§ 6 BDSG
Position
(1)The public body shall ensure that the data protection officer is properly and at an early stage involved in all issues relating to the protection of personal data.
(2)The public body shall support the data protection officer in performing the tasks referred to in Section 7 by providing the resources necessary for the performance of those tasks and access to personal data and processing operations.
(3)The public body shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or disadvantaged on account of the performance of those tasks. The data protection officer shall have the right to submit matters directly to the head of the public body.
(4)The dismissal of the data protection officer shall be permissible only in application by analogy of Section 626 of the Civil Code. The termination of the activity as data protection officer within the authority shall be permissible only if the facts which entitle the public body to demand the cessation of the designation pursuant to the first sentence no longer exist. After the end of the designation as data protection officer, the data protection officer may not be disadvantaged on this account for a period of one year.
(5)Data subjects may contact the data protection officer on all issues relating to the processing of their personal data and the exercise of their rights pursuant to Regulation (EU) 2016/679, this Act and other data protection provisions. The data protection officer shall be bound by secrecy or confidentiality regarding the identity of the data subject and regarding circumstances that allow conclusions to be drawn about the data subject, unless the data subject releases the data protection officer from this obligation.
(6)If the data protection officer learns of an indication that personal data are being processed unlawfully by the body which designated the data protection officer, the data protection officer shall address this with the controller and, if necessary, submit proposals for remedying the data protection violation. If the violation is not remedied, the data protection officer shall inform the Federal Commissioner or the competent supervisory authority of the Land. In doing so, the data protection officer shall maintain the confidentiality of the identity of the data subject in accordance with Subsection (5), second sentence, unless disclosure is indispensable for the exercise of the rights of the data subject.