Data Protection Officer

The data protection officer must ensure compliance with data protection regulations in automated data processing procedures. This applies not only with regard to the technical and organizational requirements under Section 9 of the LDSG, but also when a procedure involves the assessment of individual personality characteristics. This is because decisions that entail a legal consequence for the data subjects or significantly affect them must not be left to a computer program (Section 5 (5) LDSG). The data protection officer must therefore check whether the procedure in question takes account of the prohibition of automated individual decisions.

Pursuant to Section 11 (5) Sentence 2 LDSG, data subjects (e.g., whistleblowers, employees of the controller, persons whose data is processed) may contact the data protection officer at any time. He or she is then obligated to examine the concern and communicate the result of his or her examination. In cases of doubt, the Data Protection Officer may contact the State Commissioner for Data Protection .

The data protection officer is obligated to maintain confidentiality about the identity of the data subject, unless he or she is released from this obligation by the data subject (Section 11 (2) LDSG). The confidentiality of the data protection officer shall be ensured by technical and organizational data protection measures. These include forwarding mail addressed to him in his function as data protection officer directly and unopened.

The management of the authority may only request that the data protection officer submit to it the transactions not covered by the duty of confidentiality. The obligation under Section 11 (2) is only one of several duties of confidentiality incumbent on the data protection officer. Of course, he or she must also observe data secrecy pursuant to Section 8 LDSG and confidentiality obligations under service law.