLeitbilddesDatenschutzbeauftragten(TheprofessionalmissionstatementoftheDataProtectionOfficer),3rdedition201648GrüneberginPalandt,76thedition2016,Article276BGBmarginal20

38

case,thecontentoftheservicecanhavealiabilitylimitingeffectwithinthescopeoffault.

Ø Causaldamage

Noteverydamage,whichhasanycauseinthebreachofdutyofthedataprotectionofficer,istoberegardedascausalintermsofliabilitylaw.Inafirststep,itmustbeestablishedthatthedamagewascausedpreciselybytheeventobligatingtheclaimanttopaydamages.

Inasecondstep,theremustbeanadequatecausaldamagescenario.Thismeansthatdutifulconductcanberegardedasanadequate,typicallyappropriateconditionfordamage. Iftheactiondoesnotcausethedamagedirectly,butonlyindirectlyduetotheadditionoffurthercircumstances,athird,evaluativeconsiderationwillbeaddedasacorrectivetotheliability.Thedamagemustalsobesuchthatthebreachedobligationshouldprotectagainsttheactualdamage. This stepalso requiresanevaluative consideration,which - like the second step -mustbecarriedoutbyacourtintheeventofadisputeandcanonlybedeterminedonthebasisofthesituationandnotasawhole.

• Breachofthecausallink

In concrete situations, there may be interruptions in the attribution of causality, forexample intheeventofan intentionallyactingthirdparty intervening,or if thedamagewouldalsohaveoccurredifthedataprotectionofficerhadactedlawfully.49

• Contributorynegligence

In thecontextofcontributorynegligencealso, theclaimantof thedamagescanbeheldresponsibleforthefactthatthedamagecanalsobeattributedtohim.50Thiscanleadtoaminimisationoftheclaimuptoanexclusionoftheliabilityofthedataprotectionofficer.Thedecisivefactor iswhatobligationstheclaimanthimselfhas.Thiswillbediscussedinmoredetailinpoint1.3.3.

1.3.0.1 Liabilityofthedataprotectionofficerintheeventofnon-preventionofabreachofdataprotectionwithinthecompany

In the following, the above-mentioned category of "non-prevention of a breach of dataprotection within the company" as a breach of duty by the data protection officer isexaminedinmoredetail.

49Cf.OetkerinMünchKommBGB,7thed.2016,Article249marginal14250Cf.OetkerinMünchKommBGB,7thed.2016,Article254marginal3

39

In its legal structure and systematics, the General Data Protection Regulation assumes anindependentmonitoringandactionsystem.51Theconceptofmonitoringmustbeintegratedintothissysteminanoverallview.Foran isolatedviewofthetermoverlooksfundamentalpoints that lead to a different assessment. Any isolated view of the term "monitoring"overlooks fundamental aspects. The monitoring and action system of the General DataProtection Regulation must therefore be described in advance. Only together with thisdescriptioncanthedutyofthedataprotectionofficertomonitorbesystematicallyclassifiedandassessedintermsofliability.

1.3.0.1.1 MonitoringandactionsystemoftheGeneralDataProtectionRegulation

The controller is the person held responsible. This results from Article 5(2) GDPR. Theresponsibility is clearly and explicitly assigned to this person. TheGeneral Data ProtectionRegulation imposes additional accountability obligations on him for compliance with thisresponsibility.52 The controller is therefore placed at the centre of compliance with theprovisionsoftheGeneralDataProtectionRegulation.

ThemonitoringandactionsystemoftheGeneralDataProtectionRegulationisgovernedbyArticles5,12and24oftheGDPR.Atthecentreofthissystemarethereforethecontrollerandthecorrespondingorgansofthecompany.53

• Article5GDPR

Article 5 GDPR regulates the principles of a legally compliant processing of personaldata.54Theseprinciplesarenotmerelythesettingofprogrammaticobjectivesbutbindingrequirements for data processing authorities.55 The principles set out here in a ratherabstractmanneraredefinedinthefurtherregulations,sothataviolationofthemorefar-reaching provisions of Article 6 ff. GDPRmust always also be regarded as a breach ofArticle5GDPR.56Article5GDPRmustthereforebeseenasthe"generalstandard"ofdataprotection.

Controllers are held accountable for their compliance with the substantive legalrequirementslaiddowninArticle5(1)GDPR,i.e.theprinciplesof

- Legality- Processingingoodfaith- Transparency57

51Cf.HeberleininEhmann/Selmayr,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),2017,Article37marginal152Cf.alsoHamannBB2017,1090,1091f.53SoalsoBehlingZIP2017,697,699f.54Cf.SchantzNJW2016,1841,1843;HamannBB2017,1090f.55HamannBB2017,1090,109156SoalsoHerbstinKühling/Buchner,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),Article5(1)57HerbstinKühling/Buchner,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),Article5marginal7

64Sachs/Kranig/Gierschmann,Datenschutz-CompliancenachderDS-GVO(DataprotectioncomplianceinaccordancewiththeGDPR),p.24

40

It follows fromArticle5(2)GDPR that the controller is accountable for compliancewiththe principles for processing and that he must be able to prove compliance with theprinciples.58AccordingtoArticle4(7)GDPR,thecontrollerisanydataprocessingauthoritywithin the European Union in the non-public sector, i.e. normally a company.59Accountabilitymeansthattheobligationtodocumentdataprocessingistheresponsibilityof the company itself and thus of the management entrusted with directing thebusiness.60

Thedocumentationobligationisintendedtoencouragesthecontrollertocomplywiththelawfulnessoftheprocessingfromtheoutset.Article5(2)HS.2GDPRforcesthecontrollerto fulfil the specified obligations. The obligation to document thus serves to safeguarddataprotection.61

AbreachoftheprovisionsofArticle5(1)GDPRisalreadyassumediftheresponsiblebody- and thus the management – is unable to provide evidence of data processing inaccordance with the General Data Protection Regulation.62 A breach of thedocumentation obligation under Article 5(2) GDPR is sanctionedwith a so-called "largefine"withinthemeaningofArticle83(5)GDPR.Inthiscase,finesofupto€20millionor,inthecaseofacompany,upto4%ofitstotalworldwideannualturnoverofthepreviousfinancialyeararepossible,dependingonwhichoftheamountsishigher.

Twothingscanbe inferredfromthis:Ontheonehand, the locationof thesanction lieswiththemanagementofthecompanyitselfandnotwiththedataprotectionofficer.Ontheotherhand,thefactthata"largefine"isimposedforabreachofthedocumentationobligation indicates the legislative intention for the management itself to meet therelevant obligations under the GDPR. It is responsible for organising the company incompliancewithdataprotectionlaws.

• Article24GDPR

Article 24(1) GDPR regulates the obligation to ensure that processing is carried out incompliancewithdataprotectionregulationsandtobeabletoprovideevidencethatitiscarried out in compliancewith data protection regulations.63 According to Article 24(1)sentence 2 GDPR, the organisational measures required for this purpose must bereviewedandupdatedasnecessary.64

The regulation explicitly addresses the controller. This expresses the fact that thecontrolleradoptsacentralpositionintermsofdataprotectionresponsibility.

58Sachs/Kranig/Gierschmann,Datenschutz-CompliancenachderDS-GVO(DataprotectioncomplianceinaccordancewithGDPR),p.24;methodCR2016,714,71659ErnstinPaal/PaulyDatenschutz-Grundverordnung(GeneralDataProtectionRegulation),1sted.2017,Article4marginal5560HerbstinKühling/Buchner,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),Article5marginal77ff.61InconclusionalsoWybitulCCZ2016,194,19762Cf.Sachs/Kranig/Gierschmann,Datenschutz-CompliancenachderDS-GVO(DataprotectioncomplianceinaccordancewiththeGDPR),p.11063PiltzK&R2016,709,710

68Cf.WiseZD2016,315,31841

• Article12GDPR

Article12GDPR,inconjunctionwithArticle13to23GDPR,regulatesthedutiestoprovideinformation to data subjects affected by data collection as well as the modalities forexercising the rights of data subjects.65 It thus regulates the essential implementationrequirements for the company, towhichArticles 5 and24GDPR refer.Article 12GDPRdescribes which measures are to be taken, in particular which information is to beprovided.Thestandardstipulatesthatappropriatemeasuresaretakenbythecontroller(paragraph1),thatthecontrollerfacilitatestheexerciseoftherightsofthedatasubjects(paragraph2)andthatthecontrollerprovidesthedatasubjectswithinformationonthemeasurestaken(paragraph3).

AbreachoftheobligationsunderArticle12GDPRissanctionedwitha"largefine"withinthemeaningofArticle83(5)GDPR.FromthisitcanbededucedthattheobligationswithinthemeaningofArticle12GDPRapplytothecontrollerwithinthemeaningofArticle4(7)GDPR. The amount of the fine also reflects the intention of the legislator to hold thecompanyand themanagementactingon itsbehalf accountableand to require themtotakeappropriatemeasuresthemselves.

• Dataprotectionimpactassessment

Article35(1)GDPRstipulatesthatthecontrollermustfirstcarryoutanassessmentoftheconsequencesoftheplannedprocessingoperationsfortheprotectionofpersonaldataif,due to the nature, scope, circumstances and purposes of the processing, a form ofprocessing is likely toentailahighrisk for therightsandfreedomsofnaturalpersons.66According to Article 35(2) GDPR, the controller must seek the advice of the dataprotectionofficerwhencarryingoutsuchanassessment.

The data protection impact assessment pursuant to Article 35 GDPR makes clear therelationshipbetweenthedataprotectionofficerandthecontrollerinthreerespects.

AlthoughthelegalsituationwhichappliedundertheFederalDataProtectionAct(BDSG)cannot be used to interpret the General Data Protection Regulation, the presentationneverthelessmakesclearthedifferentwayofthinkingundertheGeneralDataProtectionRegulation.UnderArticle4(1)sentence1BDSGinconjunctionwith4d(6)BDSG,thepriorchecking, which is now regulated in Article 35 GDPR, was the sole task of the dataprotectionofficer.This supplementedhisduty tomonitorandadvise.67 In the successorinstrument to the General Data Protection Regulation, Article 35(1) GDPR, this originaltask isassignedsolely to thecontroller.68 In relation to theFederalDataProtectionAct,therefore, itcanbeseenthataseparatepriorcheckbythedataprotectionofficer isnolongerprovidedfor.

65SchantzNJW2016,1841,184566Kühlung/MartiniEuZW2016,448,45267Simitis,(Bundesdatenschutzgesetz(FederalDataProtectionAct),8thed.2014,Article4g,marginal81

69SoalsoJaspers/ReifRDV2016,61,6642

TheDPOdoesnotplayanindependentroleincomplyingwiththerequirementsofArticle35GDPR.69

Here,too,itcanbeseenthattheGeneralDataProtectionRegulationassignsasecondaryrole to the data protection officer, a secondary positionwhose advice is sought by thecontroller at the centre of data protection. In principle, the data protection impactassessmentcouldalsobeincludedintheconceptof"monitoring"alone.Butthenitwouldnot have been necessary to clarify that the data protection officer should only beconsulted.

• Noenforcementpowers

Within a corporate structure, the executive bodies of the company are basicallyauthorisedtocarryoutactionsandorganisetheircompany.Ifthispossibilityisalsotobegranted to an employee or a third party outside the corporate structure, it requires aconferralofauthority,eitherbythecompanyoritsexecutivebodiesorbylaw,inordertoact.

Thedataprotectionofficerdiffersfromthecompanyanditsexecutivebodies inthathehasnoentrepreneurialororganisationalpowerstoactwithinthecontextofcarryingouthisdataprotectiontasks.TheGeneralDataProtectionRegulationdoesnotgivehimthepower either to act accordingly. The GDPR leaves the formulation of civil law to theregulationsofthememberstates.

This once again draws attention to the secondary role of the data protection officer.Althoughhistaskistocheckcompliancewithdataprotectionlaw,hedoesnot,however,receive any intrinsic powers to act in order to be able to put an end to possibleinfringements.Hereportspossiblebreachestothecontroller.

• Targetofsanctions

Ultimately,itcanalsobeseenfromanoverallviewpointthatthedataprotectionofficerisnotmentioned intheprovisionsonsanctions inArticle83GDPR.Thecontrollerandtheprocessor are explicitly named. This also shows that the data protection officer plays asecondaryroleindataprotectionlawandisnotthefocusofsanctionsforinfringementsofduty.

• Summary

Thedataprotectionofficer isnotmentioned inArticles5, 24and12GDPR, so that theobligationslaiddownthereincannotaffecthimintrinsically.HeisnotthecentralbodyfordataprotectionwithinthemeaningoftheGeneralDataProtectionRegulation.Accordingtotheaboveexplanations,thisisundoubtedlythecontrolleraccordingtoArticle4(7)

72Klugloc.cit.43

GDPR.70 This also means that the responsibility - seen in the overall context - cannotsimplybepassedon.

A similar conclusion can also be assumedwith regard to the provisions on sanctions inArticles 82, 83GDPR. Thesedonot include thedataprotectionofficer.Only controllersandprocessorsareexpresslynamedasliableparties.However,aDPOisneitherofthese.In this respect, the terms used represent a paradigm shift from the Federal DataProtection Act, which in Article 43 BDSG with refers to everyone - including the dataprotectionofficerwith"It’sanoffenceto".However,thiscannolongerapplyduetothewordingoftheGeneralDataProtectionRegulation.

1.3.0.1.2 Legalstatusofthedataprotectionofficer

Pursuant to Article 38(1) GDPR, the data protection officer must be duly and promptlyinvolvedinallmattersrelatingtotheprotectionofpersonaldata.Thisisabasicprerequisiteforhiseffectiveperformance.Itisthedutyofthecontrollerandtheprocessortoensurethatthisisthecase.PursuanttoArticle38(3)sentence3GDPR,thedataprotectionofficerhasadirectrighttoreporttothehighestmanagementlevel,whichheinformspursuanttoArticle39(1) lit. aGDPR.71At the same time,Article38(4)GDPR stipulates thatdata subjectsmayconsultthedataprotectionofficer.Thesameappliestotheexerciseoftheirdataprotectionrights under theGeneral Data Protection Regulation. This is likely to refer to the rights ofdatasubjectsunderArticles12to23oftheGeneralDataProtectionRegulation.72

ItcanthereforebeseenthattheDataProtectionOfficerisintendedinparticulartoplayanadvisory andmediating role in the system of theGeneral Data Protection Regulation. ThecontrollerandtheprocessorarealsosubjecttoobligationsunderArticle38GDPR.Theyarealsothetargetofsanctionsifthedutiesto"safeguard"arenotobserved.PursuanttoArticle83(4)GDPR, in theeventof infringements, a so-called "small fine"will be imposed. In thiscase, fines of up to €10million or, in the case of a company, up to 2%of its total annualworldwideturnoverintheprecedingfinancialyeararepossible,whicheveristhehigher.Thedataprotectionofficer,ontheotherhand,isnottargetedbyanysanctions.

FromthesystemoftheGeneralDataProtectionRegulation(asdescribedinpoint1.3.0.1.1)andthelegalpositionofthedataprotectionofficer,thefollowingcanbeconcludedfromanoverallviewpoint:

Thedataprotectionofficerisnotthe"centralbody"ofdataprotectionwithinthemeaningoftheGeneralDataProtectionRegulation.HeisnotsubjecttotheessentialobligationsoftheGeneralDataProtectionRegulation.Theseexclusivelyaffectthecontrollerandthusthe

70BehlingZIP2017,697,699alsoreachesthesameresult71KlugZD2016,315,318;HamannBB2017,1090,1096

80SeealsoBehlingZIP2017,697,699f44

companyitself.ThecontrollerbearstheoverallobligationtoregulatethetasksandmeasuresimposedbytheGeneralDataProtectionRegulation.Thedataprotectionofficeronlyplaysan“outsider” role in the overall view of the monitoring and action system. Against thisbackground,theterm"monitoring"willhavetobeinterpreted(seepoint1.3.0.1.3below).

1.3.0.1.3 "Monitoring"

Pursuant to Article 39(1) lit. a GDPR, the data protection officer informs and advises thecontrollerandtheemployeeswithregardtotheirduties.73This task includes informingthecontroller about processes relevant to data protection by the data protection officerreportingtohim.74

Article 39(1) lit. b GDPR supplements the tasks of the data protection officer regulated inArticle39(1)lit.aGDPRwithacontrolfunction,wh ich alsoincludesinternal"strategies"forthe protection of personal data.75 The interpretation of the term has so far hardly beendiscussedintheliterature.Theterm"monitoring"pointstoanambivalent,butratherpassiveterm.Thesame impression results fromthewordingof theEnglish ("monitor")andFrench("contrôler") texts of the Regulation, which, to judge by their meaning, imply a perhapspassivesurveillance.76Accordingtothemeaningoftheword,"monitoring"canalsobeunderstood as "observation" and "logging". It can be inferred from recital 97 that"monitoring" is intended to be a supportive task for the controller or the processor.77However,itcannotbeinferredfromthisthatactivecontrolisnecessary.78

Nevertheless, the interpretationofeachparticular termdoesnot seem tobe constructive,butthetermshouldbeseenasauniform"monitoringofcompliancewiththisRegulation".Inthe overall context of the explicitly regulated organisational obligations outlined above, itbecomesclearthat"monitoringcompliancewiththisRegulation"canonlybeunderstoodasa review of the organisational structure under data protection law, which the responsiblepartyitselfmustestablishinaccordancewiththeprovisionsinArticles5,24,12GDPR.79

Thedataprotectionofficerhasneitherthetasknortheauthoritytoestablishaseconddataprotection structure in order to prevent breaches of data protection regulations.80 Whileactions are prescribed for the controller ("takes measures", "must prove", "providesinformation"),thedataprotectionofficerhasnotbeengivenanysuchdutiestoactorevenopportunitiestoact.

73Cf.Klugloc.cit.,31874Cf.ThodeCR2016,714,718;Klugloc.cit.75Klugloc.cit.76A.A.Marschall/MüllerZD2016,415,41877SoalsoHeberleininEhmann/Selmayr,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),2017,Article39marginal1078A.A.Marschall/MüllerZD2016,415,41879SoalsoEttig/BauseweininWybitul,HandbuchEU-Datenschutz-Grundverordnung(HandbookEUGeneralDataProtectionRegulation,Article39marginal16

85Jaspers/Reifloc.cit.45

The originally planned task of "safeguarding" the documentation was dropped during thetripartitenegotiations.81

Monitoringintheconventionalsensewouldalsorequirethepossibilityofaninterventioninthe process in order to eliminate the error in terms data protection law if necessary.However,thiswouldrequirethedataprotectionofficertohavethecorrespondingauthorityto issue instructions.82 This same cannot be inferred from the General Data ProtectionRegulation.AlthoughmonitoringpursuanttoArticle39(1)lit.bGDPRincludestheallocationof responsibilities to employees,83 in the view of this party, no further authority to issueinstructions can be derived from this. According to thewording, the allocation also servesonly the purpose of the monitoring itself, not the elimination of any data protection-infringingstatesthatmaybeuncovered.

Article 38(3) GDPR assigns the data protection officer the task of reporting to the highestmanagementlevel.Additionaldutiestoactorauthoritytoissueinstructionsarenotprovidedfor.84If theexternaldataprotectionofficerhasauthority to issue instructions in theconsultancyagreement or - in the case of an internal data protection officer - in a supplementaryagreement, this has a corresponding effect on his liability.85 This was not done in theconsultancy agreement provided, so that this is not elaborated any further in the presentdraft. Neither the General Data Protection Regulation nor the BDSG-new give rise to anyintrinsicauthoritytoissueinstructions.Thisisalsoinlinewiththeviewoftheevaluatorsofthisexpertopinionthat,accordingtorecital97,monitoringbythedataprotectionofficerisasupportingmeasureforthoseactuallyresponsible,namelyforthecompanyitselfandfortheprocessor.

There is strong doubt, as stated above, that the data protection officer has the role ofpreventing any breach of data protection within the company. This also results from theprotectivepurposeofthestandard.Thisisbecauseitisnotdesignedinsuchawaythateverybreach of data protection should be prevented. Rather, the standard is designed so thatinformation is obtained about breaches of data protection, and that the data protectionofficer brings these the attention of the controller who then rectifies them. Monitoringthereforemeansmonitoringthedataprotectionorganisationofthecontroller.

Insummary,thefollowingapplies:

In principle, the General Data Protection Regulation stipulates that the data protectionofficer's duty to review andmonitor the existing organisation of data protectionmust besuchthatitscompatibilitywithdataprotectionlawandinternalguidelinescanbechecked.

81Cf.Jaspers/ReifRDV2016,61,6582Marschall/MüllerZD2016,415,41883PaalinPaal/PaulyDatenschutz-Grundverordnung(GeneralDataProtectionRegulation),1sted.2017,Article39marginal684Jaspers/ReifRDV2016,61,66;alsoEttig/BrauseweininWybitul,HandbuchEU-Datenschutz-Grundverordnung(HandbookEUGeneralDataProtectionRegulation,1stedition2017,Article39marginal17

86GuidelinesonDataProtectionOfficersofArticle29DataProtectionWorkingPartydd.13.12.2016,p.446

The consequence of this is, unless otherwise stipulated in the contract, that the dataprotection officer is obliged to report a data protection infringement at the highestmanagementlevel.TheGeneralDataProtectionRegulationdoesnotprovideforamorefar-reaching power of the data protection officer to issue instructions in order to remedy theidentified breach himself, which is why the data protection officer, in the context ofmonitoring,hasanobligationto informthecontrollerofadataprotectionbreachofwhichhebecomesaware,butnotanobligationtoremedythedataprotectionbreachhimself.

This is in line with the monitoring and action system of the General Data ProtectionRegulation.Thecontrollerisobligedtoactunderdataprotectionlaw,asfollowsfromArticles5,24,12GDPR. In thecontextofhisdutyof review, thedataprotectionofficeronlyhasasupporting function which, in the opinion of the authors of this expert opinion, does notentailanydutiestoactbeyondreportingtothemanagement.

1.3.0.2Result

Intheopinionoftheeditorsofthisexpertopinion,thedataprotectionofficerisnotliablefor any non-prevention of data protection infringements in the company. He adopts an“observer” roleand reportsdataprotection infringements to the controller.Hedoesnothavethetaskofpreventingbreachesofdataprotectionandthereforehasnodutytoact,whichwouldbenecessaryforanyliabilityclaimsarisingfromomission.

1.3.1 Question:"Underwhatcircumstancescantheemployeddataprotectionofficerheldliable?"

Ithasalreadybeenexplained inthecontextof theaboveremarksthat thedataprotectionofficer-regardlessofwhetherheisanexternaloraninternaldataprotectionofficer-canbeheldliableforculpablebreachesofdutyinaccordancewiththerelevantcivillawregulationsandstandards.Theviewexpressedfromtimetotimethatthedataprotectionofficerisnotliableforbreachesofdutyhasnot,intheopinionoftheauthorsofthisexpertopinion,beenrelatedtoquestionsoflabourlaworgeneralcivillaw.86ForitistruethatthepersonprimarilyresponsibleforcompliancewiththeprovisionsoftheGeneralDataProtectionRegulationandthe so-called compliance regulations is the controller. However, this does not mean thatgeneral liability principles of civil and labour law would not apply to the data protectionofficer. Rather, it can be assumed that the General Data Protection Regulation does notcreateanyadditionalcivilorlabourliabilitystandards.Atthesametime,however,itdoesnoteliminate liabilityprinciplesundergeneralciviland labour law.European legislatorsarenoteven

91BAG,jurisdictiondd.28.10.2010-8AZR418/0947

empoweredtomakesuchstatutoryprovisions.Foritisprimarilyuptothenationallegislatortoamendanddefinetheregulationsoflabourlaw.87

Accordingtothis,theinterimresultisthatanemployeddataprotectionofficerisinprincipleliableunderthesameconditionsasanyotheremployee.

Inthecontextofalong-termdevelopmentofcaselaw,theFederalLabourCourtlastdefinedin 2010 the principles of an employee's liability vis-à-vis the employer in the event of aculpable (i.e. at least slightly negligent) breach of legal obligations. In this context, theFederal LabourCourt firstof allworkedout thatanemployment relationship constitutesaspecialcivil-lawobligationinwhich,duetothespecialpersonaltiesbetweenthecontractingparties, a large number of ancillary obligations as well as duties to cease and desist andduties toact regularlyarise. Inaddition, therearegeneraldutiesof care, custody,welfare,informationandnotificationwhichservetopromotetheperformanceoftherespectivemainduties of the parties to the employment contract, i.e. the employee and the employer, tomaintaintheperformancecapabilitiesandtosecurethesuccessofperformance.88

Accordingtothecase-lawoftheFederalLabourCourtcitedabove,anemployeeis liabletoanemployerforabreachofdutyandculpabledamagecausedtotheemployerinaccordancewiththeprinciplesoftheso-calledoperationallyinducedactivity:

Iftheemployeeinfringeslegalinterestsoftheemployerwithinthescopeofanoperationallyinducedactivityandtherebycausesdamagetotheemployer,analleviationof liabilitymaybeconsidered.Theemployee'sactionsarepromptedby thecompany if, fromanobjectivepoint of view, they were in the interests of the company from the point of view of theinjuringparty,ifhisactionswerenotuntypicalinthelightofcustomarycommercialpracticeand if they did not constitute an excess.89 Activitieswhichwere assigned to himunder anemploymentcontractorwhichtheemployeecarriesoutforthecompanyintheinterestsoftheemployerareconsidered tobepromptedby thecompany.Actiondoesnothave tobepartoftheemployee'sactualareaofresponsibility;itissufficientifheactsintheemployer'sbestinterests.90

Theoperationalcharacteroftheactivityisnotlostthroughtheemployee'sgrosslynegligentorevenintentionalbreachofhisdutiesduringtheperformanceoftheactivity,evenifsuchconductisinprinciplenotintheemployer'sinterest.91

Ultimately,thismeansthatanemployee'salleviationofliability,whichisstilltobespecifiedbelow,canalwaysbeconsideredintheeventofdamagetotheemployer'slegalassetsifthedamagingactiontookplacewithinthecontextofjobperformance.Asimplecaseinthis

87Jaspers/Reif,RDV2016,61,6488BAG,jurisdictiondd.28.10.2010-8AZR418/0989BAG,jurisdictiondd.22.04.2004-8AZR159/0390BAG,jurisdictiondd.14.03.1974-2AZR155/73

48

context would be, for example, that of the driver who damages another vehicle whilemanoeuvring in thedepot.A caseof so-calledexcess, i.e. a case inwhichnooperationallyinducedactivitycouldbeassumed,wouldbethatoftheemployeewho,withinthecontextofa disputewith colleagues, damages legal interests, such as furnishingsormachines, of theemployer.

Asageneralrule,theterm'operationallyinducedactivity'istobeunderstoodquitebroadly.

Insofar as a so-called operationally induced activity exists, the principles developed by theFederalLabourCourtonlimitedemployeeliabilityapply.Accordingtothis,anemployeeisinprinciple fully liable if he intentionally causesdamage to theemployer. In the caseofonlyminor or very minor negligence, the employee is generally not held liable. In the case ofmoderate negligence, the damage is usually shared between the employer and theemployee. In the case of gross negligence, the employee generally has to bear the entiredamages,butalleviationofliability,dependingonacase-by-case,maycomeintoquestion.92

It is naturally difficult in individual cases to distinguish between the different degrees ofnegligence. The deliberate causation of damage, on the other hand, is quite easy todetermineonacase-by-casebasis.Ontheotherhand,itisoftendifficulttoassesswhetherthereisacaseofminornegligenceormoderatenegligence.

TheFederalLabourCourtitselfhasthereforedeterminedthatboththeconceptofculpabilityand the individual types of culpability (minor, simple,moderate and gross negligence) arelegalconceptswhicharesubjecttoassessmentbythe judge.TheFederalLabourCourthasthereforepointedoutasacorrectiveforthislegaluncertaintythateveninthecaseofgrossnegligence,circumstancesmayarisewhichjustifyalimitationofliability.Here,forexample,theFederalLabourCourtreferredtotheamountoftheemployee'spay.Anemployeewhoispaidonlya lowwagecannot, inprinciple,beheld liable in fulleven fordamagecausedbygrossnegligence.

These principles of employee liability, developed and consistently applied by the Germanlabourcourt,alsoapplytoculpablebreachesofdutybytheinternaldataprotectionofficerand his liability towards his employer. However, even after the General Data ProtectionRegulationentersintoforce,itmustbeborneinmindthatthedataprotectionofficer,duetothe operational risk to be borne by the employer and the considerable contributorynegligenceofthecompanymanagement(Article254BGB)–forexample,duetoinadequate

92BAG,loc.cit.(Fn91)93BAG,loc.cit.(Fn91)

49

equipment of the data protection officer - should not normally be expected to accept fullliability.94

Nevertheless,the internaldataprotectionofficer isalsoheld liableforthefulfilmentofthetasksanddutiesassignedtohimthroughhisemploymentcontractasdataprotectionofficerwithinthemeaningoftheGeneralDataProtectionRegulation.

The General Data Protection Regulation governs a large number of the data protectionofficer'stasksandisnotfullytransparentandunambiguousineveryrespect.95Wordingthatissometimesmisleadingispartlytothedetrimentofthelegalcertaintyofthecompaniesandultimately, due to a certain legal uncertainty, also to thedetriment of the data protectionofficersthemselves.96However,itisinprincipleuptotheclaimanttopresentandprovetheevidencethatisintendedtosupporthisclaim.Thisrelativeuncertaintyaboutthetasksandobligations of the data protection officer, which stems from the General Data ProtectionRegulation,isreinforcedbytheconsequencesofaculpablebreachofobligationsonthepartoftheinternaldataprotectionofficer,whicharethemselvesdifficulttoforeseeinpractice.

Due to theuncertaintiesoutlinedabove, itmaybeadvisable inpractice todefinepreciselythe individual tasksandobligationsof theDPO in thecompany inan intrinsicemploymentcontract for an employee recruited as DPO or in the context of an agreement on theassumptionof thepositionofDPO(in thecaseofasubsequentappointmentasDPO).ThiswouldclarifyforboththeemployeeandtheemployertheexactresponsibilitiesoftheDPOinthecompanyandalsoanybreachesofobligations.Anindividualcontractualregulationwhichis in line with the General Data Protection Regulation and which specifies the tasks andobligations of the data protection officer mentioned therein, should not be objectionablewith regard to the liabilityof the internaldataprotectionofficer fromthepointofviewoflabourlaw.

Notincludedintheliabilityprivilegesoflimitedemployeeliabilityareanyclaimsfordamageswhich a data subject himself could hold against a data protection officer. Since the datasubjecthimselfasarulehasnocontractualrelationshipwiththedataprotectionofficer,thedatasubject'sclaimsagainstthedataprotectionofficermayonlyarisefromthepointofviewofacontractwithprotectiveeffectinfavourofthirdpartiesorfromtortlawinaccordancewithArticle823ff.BGB(GermanCivilCode).

Forexample,acontractwithaprotectiveeffectinfavourofthirdpartiescouldbeseenintheagreementbetween the internaldataprotectionofficerandhisemployerunderwhich theemployee takesover thedutiesofdataprotectionofficer.Anexampleof thiscouldbe theemploymentcontractofapersonoriginallyemployedasdataprotectionofficerorofa

94Gola/BrinkinBoecken/Düwell/Diller/Hanau,GesamtesArbeitsrecht(Completelabourlaw),1stedition2016,Article4gBDSG,marginal1095Marschall/MüllerZD2016,415,42096Marschall/Müller,loc.cit.

50

supplementary agreement to the employment contract concerning the duties of the dataprotectionofficer.

Acontractwithprotectiveeffect infavourofathirdparty isa legal institutioninwhichthetwopartiestoacontractextendtheprotectionofthecontracttoanuninvolvedthirdparty(e.g.oneoran indefinitenumberofdatasubjects).Suchacontract is characterisedby thefactthattheclaimtothemainservicesoftheemploymentcontractissolelyduetothetwocontracting parties, but the third party is included in the contractual duties of care andcustodyinsuchawaythathecanassertcontractualclaimsfordamagesintheeventoftheirinfringement.Theinclusionofathirdpartyintheprotectiveeffectofacontractpresupposesthat the senseandpurposeof thecontractand the recognisableeffectsof thecontractualservices on the third party require its inclusion, taking account of good faith, and that acontracting party, recognisably for the other contracting party, can reasonably expect thatthe care and attention owed to it will also be extended to the third party to the sameextent.97

Sofar,nolegalviewhasbeentakenthattheemploymentcontractbetweenaninternaldataprotectionofficerandthecontrolleroranyotherlabouragreementbetweenaninternaldataprotectionofficerandhisemployercaninfactbeconsideredasanagreementtoprotectanunpredictable number of data subjects. It cannot be assumed that the parties to such anagreement intend to extend the protection of the contract to data subjects, nor can it beassumed that this is in linewith the provisions of theGeneralData ProtectionRegulation.NeithertheGeneralDataProtectionRegulationnorthedraftoftheplannedAdaptationActprovide for any direct liability or any further liability on the part of the data protectionofficer.

Althoughthedataprotectionofficerwillcontinuetobereferredtoasthe"lawyerofthedatasubjects"infuture(Article38(4)and(5)GDPR),98thisis,however,hardlytobeunderstoodasmeaningthatthedatasubjectsintheirentiretyshouldbeincludedinthescopeofprotectionofacontractualagreementbetweenthedataprotectionofficerandthecontroller.

It isthereforeconceivablethatonlyaclaimunderso-calledtortlawpursuanttoArticle823ff. BGB (GermanCivil Code) remains. In this context, however, it shouldbenoted that thedamagesincurredmustbecausedbythedataprotectionofficer'sbreachofduty.SincetheGeneralDataProtectionRegulationhasnomeansbywhichthedataprotectionofficercouldeffectively enforce his suggestions or proposals, the causal link between the failure tomonitororotherwisecarryouthisdutiesislikelytobemissinginmostcases.

It should also be pointed out that, pursuant to Article 24GDPR, the processing of data inaccordancewiththeprovisionsoftheGeneralDataProtectionRegulationistheresponsibility

97LAGHessen,jurisdictiondd.29.1.2015-5Sa922/1498Jaspers/ReifRDV2016,61,65;Lepperhoff/Müthlein,loc.cit.p.86

51

of the controller. According to the concept of theGeneralData ProtectionRegulation, thedata protection officer assumes a function within the framework of compliance.99 Thequestion of liability by omission in general will still have to be dealt with within theframeworkoftheanswertoquestion1.3.3.

Theinternaldataprotectionofficerisliableforculpablebreachesofdutyinthesamewayasotheremployees.Duetotheoperationalactivitycarriedoutbyhim,hebenefitsfromanemployeeliabilityprivilege.

1.3.2 Question:"Underwhatconditionscantheexternal(servicecontract)dataprotectionofficerappointedbeheldliable?

Theexternaldesignateddataprotectionofficershallbeliableinaccordancewiththerelevantcivil lawregulations. Itrequires-asdescribedindetailaboveunderpoint1.3.1-aculpablebreachof a contractual or statutoryobligation toperform.However, he is not liable like acomplianceofficer,ashe-asalreadydescribedinthisexpertopinion-isnotobligedtoact.100

Asmentionedabove,therearenospecialrequirementsforexternaldataprotectionofficers.Heshallbeliableonacivil-lawlevelwithoutanyspecialcivil-lawfeatures.Inthecaseofanagency agreement in accordance with Article 675(1) BGB (German Civil Code), as it existswithanexternaldataprotectionofficer,therearenospecialliabilityprovisions.Inprinciple,theexternaldataprotectionofficeristhereforeliableaccordingtotheconditionsdescribedatthebeginning.Aliabilityprivilegesimilartothelimitedemployeeliabilitydescribedaboveisnotapparent.

TheGeneralDataProtectionRegulationstandardises-asalreadydescribedunderpoint1.3.1above - a large number of tasks that the data protection officer is responsible for and indoing so is not fully transparent and unambiguous in every respect.101 Some misleadingwordingistothedetrimentofthelegalcertaintyofthecompaniesandultimatelyalsotothedetriment of the data protection officers themselves due to a certain legal uncertainty.102However, it is in principle up to the claimant to present and prove the factswhich are tosupporthisclaim.Thisrelativeuncertaintyaboutthetasksanddutiesofthedataprotectionofficer, which stems from the General Data Protection Regulation, is exacerbated by theconsequences of a culpable breach of duties on the part of the internal data protectionofficer,whicharethemselvesdifficulttoforeseeinpractice.

Due to theuncertaintiesoutlinedabove, itmaybeadvisable inpractice topreciselydefinethe individual tasks and duties of the data protection officer in the company in theconsultancyagreementoftheexternaldataprotectionofficer.Thiswouldachieveclarityforboth

99Klug,ZD2016,315,318100Cf.zurstrafrechtlichenHaftungdesCompliance-OfficersundderentsprechendenRechtsprechungdesBGH(thecriminalliabilityoftheComplianceOfficerandthecorrespondingjurisdictionoftheBGH)below,Article2.2.1101Marschall/MüllerZD2016,415,420102Marschall/Müllerloc.cit.

52

parties as to the exact tasks of the data protection officer in the company and also withregardtoanybreachesofobligations.

Itisalsopossibletocontractuallyextendthetasksanddutiesofthedataprotectionofficersothat thecompanygrantshimtheauthority to issue instructions for theperformanceofhistasks.However,thiswouldthenalsoleadtoanexpansionoftheliabilityriskdescribedhere,as it would then also be subject to an obligation to act, particularly in the context ofmonitoring.103 Thus, by granting authority to issue instructions, companies could alsodeliberatelyforceanintensificationofliabilityrisks.It isthereforetoberecommendedthatthe data protection officer moves within the scope of his tasks as standardised by theGeneralDataProtectionRegulation-indetailconcretisedbycontractprovisions-butthat,ifpossible,noadditionalpowerstoissueinstructionscanbegranted,becausethiscanleadtoacivil-lawshiftinliabilitytothedetrimentofthedataprotectionofficer.

The external data protection officer is therefore fully liable for any damage originatedcausally by himunless there is a contractual limitation of liability. Point 1.3.3 still explainshowtoassessthedamage.

In addition, any claims for damages by a data subject against the external data protectionofficermayalsobeconsidered.Sincethere isnocontractualrelationshipbetweenthetwo,only claimsarising fromtheaspectof thecontractwithprotectiveeffect in favourof thirdpartiesorfromtortlawaccordingtoArticles823ff.BGB(GermanCivilCode)maycomeintoquestionatall.

Acontractwithaprotectiveeffect in favourof thirdpartiescouldbeseen, forexample, inthecompany'sconsultancyagreementwiththeexternaldataprotectionofficer.Pleaserefertopoint1.3.1 foranexplanationof theagreementwithprotectiveeffect in favourof thirdparties.Onthesamegrounds,aliabilityconstellationsuchasthiswithregardtotheexternaldata protection officer should be rejected, as it cannot be seriously assumed that thecontractual agreements between the external data protection officer and the companyshould include an unforeseeable number of data subjects in their protective effect. Inparticular,thereisnothingofthekindintheconsultancyagreementsubmitted.

Inordertoavoidrepetitions,referenceisalsomadetotheremarksinpoint1.3.1withregardtoclaimsbythedatasubjectundertortlaw.Therewillnormallybenodamagecausedbyabreach of duty, as the data protection officer has no means of effectively enforcing hissuggestionsandproposals.Unlikeanemployee,theexternaldataprotectionofficercannotinvokeananalogous limitationof liabilityunder tort law.He is liable inprinciple to the fullextent.

103SoprobablyalsoMarschall/Müllerloc.cit.

53

Itisthereforeadvisabletotakeoutacontractuallimitationofliability(seepoint1.3.4below)and/orathird-partyliabilityinsurancepolicytocoverthis.

Thequestionmustthereforebeansweredinsuchawaythattheexternal,designateddataprotectionofficerisliableinaccordancewiththerelevantcivillawprovisions,withoutanyintrinsicprivilegedliabilitybeinggrantedtohim.

1.3.3 Question:"DataprotectionofficersareresponsibleformonitoringcompliancewiththeGDPR.Isliabilityconceivableforsanctionsintheeventofafailuretomonitor?Whatconditionsarenecessaryforthis?"

Article 39(1)GDPR assigns the data protection officer primarily informational and advisorytasks as well as monitoring and cooperation tasks. This provision corresponds to thequalificationwhichArticle37(5)GDPRpresupposes.Article39(1) lit.aGDPRcorrelateswiththedirectreportinglinetothehighestmanagementlevellaiddowninArticle38(3)sentence3GDPRandobligesthedataprotectionofficertoinformseniormanagementofthecompanyorauthorityaboutprocesseswhicharerelevanttodataprotection.Theadvisorydutylinkedto this duty to provide information requires that the data protection officer proposesmeasurestocomplywithEuropeanandnationaldataprotectionlaw.104

However, it is also the responsibility of the data protection officer tomonitor compliancewith the provisions of the General Data Protection Regulation and other European andnationalrulesinthecontroller.ThistaskresultingfromArticle39(1)(b)oftheGeneralDataProtectionRegulationcertainlyrepresentsa"paradigmshift".105

Asstatedaboveunderpoint1.3.1,the internaldataprotectionofficer is liableaccordingtothe principles of employee liability set out above. If the internal data protection officerculpably breaches his obligations under the employment contract and his duties as dataprotectionofficer,heshallbe liableforthedamagecausedbyhim,taking intoaccounttheprinciples of employee liability. In this context, however - as alreadymentioned above - itmust be taken into account that the data protection officer has no possibility ofimplementinghissuggestionsandideasvis-à-visthecontrollereitherundertheprovisionsofthecurrentlyapplicableFederalDataProtectionActorundertheprovisionsof theGeneralDataProtectionRegulation.Theprimaryresponsibilityandalsothe finaldecisionalways liewiththecontroller.

Itmust therefore be taken into account that the data protection officer, despite hismanytasksandobligations,cannotforcethecontrollertoimplementthemeasuresthatwouldberequiredtocomplywiththerulesoftheGeneralDataProtectionRegulation.

104Klug,ZD2016,315,318105Marschall/Müller,ZD2016,415,418

54

Ifthedataprotectionofficerculpablyfailstomeethismonitoringobligationsinaccordancewith Article 39(1) (b) GDPR, a corresponding liability is, in fact, justified. However, liabilitywouldonlybeconsideredifthesanctionbythesupervisoryauthoritywouldnothavebeenimposed if the data protection officer had exercised his monitoring function. In structuralterms,apossibleliabilityofthedataprotectionofficerisgenerallylinkedtoafailuretofulfilthe tasks and duties of the data protection officer. In a case of omission, damage alwaysresultscausallythroughthedefaulteronlyifconductinaccordancewiththestandardcannotbeimpliedwithoutthedamageincurredceasingtoexist.Consequently,thedataprotectionofficermayonlybeheldliableforasanctionimposedbythesupervisoryauthorityifitcanbeproven that the controllerwouldnothave receiveda sanction imposedby the supervisoryauthorityifthedataprotectionofficerhadperformedhisdutiesproperly. Itmustthereforebeevident that thedataprotectionofficer's suggestionswere respected inall casesby thedataprotectionofficer.Evidenceofthiswillbedifficulttoprovideinindividualcases.

Asfarasthequestionaimsatwhetherafinethatisimposedcanbepassedon,notjustthecausality justifying the liability (see above) but also the resulting causality underlying theliabilitymustbeconsidered.

Itisnecessarytoclarifyattheoutsetthat,intheviewoftheauthorsofthisexpertopinion,thetaskofthedataprotectionofficerisnottoeliminatedataprotectioninfringementsfromtakingplacedespitemonitoring,andthattheconceptof"monitoring"cannotbebroadenedtosuchanextentthatitgivesrisetoanobligationtoactwhichcanbeusedtojustifyliabilityonthegroundsoffailuretoact.

The question of whether a fine can generally be passed on internally has not beenconclusivelyclarified.Ingeneral,itcanbesaidthatpassingonafineisonlypossibleifitcanbecausallyattributedtotheobligationsoftheinfringingparty.Intheconstellationsthatarepossiblehere,passingonafineisthereforealwaysruledoutifactionsaimedatavertingfineswere possible, because such actions do not fall within the duties of the data protectionofficer.

Inaddition,contributorynegligenceonthepartofthecontroller inaccordancewithArticle254BGB(GermanCivilCode)mayalsobeconsidered,sincethecontrollerishimselfobligedtocomplywithdataprotection,asexplainedabove.Thiscan lead toaminimisationof theclaimuptoanexclusionoftheliabilityofthedataprotectionofficer.Whatisdecisiveisthecaretakenbythecontrollerhimselfandtheextenttowhichhehasnotcarriedthisoutornotcarrieditoutproperly.Itisnecessarythatthecontroller,astheinjuredparty,hasignoredthecarethatareasonablepersontakesinhisowninterestinordertoprotecthimselffromthedamage.106 Since the controller is already obliged by the provisions of the General DataProtectionRegulationtocomplywiththedataprotectionprovisions,itispossibletoargue

106Cf.OetkerinMünchKommBGB,7thed.2016,Article254marginal30

55

that, inthecontextofhisorganisationalduty,anot inconsiderablecontributorynegligencecangenerallybeassumedifthedataprotectionofficer infringesmonitoringobligations.Forthesedutiesarealwaysalsoobligationsofthecontroller.

Inaddition,damage-promotingaspects,whicharementionedinArticle83(2)GDPR,cannotbepassedontothedataprotectionofficerduetoalackofcausality,asthesearenotwithinthe sphere of influence of the data protection officer. Only the measures taken by thecontrollertoreducethedamagesufferedbythedatasubjectspursuanttoArticle83(2)lit.cGDPRaregivenherebywayofexamples.

Ultimately, the imposition of the fine should be covered by the protective purpose of thestandard. Article 39(1) lit. b GDPR is designed, in the view of the authors of this expertopinion,insuchawaythatnoteverybreachofdataprotectionshouldbeprevented.Rather,thestandardisdesignedinawaythatmeansbreachesofdataprotectionarebroughttolightbyobtaininginformationandthatthesearethenremediedbythecontroller.Thismeansthatthe controller is responsible for data protection, and the data protection officer isresponsible for thecorrespondingadditionalcheck.A finewill thereforenotbecoveredbytheprotectivepurposeof thestandard.This isparticularlyevidentwith regard to thoseonwhomthesanctionsmentionedinArticle83GDPRareimposed.

However,thispositionisnotuncontroversial.

Accordingtotheauthorsofthisexpertopinion,aDPOisnotliableforsanctionsimposedonthecontrollerforlackofaccountabilityduetopoormonitoringbytheDPO.

1.3.4 Question:"Arecontractuallimitationsofliabilityanoption?"

For the internaldataprotectionofficer, limitationsof liabilityorevenexclusionsof liabilityagreedunder the termsof employment contracts or supplementary agreements are easilyconceivable. This applies at least to such infringements of legal obligations caused bymoderatenegligence.Damagescausedbygrossnegligenceoreven intentionallycanhardlybethesubjectofliabilityexclusionregulationsagreedinadvance.

However,inpracticeinworkinglife,itcannotbeassumedthatanemployerwillbepreparedto give a "carte blanche" from the outset to an employee taking over the post of dataprotectionofficer.Asexplainedabove,theliabilityofemployeeswithintheframeworkoftheemploymentrelationshipislimitedanywayonthebasisofthecase-lawoftheFederalLabourCourt. In addition, liability canonlybe considered in thecaseofdamage resulting causallyfromanomissionbythedataprotectionofficer.Thenumberofcases inwhichfullorevenmerelyextensiveliabilityoftheinternaldataprotectionofficerwillbeenforcedwillthereforeultimately remain quite limited.

56

Nevertheless,considerationsofoffering liability insurancecoverfordataprotectionofficersarelikelytofindfertileground.TheGeneralDataProtectionRegulationdoesnotexcludeanyfundamental liabilityon thepartofboth the internalandexternaldataprotectionofficers.Nevertheless,thiswillnotnecessarilyapplytoeverybreachofduty;duetothefactthatthebreach of duty will generally result from an omission, the potential claimant will have toovercomevarioushurdlesinordertopresenthisallegedclaims.Irrespectiveofthis,thereisalso the fact that the data protection officer, despite his extensive duties, only has acompliancefunctiontofulfilandisthereforeisplacedatbestbesidethecontroller,butdoesnot accept his obligation - in particular that derived from Article 24 GDPR - and cannotthereforebeprosecuteddirectlyforthis.

From a purely civil law point of view, limitations of liability within the framework of thestatutoryprovisionsarequitefeasible.Article276(3)BGB(GermanCivilCode)stipulatesthatliabilityforintentcannotbewaivedinadvanceforthedebtor.Thelawdoesnotprovideforfurtherexclusionsorlimitationsofliabilityinthecaseofanindividualcontract.

If,however,pre-formulatedcontractualconditionsareused,theadditionalprovisionsofthelawoftheGeneralTermsandConditionsmustbeobserved.Thisisalreadythecaseifapageuses a sample contract that is intended for multiple use, even if it is actually used onlyonce.107

If General Terms and Conditions exist, these shall be measured against the specialrequirementsofArticles307to309BGB(GermanCivilCode).Theseareintendedtoensurethatthereisnoone-sidedshiftininterestsasaresultofonepartyimposingitsconditionsontheother.

A limitation of liability is then only possible in accordance with Articles 307 to 309 BGB(GermanCivilCode),wherebycase lawcriticallyopposesa limitationof liabilityandusuallyonlyapprovesitwithinnarrowlimits.

1.4 Appendixquestions

Question:"DoappointmentsmadeundertheBDSGremaineffectiveundertheGDPRasthedesignationofthedataprotectionofficer?

Asalreadyelaboratedinthecontextofthisexpertopinion,theprerequisitesforamandatorydesignationof thedataprotectionofficerpursuanttoArticle37(1)GDPRand, inparticular,Article 5 BDSG-new and Article 38(1) BDSG-new are largely tied to the provisions of thecurrently applicable Federal Data Protection Act. There are therefore practically noconceivable case constellations in which, according to previous law, a mandatoryappointmentofthedataprotectionofficerhadtobe implemented,butunderthenewlawnomandatorydesignationwouldhavetobemade.

107Cf.GrüneberginPalandt,76thedition2016,Article305BGBmarginal9

57

Againstthisbackground,itcanbeassumedthatthepreviousappointmentswillcontinuetoexist as designations of a data protection officer even after the General Data ProtectionRegulation comes into force. In this context, the renewed consideration of the sense andpurposeoftheGeneralDataProtectionRegulationandalsotheBDSG-newistobebasedonthe assumption that the new introduction and entry into force of the General DataProtectionRegulationwillnotendangerorcompletelyreorganisetheGermansystemofdataprotection officers in companies and administrations. If the national legislator in Germanyhasalreadydecidedtoultimatelyretaintheappointmentconditionsregulated inArticle4f(1)BDSGasfaraspossibleevenunderthevalidityoftheGeneralDataProtectionRegulation,it is logical to assume that data protection officers appointed under the validity of thecurrently applicable Federal Data Protection Actwill in principle remain in office after theGeneralDataProtectionRegulationcomesintoforce.

Inprinciple,appointmentsmadeundertheFederalDataProtectionActcontinuetoexist,butthedutiesandlegalpositionofthedataprotectionofficerwillinfuturebegovernedbytheGeneralDataProtectionRegulation.108

1.4.1 Question:"Aretheredifferencesbetweeninternal(employed)andexternal(seesamplecontract)dataprotectionofficers?”

There should be no differences between internal and external DPOs as regards thecontinuity of previous appointments as designations under the General Data ProtectionRegulation.

The consultancy agreement provided as a model already ties in with the General DataProtection Regulation in Article 1. Even if the relevant consultancy agreement did notmentiontheprovisionsoftheGeneralDataProtectionRegulation,itisunlikely,onthebasisoftheconsiderationssetoutabove,thatanappointmentundertheFederalDataProtectionAct will be eliminated by the introduction of the General Data Protection Regulation. Theappointments remain effective as designations. Their legal consequenceswill be governedexclusivelybytheGeneralDataProtectionRegulationfromthetimeofitsentryintoforce.

1.4.2 Question:"Willimpliedappointmentsbeanoptionthroughcontinuationoftheactivity?"

Asthepreviousappointmentswillcontinuetoapplyandbeconsidereddesignations,impliedappointmentsbycontinuationoftheactivityarenotlikelytobenecessary.

108Jaspers/ReifRDV2016,61,62

58

Ashasalreadybeenelaborated in thecontextof thisopinion, theGeneralDataProtectionRegulation on data protection also assumes that a unilateral act, the appointment, by thecontroller, is required in order to obtain the post of data protection officer. An impliedappointment is therefore inconceivable. Incontrast to theFederalDataProtectionAct, theGeneralDataProtectionRegulationdoesnotrequirethedesignationtobeinwriting,butitdoesrequireanactbywhichthedataprotectionofficerisbroughtintooffice.

Duetothecircumstancesoutlinedabove,animplieddesignationofadataprotectionofficerisnotnecessary.Earlierappointmentsaccordingto theFederalDataProtectionAct remaineffectiveasdesignations.

2. CriminalstatusofthedataprotectionofficerundertheGDPR

2.1 PreliminaryquestionsabouttheGDPR

Explanationofthequestioner:"Thepreviousactivityofthedataprotectionofficertypicallyconsistsofbecomingactivewhenprocessesarebroughttohimorwhenhegainsknowledgeofprocessesrelevanttodataprotection,evaluatingtheseprocessesandpointingthemouttothemanagementor, ifprior checkingof theseprocesseswasnecessary, carrying themout.However,hedidnothavetheobligationto1.ensure(organisationally)thathewasawareofall(dataprotectionrelevant)transactionsand2.monitororevenensuretheimplementationofhisopinion/statements.

AccordingtotheGDPR,thecontroller(intheterminologyoftheBDSG:responsiblebody)hasprocedural/organisationaldutiestocomplywiththerequirementsoftheGDPR(e.g.Articles5,12,24,32,35,36GDPR). In contrast to theprior checkaccording to theBDSG, thedataprotectionimpactassessmentisalsotheresponsibilityofthecontroller."

2.1.1 Question:“Isthereadutyfordataprotectionofficerstoobtainknowledgeofprocessesrelevanttodataprotection?”

AccordingtotheunderstandingofthetasksofthedataprotectionofficeraccordingtoArticle39GDPR represented in thisexpertopinion, theseare tobeunderstoodwith reference tothedetailedderivationunderpoint1.3.0.1totheeffectthataccordingtotheGeneralDataProtectionRegulationthedataprotectionofficer isobliged,within thescopeofhisduty toreviewand control, tomonitor the existingdata protectionorganisationwith regard to itscompliancewithdataprotectionlawandinternalrequirements.Thisresultsinan“observer”capacity, during the exercise of which the data protection officer reports relevant dataprotectionprocessestothecontroller.

59

Article39(2)GDPRregulatesthatthedataprotectionofficershalltakedueaccountoftheriskassociatedwith theprocessingoperations in theperformanceofhisduties. The risk-basedapproachoftheGeneralDataProtectionRegulationisthusalsoreflectedinhisactivities.

Fromthisitcanbeconcludedthatthemorethenature,extent,circumstancesandpurposeof theprocessing sodemand, themore comprehensively and carefully thedataprotectionofficerisrequiredtoexaminethedataprotectionrisks.Thisriskassessmentshallbecarriedoutbythedataprotectionofficerathisowndutifuldiscretion.109

In view of the risk-based approach and the data protection officer's duty to review theexistingdataprotectionorganisationandtoreporttoseniormanagement,itisessentialforthedataprotectionofficer-at leastwithan increasingriskappetite- togainknowledgeofprocesses relevant to data protection if he is to fulfil his duties effectively. As a rule, thiscertainlydoesnotincludetheacquisitionofknowledgeofindividualfactsbymeansofone'sownresearch,butratherknowledgeofthebasicworkflowoftheprocessesrelevanttodataprotectionthatunderpinthestructureoftheexistingdataprotectionorganisation.

2.1.2 “Doesthedataprotectionhaveadutytomonitororevenensurethathisinstructionsorspecificationsarefollowed?”

The understanding of the term "monitoring" according to Article 39(1) lit. b GDPRrepresentedinthisexpertopiniondoesnotconstituteanobligationforthedataprotectionofficertomonitortheimplementationofhisinstructionsandspecificationsoreventoensurethis isdone.Asdescribedinpoint1.3.0.1.3ofthisopinion,thedataprotectionofficer lacksthenecessaryauthority to issue instructions inorder toensureeffectivemonitoringof theimplementation of his instructions and specifications by the controller in the sense of thequestion. Thus, he is not obliged to actively investigate possible breaches of dataprotection.110Ifthedataprotectionofficer,intheexerciseofhisobservationalrole,discoversthat his instructions or specifications are not implemented in the data protectionorganisationalstructure,hemust(again)reportthistothehighestmanagementlevelwithintheframeworkofhisreportingobligationpursuanttoArticle38(3)GDPR.Withregardtothequestionofreportingintervals,i.e.theperiodoftimethatthedataprotectionofficerhastoreview a reaction of the company management to his instructions and specifications,referenceshouldagainbemadetotherisk-basedapproachofArticle39(2)GDPR.Thehigherthedataprotectionofficer’sassessmentoftheriskinanareaaddressedbyhimandthemoreurgent the recommendation for actionderived from it is, the faster hewill have to report(again) to senior management in the performance of his duties if he finds an inadequateresponsetotheimplementationofhisfindings.

109BergtinKühling/Buchner,Datenschutz-GrundverordnungKommentar(GeneralDataProtectionRegulationCommentary),2017,Article39marginal23110Seeaboveunder1.3.0.1.3.

60

Thepointofreferenceforhisfindingsisagainthedataprotectionorganisationalstructureofthecontrollerandthechangesmadetomodifyit.

On the other hand, the data protection officer does not have the authority to issueinstructions in order to remedy the detected infringement himself. The data protectionofficeristhereforenotobligedtoremedyadataprotectioninfringementhimselfwithinthescopeofthemonitoring.

2.1.3 Question: “Does the data protection officer have a duty to set up a data protectionorganisationforhisactivitiesinadditiontothatwhichthecompanyisrequiredtosetup(seeArticles5,12and24oftheGDPR)?”

Havingregardtotheopinionexpressedinthepresentreportontheconceptof"Inthecaseof"monitoring"pursuanttoArticle39(1)lit.bGDPR(cf.above,point1.3.0.1.3),itshouldbenotedthatthedataprotectionofficerhasneithertheremitnortheauthoritytoset up a second data protection organisation in order to prevent infringements of dataprotectionprovisionshimself.Thistaskisclearlyassignedtothecontroller,whoaccordingtoArticles5,12,24GDPRmusttakemeasures,keepevidenceorprovideinformationthroughappropriateactionsaccordingtothewordingofthelaw.

AstrongargumentforthisunderstandingisthattheCommission’sdraftstillprovidedfortheobligation of the data protection officer to ensure documentation within the meaning ofArticle28GDPR-E.111Theabandonmentofthispositionwithintheframeworkofthetriloguenegotiations shows that a broad understanding of the data protection officer's powers ofintervention was ultimately not able to gain acceptance. The task of ensuring a certainprocedure represents a clear "added" responsibility compared to the task of monitoringcompliancewithdataprotectionregulations.

2.2 Criminalliability

Explanation of the questioner: "In order to answer the following questions, only theobligationsforthedataprotectionofficerresultingfromGDPR-i.e.theintrinsicobligationsofthedataprotectionofficer-aretobetakenintoaccount".

Noteof theauthors: Theconceptualquestionof criminal liability shallnotbeanswered inthe following in the senseof theGerman legal understanding, according towhich criminallawontheonehandandadministrativeoffence lawontheotherhandcanbeprosecuted.Rather,theconceptofcriminalliabilityisbasedona"broad"understandingofsanctionslawdetachedfromthis,sothatresponsibilityisalsotakenintoaccountfromthepointofviewofadministrativeoffencelaw.

111

BergtinKühling/Buchner,Datenschutz-GrundverordnungKommentar(GeneralDataProtectionRegulationCommentary),2017,Article39marginal5

61

2.2.1 Question:“Couldcriminalliabilityapplytothedesignateddataprotectionofficer?"

The sanction law under the General Data Protection Regulation only provides for fines inArticle83GDPR,theimpositionofwhichistheresponsibilityofthesupervisoryauthorities.According to Article 83(8) of the General Data Protection Regulation, this fine proceduremustbesubjecttoappropriateproceduralsafeguardsinaccordancewithUnionlawandthelawof theMemberStates, includingeffective judicial remediesanddueprocess.The formthattherightto judicial legalprotectiontakes istheresponsibilityoftheprocedural lawofthe respective Member State.112 In addition, Article 84 of the General Data ProtectionRegulationgivesMember States thepossibility toestablishother (additional) sanctions forinfringementsoftheGeneralDataProtectionRegulation,inparticularwhereArticle83GDPRdoesnotprovideforafineforsuchinfringements.

TheGermanlegislatorhasmadeuseofthisinChapter5ofthenewFederalDataProtectionActintheformofArticles41to43BDSG-new,whichcomesintoforceon25May2018.

TheFederalGermanprovisionsoftheAdministrativeOffencesActandtheGeneralLawsonCriminalProceedingsshallapplymutatismutandistothepunishmentofandproceedingsinrespectof an infringementpursuant toArticle 83(4) to (6)GDPR throughArticle 41BDSG-new.

BymeansofArticle42BDSG-new,theFederalGermanlegislatormakesuseofthepossibilityof sanctionsaccording toArticle83GDPR to createa criminaloffence. InArticle43BDSG-new,anadministrativeoffenceiscreatedinadditiontothesanctionsprovidedbyArticle83GDPR.

This leads to thequestionof the criminal liabilityof thedesignateddataprotectionofficeraccordingtotwocasegroups:

If the data protection officer leaves his intended role and deliberately commits unlawfulbreaches of data protection or acts as a result of a joint project in deliberate and wilfulcooperation with a person authorised to make decisions by the data controller or theprocessor, the data protection officer may be held criminally liable for deliberate andintentionalbreachesintheformofperpetrationorcomplicitythroughactiveactionoraidingandabetting.However,thesearelikelytoremainabsoluteexceptions.The second case group comprises cases inwhich an accusation couldbemadeagainst thedataprotectionofficertotheeffectthatheomittedacertainactandthereby(co-)causedthedata protection infringement. A responsibility by omission contrary to duty is possibletherebybothwithcriminaloffencesandwithmisdemeanours.

112 NemitzinEhmann/Selmayr,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),2017,Article83marginal11

62

Inbothcases,severalconditionsmustbemetinorderforthereultimatelytobeapossibilityofpunishmentintheformofanoffencebeingcommittedbyomission:

Ø Causality

Firstof all, it is highlyprobable that the infringementwouldhave ceased toexisthad thedataprotectionofficerperformedtheobjectivelynecessaryact. It isnecessary todemandconcrete indicationshere that seniormanagement, towhom thedataprotectionofficer isobliged to report,wouldactuallyhave followedtheproposedmeasure.Amere increase intheriskofan infringementthroughtheomissionof thedataprotectionofficer is thereforenotsufficienttoestablishthecausallink.113Sincetheauthorityofthedataprotectionofficerwillalwaysbelessthanthatofseniormanagement,anoverallresponsibilityforthedecisionbehaviouraccordingtotheprinciplesofacumulativeomission114cannotbeassumedhere.

Ø Guarantorstatus

If a causal link can be established in an individual case, the next prerequisite to examinewould be the existence of a guarantor status within the meaning of Article 8 OWiG(Administrative Offences Act) or Article 13 StGB (German Criminal Code). The followingappliesinthisrespect:

It was alreadymentioned in point 2.1.2 that, according to the understanding of the term"monitoring" as advocated by the authors of this expert opinion, there is an obligation toreviewtheorganisationalstructureunderdataprotectionlaw.ThisstructuremustbesetupbythecontrollerinaccordancewiththeprovisionsofArticles5,12,24GDPR.

TheunderstandingderivedinthiswayofthetaskofmonitoringpursuanttoArticle39(1)lit.bGDPRmustthenbeexaminedastowhetherthisestablishesapositionofguarantorforthedataprotectionofficer.Intheliteraturesofar,atleast,theprevailingviewrepresenteduptonow, according to the currently valid Federal Data Protection Act, was that no guarantorposition resulted for the data protection officer, in comparison with the decision of theFederalCourtof Justice,115withwhich inprincipleaguarantorpositionwasassignedtotheComplianceOfficer.In order to be able tomake an accurate assessment of the duties of the data protectionofficerpursuanttoArticle39GDPR,adetailedexaminationmust firstbecarriedoutoftheconsiderations of the Federal Court of Justice regarding the transfer of duties and anyresultingguarantorposition.Therelevantkeymessagesofthisdecisionareasfollows:

113BGH,jurisdictiondd.12.1.2010-1StR272/09114BGH,jurisdictiondd.6.7.1990-2StR549/89115BGH,jurisdictiondd.17.7.2009-5StR394/08

63

- By assuming obligations, legal liability in the sense of Article 13(1) StGB (GermanCriminalCode)canbejustified,whichleadstoculpabilityowingtofailuretocomplywiththeobligations.Thisisbasedontheconsiderationthatthosetowhomdutiesofcarefora particular source of danger are delegated also have a special responsibility for theintegrity of the area of responsibility assumed by them. To this end, it is first of allnecessary to determine the area of responsibility which the obliged person hasassumed,wherebyitisnotthelegalformofthetransferofobligationsthatisimportant,butthecontentoftheobligation,takingintoaccountthelegalbackground.

- The justification of the guarantor position can be derived from the assumption of a

certainfunction(e.g.radiationprotectionofficer)orfromaservicecontract.Inthelattercaseitdoesnotdependontheconclusionofthecontract,butontheactualassumptionoftheobligations.

- However,noteverytransferofobligationsconstitutesaguarantorposition in termsof

criminal law. In addition, a special relationship of trustmust normally be established,which induces the transferor to assign special duties of protection to the obligor. Inordertodeterminethecontentandscopeoftheguarantor'sobligation,thedirectionofthe transfer must be taken into account. If the assigned duties consist solely inoptimisinginternalprocessesanduncoveringandpreventingbreachesofdutydirectedagainstthecompany,theresponsibilitydoesnotgoasfarasiffurtherdutiesareadded,accordingtowhichthedataprotectionofficermustalsoobjecttoandpreventbreachesoflawemanatingfromthecompany.

The acceptance of a guarantor positionwithin themeaning of Article 13(1) StGB (GermanCriminal Code) is supported by further obligations, in particular the obligation assumedtowardscompanymanagementtopreventinfringementsofthelawandinparticularcriminaloffencesthroughpro-activeinvolvement.

According to the above-mentioned understanding of the task of monitoring pursuant toArticle 39(1) (b) GDPR derived from the authoritative English term "monitoring", it can beassumed for theareaof responsibilityof thedataprotectionofficer, asdeterminedby theobligations arising from the General Data Protection Regulation, that no position ofguarantorcanbederivedfromtheseoriginalobligationsalone.

However, thisassessmentonlyapplies intheeventthatthedataprotectionofficer'sactualunderstanding of his duties is strictly oriented along the tasks standardised in Article 39GDPR.Assoonasthedataprotectionofficertakesonanextendedrangeofduties-inactualpracticeorbycontractualassumption-theriskofbeingseenasaguarantorinthecontextofanassessmentexaminingtheindividualcaseincreasesforhim.

Insummary,withregardtocriminalliability,itcanbestatedthatinrareexceptionalcasesthis will be the case if the data protection officer deliberately and actively infringes hisduties.

64

Theoretically, there is also a risk in the question of responsibility (criminal law oradministrativeoffencelaw)forthecaseofomission-i.e.failuretoactinbreachofduty-which is relevant to practice. In this case, Article 84 GDPR not only provides for thepossibility of an offence under Article 42 BDSG-new by omission but also for the risk ofcommitting an administrative offence by omission. On the one hand, through Article 84GDPRintheformofArticle43BDSG-new.Ontheotherhand,however,alsoinaccordancewith Article 83 GDPR through Article 84 GDPR and the provisions of the GermanAdministrative Offences Act (OWiG) in the form of aiding and abetting offences byomission.Thiswillbediscussedinmoredetailinpoint2.2.2below.

Excursus:Article203StGB(GermanCriminalCode)

Theprescriptionof203StGB is tobe seenonlymarginallyasa further sanction risk in thecriminallawsense.

EvenbeforetheentryintoforceoftheGeneralDataProtectionRegulation,therewasariskthat the betrayal of secrets would be punishable under Article 203 (StGB) of the CriminalCode. This has not been mitigated by the provisions of the General Data ProtectionRegulation. On the contrary, Article 38(4) of the General Data Protection Regulation willincrease theriskofcriminal liabilityunderArticle203of theCriminalCode.Foran internaldata protection officer of a company who is not already considered as an active partypursuanttoArticle203(1)or(2)StGB,anoffencemayarisefromArticle203(2a)StGBinthecase of deliberate action if this person makes an unauthorised disclosure of a third-partysecret,whichwasentrustedorbecameknowntoa thirdparty (holderof thesecretwithinthe meaning of paragraphs 1 and 2), and of which he has gained knowledge in theperformance of his duties as data protection officer. The risk of criminal misconduct willincreaseevenfurtherbecausethedataprotectionofficerisrequiredundertheGeneralDataProtection Regulation to monitor compliance with data protection regulations and notmerelytoworktowardscomplianceashasbeenthecasetodate.

2.2.2 Question:"DoestheGDPRimposesanctionsonthedesignateddataprotectionofficer?WhichofhisobligationsaredirectlypenalisedbytheGDPR?"

Noinfringements,whetherintentionalorthroughnegligence,againstobligationsincumbentonthedataprotectionofficerunderArticle39GDPRarepunishableunderArticle83(4)to(6)GDPR.InsofarastheprescriptionofArticle39GDPRismentionedinArticle83(4)lit.aGDPR,it is limited to the obligations of the controllers and the processors. These are the targetgroups of the punitivemeasures.116 Consequently, theGeneral Data Protection Regulationdoesnotcontainanyobligationsdirectlypenalisingthedataprotectionofficer.

116NemitzinEhmann/Selmayr,Datenschutz-Grundverordnung(GeneralDataProtectionRegulation),2017,Article83marginal40ff.

117Marschall,ZD2014,66,6865

However,thelegalconstructofparticipationinanadministrativeoffencedescribedaboveinpoint2.2.1canalsoindirectlybeusedtopenalisethedataprotectionofficer.

Accordingtotheviewexpressed inthisexpertopinion, thestandardiseddutiesof thedataprotection officer extend to reporting to senior management and audits of the dataprotection organisational structure introduced and implemented by the controller. Theobligation to reporthas takenplace inproper applicationofArticle 39(2)GDPR. Themorecriticalthenatureofthedataprocessed,thelargerthescope,theriskierthecircumstancesandthewiderthepurposeoftheprocessing,themorecloselythereportingmustbemadetosenior management. Further obligations, such as actively investigating data protectioninfringements or remedying established infringements, do not affect the data protectionofficer in termsof the tasksassigned tohimby theGeneralDataProtectionRegulation. Inthis respect, a more extensive range of obligations can only result from an individualcontractual transferorade factodifferenthandlingofhis role inthecompanybythedataprotectionofficer.

Insofar as it is also a decisive factor for determining the position as a guarantor that theduties incumbent on the data protection officer should also serve precisely to protect theinfringed legally protected right (here, clearly, data protection), no separate discussion isrequired.Thisisobvious.

Asregardstheroleofguarantor,understandingofthetasksofthedataprotectionofficerinthis expert opinion, in particular the role of “monitoring”, does not imply that theduty ofguarantor goes beyond proper reporting to senior management. Accordingly, a more far-reachingguarantorstatusonlyarises if thedataprotectionofficer isgranted furtherdutiesand powers (command and decision-making powers) by way of delegation. Here, theassumption of a position as "monitoring guarantor" is obvious. It should be noted that, inadditiontoadelegationagreed inan individualcontract, theactualexerciseof thepowerswiththeapprovalofcompanymanagementwillalsobesufficientinthisrespecttobeabletoassumeacorrespondingpositionofmonitoringguarantor.

Themorefar-reachingapproachtothepositionofthedataprotectionofficerasaguarantor,accordingtowhichevenwithoutcommandanddecision-makingpowersandbyvirtueofhisenormous information and knowledge advantage and the possibility of involving thesupervisory authority, he would have a position as a monitoring guarantor,117 is to berejectedastoofar-reaching.A special caseof theguarantorposition is thebreachofdutyofprior conduct (ingerence),whichwithregardtothereportingobligationmayresultfromincorrectoromittedreporting.Theguarantor'sposition,however,onlyextendsinthisrespecttothesourceofdanger

122BGH,jurisdictiondd.18.4.1996-1StR14/9666

created by the breach of duty,118 i.e. the inaccurate part of the data protection officer'sstatementsinthecontextofhisreporting.

Once the position of guarantor has been established, the failure to act in breach of dutyaccused in each case must also have led to a causal breach of data protection law. As amatterofprinciple, thecommentsoncausalityasmade in thepreliminary remark inpoint1.3.0ofthisexpertopinionshallapply.Itisthereforenecessarytocomparetheactualcausalcoursewiththehypotheticalcoursewhichwouldhaveresultedifthedataprotectionofficerhadactedcorrectly.As faras thecriminal-lawassessment is concerned, itmustbeseen inthisrespectthatintheareaofaidingandabettingoffencesbyomission,fewerdemandsonthepartofthecourtsaremadeoncausalitybyomissionthanisthecasewithperpetrationbyomission - the absence of success with the offence with a probability bordering oncertainty.119

However,forthedataprotectionofficer,criminalresponsibilityforthequestionofcausalitytestingmayfailbecauseofthequestionoflegitimatealternativeconduct.Accordingtocase-law,120 causality and the attribution of success do not apply if the factual success (here:infringementofdataprotection)wouldhaveoccurredevenwithouttheadditionalnecessaryaction of the data protection officer. It is therefore necessary to determine how seniormanagement would have reacted if the data protection officer had reported to them. Inaddition to the statutory provisions of the General Data Protection Regulation, internalregulationsbetweenthecompanymanagementandthedataprotectionofficerwillalsohavetobetakenintoaccountinthiscontext,insofarastheycontaininstructionsforhisreporting.Iftherearedoubtsastowhetherthebreachofdataprotectionlawwouldalsohaveoccurredif the data protection officer had reported properly, the principle of "in favour of theaccused"appliesincriminallaw-incontrasttothequestionofcivilliability-sothat,incaseofdoubt,thenecessarycausalitynolongerapplies.

Finally,thedataprotectionofficermustalsohaveactedintentionallyasaguarantorinviewof his failure to act. Although the uniform offender concept of Article 14 OWiG(AdministrativeOffencesAct)applies toadministrativeoffence law, therequirementof thedoubleintentiontoassist121 isalsorecognisedbythecaselawhereinordertoavoidunfairunequal treatment between criminal law and administrative offence law. Conditionalintent122 suffices in this respect for the alleged omission. For this to be accepted, it issufficient that he is aware of the general risk of an as yet unspecified data protectioninfringementthroughhisomission.Hismotiveforinactionisirrelevant.Thismayalsobeduetothedesiretoavoidconflictwithseniormanagement.Anassumptionoftheweakestformof intent - conditional intent (dolus eventualis) – is not precluded if the data protectionofficerdoesnotwishsuccess(breachofdataprotectionlaw)orevenexpresslydisapprovesofit.

118BGH,jurisdictiondd.17.7.2009-5StR394/08119BGH,jurisdictiondd.16.1.2008-2StR535/07120OLGStuttgart,jurisdictiondd.19.6.2012-20W1/12121BGH,jurisdictiondd.14.2.1985-4StR27/85

67

For possible penalisation of the data protection officer according to Article 83 GDPR inconnectionwiththeprovisionofArticle14OWiG(AdministrativeOffencesAct)viaArticle84GDPR, itmust be taken into account that administrative offence lawonly knows the term"uniform offender". In contrast to the area of criminal law in which a distinction ismadebetweenperpetratorsandparticipants,administrativeoffenceslawonlyknowstheuniformconceptofperpetrator.BysimplifyingArticle14OWiG,itispossiblethateventhosewhoarenot the target group of this provision may also be the perpetrator of an administrativeoffence. Under Article 14OWiG, the data protection officer could also be the conceivableperpetrator of an administrative offence within themeaning of Article 83 GDPR, becauseArticle14(1)sentence2OWiGstipulatesthatthepossibilityofpunishmentalsoexistsiftheparticular personal characteristic is only present in the case of one participant (here:controller).

However, this broadpossibilityofpunishment is correctedby the fact that,with regard tointent, the requirements that apply in theareaof criminal law to formsofparticipation ininstigatingandaidingandabettingare required to thesameextent123.Thedataprotectionofficer would therefore have to have an intention himself, both in terms of his owncontributiontotheoffence(helpingthecontrollertocommitanoffence)andintermsoftheintentionaloffencecommittedby the controller. Thecausalityof theparticipation requiresthatthedataprotectionofficermusthaveobjectivelypromotedorfacilitatedtheactofthecontrollerthroughhiscontribution.

In conclusion, it must be stated in summary that it is highly unlikely that the dataprotectionofficerwillbeheldresponsibleundersanctionslawifheactswithinthescopeofhisdutiespursuanttoArticle39GDPR.Accordingtotheviewexpressedhere,thescopeofobligations under Article 39 GDPR does not include any guarantor status required for asanctionduetofailuretocomplywithanobligation.

However,theriskofsanctionsincreasesforthedataprotectionofficertotheextentthat-asaresultofindividualcontractualprovisionsordefactohandlingapprovedbycompanymanagement - he expands his scope of duties. The more he assumes command anddecision-makingpowers, themore likelyhe is tobeawardedaguarantorposition in theeventofhisfailuretoactinaccordancewithhisduties.

2.2.3 Question:“Doesthedesignateddataprotectionofficerhaveageneraldutytoprevent

breachesofdataprotectionwithinthecompany"?

Again,theobligationsdefinedforthedataprotectionofficermustbetakenintoaccount.Ageneralobligationtopreventdataprotectioninfringementsinthecompanyintheformofanactivedutytotakeactioncannotbeseenhere.

However, theobligation tomonitor theorganisational structureunderdataprotection lawandthemoreextensivereportingobligationtoseniormanagementlevelmeanthatthereisanindirectobligationtomonitortheinstrumentsprovidedbythecompanytopreventdataprotectioninfringements.

123OLGDüsseldorf,jurisdictiondd.31.8.2001-2aSs149/02-46/01II

68

Here,too,itisnecessarytorecalltherisk-basedapproachstandardisedinArticle39(2)GDPR,accordingtowhichthedataprotectionofficerinhisindependentpositionmustcarryouttheriskassessmenthimselfaccordingtohisdutifuldiscretion.

The prevention of breaches of data protection can, however, only refer in this respect toreviewingtheorganisationalstructures introducedbythecontroller,whichare intendedtopreventabreachofdataprotectionprovisions.However,activeinterventiontoeliminateorprevent individual infringements should not be regarded as part of the data protectionofficer'sdutiesintheabsenceofappropriatepowersofinstruction.Thiscould,ifnecessary,be done by means of a corresponding individual contractual agreement between thecontrollerandthedataprotectionofficerwithregardtohispowers.

Ithasbeendecidedunderconstitutionallawthatonlyapurelydefactopossibilityofavertingsuccessormoraldutiescannotconstituteaguarantor,124,whichiswhythequestionisbasedexclusivelyonthescopeofdutiesoftheindividualcasetobeassessed.

2.2.4 Question:“Doesthedesignateddataprotectionofficerhaveanobligationtopreventcertaindataprotectionbreacheswithinthecompany?”

For the reasons stated in point 2.2.3, an obligation to prevent certain breaches of dataprotectionmustalsobenegated.

2.2.5 Question: "Control tasks are one of the main obligations formulated for data protectionofficers.Cansanctionsresultdirectlyfromalackofcheckswithinthecompany?"

As described aboveunderpoint 2.2.2, thedataprotectionofficer is exposed to the risk ofsanctions due to a lack of control in the company by participating in an administrativeoffencebasedonhisfailuretocomplywithhisduty.

Themonitoringofthedataprotectionorganisationstructureofthecontrollercanthereforelead toa sanctionunder the conditions listed there. Inaddition toArticles41 to43BDSG-new, the possibility of sanctions is also opened up by the possibility of sanctions underadministrativeoffencelawpursuanttoArticle83GDPRintheformofparticipationthroughnon-compliantomission.

124BVerfG,jurisdictiondd.21.11.2002-2BvR2202/01

69

2.2.6 Question: 'Does the designated data protection officer have an obligation to prevent dataprotectionbreacheswithinthecompanyifhehaspreviouslypointedouttheillegality?

The view expressed in this expert opinion is that there is no obligation to prevent dataprotection infringements. As already stated several times in this expert opinion, theobligationislimitedtoreportingtothemanagementofthecontroller.

Ifthedataprotectionofficerhasalreadypointedoutanunlawfulsituationdiscoveredbyhiminthecourseofhisreporting,itis,however,incumbentuponhim,againstthebackgroundofArticle39(2)GDPR,topayparticularattentiontothesituationdiscoveredandanyreactionsofthecontrollerto it inthecourseofhis futurereporting. If thedataprotectionofficernolongerpaysattentioninfuturereportingtothecircumstanceswhichhehasalreadycriticised,thismay result in an unlawful breach of duty and an associated breach of the guarantor'sposition.

2.2.7 Question:"IsthereadifferencebetweenwhethertheDPOisanemployeeofthecompanyoranexternalserviceprovider?"

With regard to the question of the quality of the perpetrator in terms of criminal law oradministrativeoffences,itisirrelevantwhetherthedataprotectionofficerisanemployeeofthecompanyoranexternalserviceprovider.Suchadistinctionisnotmadeaccordingtothenormsofcriminal laworadministrativeoffenceslaw.Theonlydecisivequestioniswhetherthe officer can be held responsible as a perpetrator or as an assistant (criminal law) in aspecificindividualcase.

In each case, the duties assumed by him and any further powers assigned to him byindividualcontractsshallbetakenintoaccount.

2.3 Delegatedtasks

Explanation of the questioner: "The previous practice under the BDSG suggests that thecontrollerwill transfercertain tasksof theGDPRto thedataprotectionofficer -at leastdefacto".

2.3.1 Question:"Forcriminalliability,isitnecessarytodistinguishbetween,ontheonehand,the

originaldutiesofthedataprotectionofficerand,ontheother,dutiesassumedbydelegation?

With regard to the question of the consequences of sanctions, it is not necessary todistinguish between infringement of the primary tasks of the data protection officer orinfringementofassumedduties.Asanctionisalwaysimposedifthebreachofdutyfulfilsthecriminal law requirements for the assumption of a guarantor position aswell as the otherconditionsoftheevidence.

70

However,asalreadymentionedabove(point2.2.2),responsibilityresultingfromtheprimarytasksofArticle39GDPRisunlikelytoariseintheeventofcarefulreportingintheabsenceoffurtherinstructionanddecision-makingpowersonthepartofthedataprotectionofficer.

Insofar as further duties and powers are conferred on the data protection officer bydelegation,thelatter'sriskofbeingheldcriminallyresponsibleintheeventofaccusablenon-fulfilmentofthesedutiesalsoincreases.

Point 2.2.1 states to the extent that it is decisive whether the data protection officer'sdelegatedauthority-contractualorfactual-authorityalsoincludes,inadditiontoreporting,therighttotaketargetedactionagainstindividualinfringementsbyissuinginstructionsandtakingaction,ortopreventsuchinfringementsonanindividualbasis.Accordingtothelegalview expressed in this expert opinion, the General Data Protection Regulation does notprovideforthispower.If,however,thedataprotectionofficerallowssupplementarytaskstobeassignedtohim,the implementationofwhichalso involvestheassignmentofextendedrights(righttoissueinstructionsanddecision-makingauthority)tohim,hisresponsibilitywillalsocometotheforeundercriminallawifhedoesnotexercisethedecision-makingleewayassignedtohimordoessocontrarytohisduties.

In this respect, theprovisionofArticle38(6)GDPR,according towhich thedataprotectionofficer may perform other tasks and duties, is of particular importance. However, thequestion towhatextentand inwhatarea theassumptionof furtherobligationsunder thisstandardincreasestheriskofcriminalliabilityisnotcoveredbythegivenquestion.Heretoo,theprinciplewillbethatArticle38(6)GDPRmustbeobservedforthedeterminationoftheconcretescopeofobligations.ThisgoeshandinhandwiththefactthattheassumptionofataskwhichinfringesArticle38(6)oftheGeneralDataProtectionRegulationisassociatedwithanincreaseintheriskundersanctionslaw.

2.3.2 Question:“Whendoesthedataprotectionofficerincurcriminalliabilityfordelegatedtasks?Istheformofdelegationofthetaskrelevantforthis?"

With regard to the riskof increasing criminal liability inherent in adelegation, reference ismade to the remarks under point 2.3.1. If an extended remit is transferred within theframeworkofthedelegation,itshouldbeclearlydefinedfromthepointofviewofthedataprotectionofficerastohowfarhispowersextendinordertobestavoidrisks.Inthecaseofparticularly risky transfers of tasks, the final decision-making authority should remainwiththecompanymanagement.Inhisowninterests,thedataprotectionofficermustdocumentthatthishasbeenobtained.

71

If the data protection officer has concerns about the legality of the implementation hefavourswhencarryingouthisdelegatedtasks,heshouldseekcontactwiththesupervisoryauthorityonhisowninitiativeinordertoavoidacriminalrisk.

Berlin,31.07.2017

Derra,Meyer&PartnerPartGmbBRAKonradMenz

APPENDIX1

Appendix1-Tipsforactiononimportantaspects:

• Donotassumeanyauthority,asthismayleadtoanextensionofliability.

The data protection officer of the company is not liable for any omission with regard to theobligations under the General Data Protection Regulation, because due to his lack of scope foractionheisnotobligedtoindependentlyremedyadataprotectioninfringement.However,ifheisgivenauthoritywithwhichhecouldendthedataprotectioninfringement,thequestionofthedutytoactarisesanew.Whetherthisdutytoact isbasedonthis,hasnotbeen,butthere isa liabilityriskthatcannotbecalculatedatthispointintime.

• Takeoutprofessionalliabilityinsurance.

Thisisnotmandatoryforexternaldataprotectionofficers,sincethecontractisaservicecontractwhichdoesnotinitselfprovideforsuchinsurance(unlike,forexample,doctorsorlawyers).Unlikethe internaldataprotectionofficer, theexternaldataprotectionofficerhasno liabilityprivileges.Forthisreason, it isadvisablefortheexternaldataprotectionofficertohaveappropriate liabilityinsuranceinadditiontoacontractuallimitationofliabilitytothesuminsured.

• Noobligationtorecastoramendexistingcontractualarrangements

TheGeneralDataProtectionRegulationandtheBDSG-newdonot lead toachange in thestatusandbasiclegalrelationshipofthedataprotectionofficer.Thereisthereforenoimmediateneedtoconcludenewcontractualagreements,suchasanewworkorservicecontract,onthebasisofthechanged legal framework alone.Nevertheless, it is advisable to reviewexisting contracts for anyneed for adjustment, as from 25 May 2018 only the provisions of the General Data ProtectionRegulationandtheBDSG-newwillapply;thecurrentFederalDataProtectionActnolongerapplies,notevenforatransitionalperiod.

• Definitionofindividualtasksanddutiesintheemploymentcontract

Dueto legaluncertainties, it isadvisabletopreciselydefinethe individualtasksanddutiesofthedata protection officer in the company in an original employment contract of an employeerecruitedasdataprotectionofficerorwithintheframeworkofanagreementontheassumptionofthepositionofdataprotectionofficer(inthecaseofasubsequentdesignationasdataprotectionOfficer).

• Considerationofowninterests

In order to avoid a personal sanctions or liability, the data protection officermust take his owninterests into account when performing his duties. If he does not have sufficient capacity toperformhisdutiesorifhefindsthatthestatementsmadeinhisreportstoseniormanagementarenottakenintoaccount,hewillhavetopresentthesecircumstancesagainandagaininacontinuousreportingprocess.Ifheisnotsureabouttheassessmentofthefactualorlegalsituation,hemustpointthisoutandproposeobtainingfurtherexpertise.Ifheisofferedthedelegationoftasksbythemostseniormanagement level,which increaseshis liability for legalsanctionsor legal liability forrisk,heshould reject this formofdelegationwithappropriate justification. If,on theotherhand,thedataprotectionofficerdecidestoassumethetaskstobedelegated,he isstronglyadvisedtoregulate this contractuallyand toobtain insurancecover for theextended tasks. Inanycase, thedelegation shall ensure that the additional tasks do not lead to a conflict of interest with theprimarytasksofthedataprotectionofficer.

APPENDIX2

Sampleagreememt-nottobeused

(basedontheoldlegalsituation)

Certificate of appointment

of an external data protection officer according to Article 4 f BDSG (Federal Data Protection Act)

The company ...

represented by (management / board of directors), and/or on behalf of individual executive management

boards, appoints with effect from (date),

Ms/Mr ... to be external data protection officer according to Article 4 f BDSG / Articles 37, 38 EU-GDPR in his capacity as an employee of xy management consultancy.

Ms/Mr ... is hereby appointed as deputy.

The tasks and obligations resulting from this appointment arise from the BDSG up to 24th May 2018, in particular from Articles 4f, 4g, and from 25th August 2018 from the EU General Data Protection Regulation, here in particular Articles 38, 39, and are not listed separately here. In this function, the data protection officer according to BDSG reports directly to the board of directors / company management.

The appointment is made as a supplement to the consultancy agreement from the date listed. The appointment ends automatically when this agreement is terminated.

All other issues are regulated in the above-mentioned agreement on the appointment of the data protection officer and apply in equal measure.

Place1, Date Place2, Date

Management / Representative Data protection officer/ Management

Appointment of an external data protection officer Page 1 of 1

APPENDIX2

Sample-nottobeused

(basedontheoldlegalsituation)

Data protection officer consultancy agreement Page 1 of 5

Consultancy agreement

The following consultancy agreement is concluded between

and

the company

- hereinafter referred to as the Client - represented by: (Board of Directors / Managing Director)

the Consultant (Managing Director)

1 Subject matter and scope of the order The object of the Consultant's service is to act as the company data protection officer within the meaning of Article 4 f (1) of the Federal Data Protection Act (BDSG) or, as applicable, from 25 May 2018 within the meaning of Article 37f (EU-GDPR) of the EU Data Protection Act with the statutory duties pursuant to Article 4g of the BDSG or pursuant to Article 39 of the EU-GDPR.

The Consultant undertakes these tasks for the Client in the following company:

r ...list legally independent companies r …

In performing this task, the Consultant shall be assisted by internal contact persons. They shall ensure communication and information and support the organisation of appointments.

This agreement does not constitute a contract in favour of third parties within the meaning of Article 328 BGB (German Civil Code). It is the responsibility of the Client to ensure that the necessary contractual and actual prerequisites for the Consultant to perform his or her tasks are met by any associated companies.

2 Provision of services

(1) The time and place of the assignment for the Client shall be freely determined by the

Consultant. If urgent matters require immediate discussion or examination, the Consultant shall also be available at short notice, whereby consideration shall be given to his other operational requirements to the extent that these may not be unreasonably impaired thereby.

(2) The Consultant shall be entitled to employ suitable employees and competent third

parties for the execution of the matters assigned to him. The Consultant's own responsibility remains unaffected by this.

(3) The Consultant shall carry out his activities on his own premises. Insofar as the execution

of the appointment requires a presence at the Client’s premises or at one of the offices listed in Article 1 is required, the Client shall, after prior consultation with the Consultant, ensure that the necessary operational facilities are made available to the Consultant at the premises of the Client or the respective company.

Data protection officer consultancy agreement Page 2 of 5

3 Duty of confidentiality

(1) The Consultant shall be obliged in accordance with the law to maintain confidentiality with

regard to all matters of the Client or other companies pursuant to Article 1 which come to the attention of the Consultant during or on the occasion of the execution of an order, unless the Consultant has been released from this obligation in writing by the company concerned.

(2) The duty to confidentiality does not apply if the disclosure of matters is absolutely

necessary to safeguard the Consultant's legitimate interests. The Consultant shall also be released from the duty of confidentiality insofar as he is obliged to provide information and to cooperate in accordance with the terms of a liability insurance policy.

(3) The statutory rights to information and the right to refuse to make statements shall remain

unaffected by the above provisions, as shall the Consultant's special obligations to confidentiality pursuant to Article 4f (4), 4a BDSG.

(4) This duty of confidentiality on the part of the Consultant shall continue to apply even after

termination of the contractual relationship. Reports, expert opinions and other written statements made on the basis of or on the occasion of this order may only be handed over by the Consultant to third parties with the consent of the Client, except in the case described in Article 3(2) sentence 2.

(5) To the same extent as for the Consultant himself, the duty of confidentiality also applies

to the employees, partners and assistants. (6) If the Consultant calls in expert third parties, he shall ensure that they are bound to

confidentiality to the same extent. 4 Liability

(1) The Consultant shall be liable for his own negligence and for the negligence of his own

employees and assistants. (2) The Consultant has taken out liability insurance with an insured sum of €1,000,000 per

individual case. He undertakes to maintain the insurance cover in this amount for as long as this contractual relationship exists.

(3) Should a higher liability amount be required in an individual case, the Consultant and the

Client shall discuss this and decide whether a higher insurance sum should be concluded with the liability insurance for this individual case. The costs of a higher insurance sum shall be borne by the Client.

(4) Insofar as a claim for damages by the Client vis-à-vis the Consultant is not subject to a

shorter limitation period by law, it shall become statute-barred three years after the date on which it arose. The claim must be asserted within three months of the Client becoming aware of the damage.

Data protection officer consultancy agreement Page 3 of 5

5 Limitation of liability

In the event of slight negligence in a liability case, the Consultant may only be held liable by the Client up to the amount of the existing minimum sum insured in accordance with Article 4. Any liability on the part of the Consultant for further damage is hereby expressly excluded.

6 Exclusion of liability

Any liability is excluded for verbal information outside of an agreed consultation or telephone information. This does not apply if the information is confirmed in writing with the facts described by the Client.

7 Remuneration

(1) As a lump-sum fee, a monthly amount of

(see quotation) € plus the statutory value added tax applicable at the time.

is agreed. In this agreement, the parties assume that the Consultant's monthly expenditure of time for the Client, including all companies pursuant to Article 1, does not exceed an average of 8 hours. This cost estimate is based on the standard model, which includes the usual tasks according to BDSG.

Should it turn out in the course of the annual planning discussion that the expenditure is insufficient or that an adjustment of the expenditure of time is necessary due to projects or other tasks, the parties will agree on the adjustment of the fee. If necessary, travel (train or flight) and accommodation costs will be charged at cost price. A flat rate of €0.50 per km (plus applicable VAT) from the nearest office is charged for travel costs by car (see quotation).

(2) In addition to the monthly expenditure specified under 7(1), a one-off expenditure for the

inventory is agreed at a fixed price of (see quotation) € plus applicable value added tax. The project expenditure for the implementation of the short-term tasks required according to the appraisal is initially estimated at (see quotation) days and agreed at a daily rate of € (see quotation) plus applicable VAT. This expenditure serves the initial implementation of data protection in the processes and regulations, the creation of guidelines and a data protection concept as well as the initial inclusion of the procedural documentation.

(3) The following activities of the Consultant shall not be included in the lump-sum fee and

shall be remunerated separately, if applicable: • IT-security support • Project tasks that cannot be processed within this scope (introduction of new

software, foreign locations, company growth, etc.) (4) Activities in accordance with section (3), will only be carried out after consultation with the

Client. For these activities, a fee of (see quotation) € per hour or part thereof plus applicable value added tax is agreed.

Data protection officer consultancy agreement Page 4 of 5

(5) The payment of the monthly flat fee is due on the 15th of the respective calendar month.

Other expenses and fees for additional activities pursuant to sections (2) and (3) shall be charged separately by the Consultant at the end of each month.

(6) All amounts shall be transferred to one of the following accounts:

Account holder:

BIC IBAN Bank:

VAT no:

8 Duration of contract

(1) The contract begins on (see quotation).

(2) The contract has a limited term of two years and can be terminated for the first time on

xxx with notice of six months. If the contract is not terminated, it shall be extended by a further two years.

(3) Notice of termination must be given in writing.

(4) In all other cases, the provisions of the BGB (German Civil Code) apply to the termination

of the contract. 9 Cooperation of the Client / Certificate of appointment

(1) The Client is obliged to cooperate in the execution of the appointment to the extent

necessary for proper execution of the appointment. He shall provide the Consultant with all evidence, certificates and other documents required for the execution of the appointment in connection with the matters to be processed by the Consultant for inspection and perusal, and shall provide the Consultant with the information necessary for clarifying the facts of the case, in particular with an overview of procedures within the meaning of Article 4 e sentence 1 BDSG (cf. Article 4 g (2) sentence 1 BDSG), insofar as the preparation of the overview is not a task within the scope of this agreement (cf. 7.2).

(2) Furthermore, the Client shall inform the Consultant comprehensively about the factors

and backgrounds which are essential for the assessment of the facts of the case. He shall inform the Consultant of all operational procedures and circumstances which may be relevant to the performance of the agreement.

(3) The certificate of appointment shall be presented by the Client after conclusion of this

agreement and signed by both contracting parties. (4) The Client is responsible for ensuring that any other companies/locations also meet the

aforementioned cooperation obligations in the same way and that the respective certificates of appointment are issued.

Data protection officer consultancy agreement Page 5 of 5

10 Amendments/Additions

There are no verbal ancillary agreements. Amendments or additions to this contract must be made in writing.

11 Severability clause

Should individual provisions of this agreement be or become invalid, this shall not affect the validity of the remaining agreements. The contracting parties undertake to replace ineffective provisions by provisions which come as close as possible to the original purpose and whose effectiveness does not meet with any objections. The same shall apply in the event of gaps in the contract.

Place, Date Place, Date

For the Client Consultant