Germany: How the RDG affects the designation and role of DPOs

According to the conception of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), data protection officers ('DPOs') play an important role in the protection of personal data. Their activity serves a regulated self-control of the controller or processor, the advantage of which lies not least in the relief of public authorities. Their appointment is mandatory for all public and many private entities. The activity of a DPO requires knowledge of data protection law and includes providing advice on data protection issues. In Germany, however, the provision of legal services is regulated, among other things, by the German Act on Out-of-Court Legal Services[1] ('RDG'). It is questionable whether this also imposes special requirements on the DPO. Stefan Hessel, Attorney-at-Law and Co-Head of Digital Business Unit at reuschlaw Legal Consultants, sheds light on the topic.

Background

The RDG is intended to ensure that both the legal system and those seeking advice are protected from unqualified advice. A legal service is defined as an activity in specific third-party matters if these require a legal examination of the individual case. The provision of such a service is subject to permission. A corresponding permit for attorneys is contained in Section 3(1) of the German Federal Lawyers' Act[2] ('BRAO'). According to this, attorneys may in principle advise and represent in all legal matters. But do DPOs also need a corresponding legal basis?

DPO as a legal service

The tasks and powers of a DPO are outlined in Article 39 of the GDPR. These include advising and training employees, providing advice, where requested, in relation to Data Protection Impact Assessments ('DPIAs') and monitoring their performance, and monitoring compliance with data protection regulations. In this respect, the question arises as to whether this is a legal service. In the case of internal DPOs, the service provided is already not extraneous to the company and therefore does not fall under the definition of legal service in Section 2(1) of the RDG. However, something different could apply to the appointment of an external DPO. According to Article 39 of the GDPR, the DPO is to monitor the activities of the controller for compliance with data protection regulations and to act in an advisory capacity. Advice on the solution of specific data protection issues requires a legal examination of the individual case and therefore constitutes a legal service.[3]

A mere ancillary service?

However, Section 5(1) of the RDG provides for an exception if the legal service is merely ancillary to another profession or activity. This requires thinking about the job description of a DPO. The tasks and powers of the DPO, which are specified in Article 39(1) of the GDPR, do not only relate to advising on data protection issues. They also relate to cooperating with the data protection authority and holding employee trainings. Prior to the GDPR, in a decision of 5 June 2003 (Az. VIII R 27/17)[4], the German Federal Fiscal Court ('BFH') outlined the role of the DPO as a job that includes teaching content from engineering and law, business administration, and pedagogy. The BFH stated that the DPOs are not only tasked with advising on legal issues. In a decision of 12 March 2021 (Az. 1 AGH 9/19)[5], the North Rhine-Westphalia Lawyers' Court ('AGH') endorsed this view and assumed for an external DPO that the provision of legal services in this case constitutes an ancillary service within the meaning of Section 5(1) of the RDG.

Interpretation of the RDG in conformity with European law

It is questionable whether the above considerations are necessary at all. Instead, the RDG should be interpreted in accordance with European law. The GDPR regulates which requirements a DPO must meet. According to Article 37(5) of the GDPR, the DPO is appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, as well as the ability to fulfil the tasks referred to in Article 39 of the GDPR. A proposal of the European Parliament[6] that provided for more extensive requirements was not included in the draft. This was probably a deliberate decision to not tighten the requirements. There is no opening clause that would allow the Member States to provide for higher hurdles for the activity as a DPO. The exception for secondary activities pursuant to Section 5(1) of the RDG is therefore not necessary.

Activity limits

The authority for non-attorney external DPOs is not limitless. The interpretation of the RDG in conformity with European law can only extend as far as Article 39 of the GDPR defines the tasks and powers of the DPO. According to Article 39(1)(a) of the GDPR, for example, the monitoring and advising of the controller or processor regarding their obligations under the GDPR is included. It remains unclear whether this wording also covers activities such as drafting a contract for commissioned processing or joint controllership. Further, the exception of Section 5(1) of the RDG only applies if the provision of legal services in the specific individual case is a secondary service of the main activity. If, on the other hand, it represents the main focus, the involvement of an attorney may be required.

Boundaries for attorneys as DPOs

If attorneys act as external DPOs, specific problems arise. These include the question of whether they may become DPOs if they have already advised the relevant company on other issues. In this case, a prohibition of activity under Section 45 of the BRAO could intervene. Pursuant to Section 45(1)(4) of the BRAO, an attorney may not act if they have been professionally active in the same matter outside their legal practice. In this respect, the result depends on whether the activity as a DPO constitutes an attorney's activity. Further limits may also result from Article 38(6) of the GDPR, according to which the controller and the processor must ensure that the tasks and duties as a DPO do not lead to a conflict of interest. The same questions arise vice versa when a DPO also acts as an attorney for the controller.

Conclusion

DPOs must have the necessary qualifications pursuant to Article 37(5) of the GDPR. However, external DPOs do not necessarily have to be attorneys. Deviations may apply in individual cases if the activity goes beyond the powers in Article 39 of the GDPR, as in the preparation of contracts, and the concrete application of the law is no longer an ancillary service, but the core of the activity of the DPO. In such cases, data controllers and processors should therefore consider hiring attorneys. If attorneys are appointed as external DPOs, the existence of conflicts of interest must be examined in each individual case.

Stefan Hessel Attorney-at-Law and Co-Head Digital Business Unit
reuschlaw Legal Consultants, Saarbrücken


1. Available at: https://www.gesetze-im-internet.de/englisch_rdg/index.html
2. Available at: http://www.gesetze-im-internet.de/brao/
3. Paal/Nabulsi, NJW 2019, 3673, 3675.
4. Available at: https://www.bundesfinanzhof.de/de/entscheidung/entscheidungen-online/detail/STRE202010054/ (only available in German)
5. Available at: https://www.justiz.nrw.de/nrwe/anwgh/j2021/1_AGH_9_19_Urteil_20210312.html (only available in German)
6. See at: https://www.europarl.europa.eu/doceo/document/A-7-2013-0402_EN.html