Activity of the designated DPO: No conflict with the Legal Services Act.
In its decision of 12 March 2021, the North Rhine-Westphalia Lawyers’ Court (Anwaltsgerichtshof NRW; in the following AGH NRW) commented on the activity of the Data Protection Officer and the fundamental compatibility with the Legal Services Act (Rechtsdienstleistungsgesetz; in the following RDG).
1. What is it about?
The activity of the Data Protection Officer (DPO) is a professional activity. The Federal Fiscal Court (Bundesfinanzhof) already ruled on this in January 2020. Not to forget the famous Ulm ruling of 1990. Thus, in its decision (Ref.: 5T 153/90-01 LG Ulm), the Ulm Regional Court stated that company and public authority Data Protection Officers exercise a profession because with their activity they make a contribution to society as a whole that is calculated on a permanent and not temporary basis. Even if they perform their task as DPO in addition to their actual main profession, this activity is to be regarded as a profession from a constitutional point of view.
The RDG endows lawyers with special powers that are not granted to non-lawyers. In its judgment of 12 March 2021 – 1 AGH 9/19 – the Lawyers’ Court of North Rhine-Westphalia dealt with the question of whether only lawyers may act as Data Protection Officers. The answer to this question is of particular interest to many external DPO because they are usually not lawyers.
According to the ruling, the authority to provide legal advice by a designated DPOr results from art. 39 GDPR (Tasks of the Data Protection Officer). It says there that his task includes “to monitor compliance with this Regluation [or] other provisions”. The discussion is thus whether Data Protection Officers are allowed to provide legal advice on data protection law in Germany due to the activity specified in the General Data Protection Regulation (GDPR), which precisely also includes legal advice on data protection law, or whether this legal advice constitutes a violation of the RDG.
2. What did the AGH NRW decide?
The AGH NRW has issued a clear and well-reasoned ruling on this matter, and there is not much to be said against the reasoning.
The AGH NRW ruled that the DPO’s activity is a legal service within the meaning of section 2 of the RDG.
The AGH NRW also says that this is a permitted legal service with reference to §§ 1 and 3 RDG. It states that legal services are not unlawful if there is another authorisation law outside the RDG. Article 39 of the GDPR is such a permission norm. Its wording explicitly mentions legal services. It says that advice and information about the rights and obligations under this regulation are part of it. I.e. art. 39 GDPR defines data protection advice by the DPO here. No more, but also no less.
According to the AGH NRW, article 39 GDPR sufficiently defines the tasks and powers of the DPO for a specific area and specific activities.
3. What are the tasks of the Data Protection Officer?
Legal advice is one of the three core elements, but only one and usually the smaller part of the Data Protection Officer’s work. The three core elements are: business advice, technical and organisational advice and, in addition, legal advice, i.e. advice on data protection law.
Even if art. 39 GDPR is not a sufficient permission law, one must come to § 5 RDG and refer to it. Legal advice is at least a permitted secondary activity. It is a permitted legal service that must be able to be provided so that the DPO can also fulfil his or her activity in accordance with legal requirements.
It is important to note that legal services for a DPO are only permitted to the extent that they are necessary for the activity as DPO. In other words, not beyond that – regardless of whether the appointed DPO is a lawyer or not. There are different professional profiles and roles here, which must be distinguished and separated in their exercise and must not be mixed with each other. It must also be examined to what extent there is not a conflict of interest between legal advice as a Data Protection Officer and legal advice as a lawyer.
Consequently, a lawyer who is appointed as a DPO can only perform the (advisory) tasks of a DPO in this function. As a DPO, he or she is “not competent” to provide legal advice beyond this and, by virtue of his or her function as DPO, cannot do so.
Furthermore, it may be necessary to discuss what else belongs to data protection law; e.g. Unfair Competition Act, Social Code, General Terms and Conditions Act, etc. Where do the boundaries begin, where do they end and how deep – the deeper interpretation, as secondary questions also under liability aspects.
It is not the clarification of legal issues that makes up the focus of the typical activity of the appointed data protection officer, this is an ancillary activity. The focus of the activities lies in the audit of procedures, processing and processes, i.e. in the control and monitoring of data protection conformity and the organisation’s compliance with the GDPR.
The GDPR is an EU regulation that takes precedence over national law. National law, in this case the RDG, cannot be interpreted and applied in a way that limits the effectiveness of EU law.
5. Further Information (only available in German)
Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e.V. Positionspapier (Stand: April 2021): https://www.bvdnet.de/wp-content/uploads/2021/05/BvD-Positionspapier-DSB-kein-Konflikt-zum-RDG.pdf
Urteil 1 AGH 9/19 vom 12.03.2021: https://openjur.de/u/2336889.html
Otto Schmidt live – der Podcast by Verlag Dr. Otto Schmidt (Folge 06.05.2021): Tätigkeit des Datenschutzbeauftragten: Kein Verstoß gegen das RDG! https://anchor.fm/verlag-dr-otto-schmidt/episodes/Ttigkeit-des-Datenschutzbeauftragten-Kein-Versto-gegen-das-RDG-e10br9e
Datenschutz PRAXIS – der Podcast: DSB-Tätigkeit nicht im Konflikt mit RDG I Podcast Folge 22 (21.05.2021): https://www.datenschutz-praxis.de/datenschutzbeauftragte/dsb-taetigkeit-nicht-in-konflikt-mit-rdg-podcast-folge-22/ (WEKA Media GmbH & Co KG).
Author: Regina Mühlich, CEO of AdOrga Solutions GmbH; Member of the Board of the Professional Association of Data Protection Officers in Germany (Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e.V.)