Data Protection

Data Protection Officer (DPO): When Mandatory, Duties, Internal vs. External

TL;DR
  • The GDPR (Art. 37) and the German BDSG (Section 38) regulate when a Data Protection Officer must be appointed. In Germany, the 20-person threshold applies: as soon as, as a rule, at least 20 persons are constantly engaged in the automated processing of personal data, a DPO is mandatory.
  • The DPO's duties include informing and advising, monitoring GDPR compliance, advising on DPIAs, cooperating with the supervisory authority, and serving as a contact point for data subjects.
  • The DPO must be professionally qualified (legal and technical knowledge) and must not have conflicts of interest. Managing directors, IT managers, and HR managers are as a rule excluded.
  • An internal DPO enjoys special dismissal and removal protection where the appointment is mandatory. An external DPO offers flexibility, independence, and often broader experience.
  • The DPO is an advisor and monitor, not an implementer. Responsibility for GDPR compliance remains with management.

When you need a Data Protection Officer (DPO)

The appointment obligation arises from two legal bases: Art. 37 GDPR at the European level and Section 38 BDSG (German Federal Data Protection Act) as a national supplement. The two have different triggers.

Appointment obligation under Art. 37 GDPR

Art. 37(1) GDPR requires the appointment of a DPO in three cases:

Public authorities and public bodies. All public authorities and bodies must appoint a DPO, regardless of the type and scope of data processing. Exception: courts acting in their judicial capacity.

Core activity: Extensive regular and systematic monitoring. When your organization's core activity consists of processing operations that require regular and systematic monitoring of data subjects on a large scale. Examples: credit reference agencies, detective agencies, security companies operating video surveillance, online tracking service providers.

Core activity: Extensive processing of special categories. When the core activity consists of large-scale processing of special categories of personal data (Art. 9) or data relating to criminal convictions (Art. 10). Examples: hospitals, laboratories, health insurance companies.

"Core activity" means: data processing is not merely incidental but an essential component of the business model. HR administration and routine IT support are not core activities within the meaning of this provision, even though personal data is processed.

Appointment obligation under Section 38 BDSG

Germany has introduced its own threshold in addition to the GDPR criteria, and for most organizations it is the one that matters in practice:

20-person threshold: A DPO must be appointed if, as a rule, at least 20 persons are constantly engaged in the automated processing of personal data (Section 38(1) sentence 1 BDSG).

What counts:

  • Every employee who regularly works with personal data: email, CRM, personnel files, customer databases, accounting
  • Part-time employees, interns, temporary workers, and freelancers, insofar as they regularly process personal data
  • Not only IT staff but everyone who works with personal data on a computer

In practice, most organizations cross this threshold at around 20 to 25 employees, because today almost every office workstation involves the processing of personal data.

Regardless of the number of persons engaged, Section 38(1) sentence 2 BDSG requires a DPO to be appointed if processing operations are carried out that are subject to a Data Protection Impact Assessment under Art. 35 GDPR, or if personal data is processed on a commercial basis for the purpose of transfer (including anonymized transfer) or for market and opinion research.

Duties of the Data Protection Officer

Art. 39 GDPR defines the DPO's minimum duties. In practice, however, the scope of tasks extends well beyond this.

Statutory minimum duties (Art. 39)

Informing and advising. The DPO advises management, specialist departments, and employees on all data protection matters. This includes advising on new projects, the introduction of new software, the drafting of contracts, and the handling of data subject requests.

Monitoring compliance. The DPO monitors whether the GDPR, the BDSG, and internal data protection policies are complied with. They review processing activities, audit processes, and flag violations. Important: monitoring does not mean implementation. The DPO identifies deficiencies and recommends measures; implementing them is the responsibility of management and the specialist departments.

Awareness and training. The DPO is responsible for data protection training of employees — at least for coordinating it. They create training concepts, conduct or organize training, and verify that all employees are regularly trained.

Advising on DPIAs. The DPO advises on the conduct of Data Protection Impact Assessments and monitors their execution. They should not be brought in only at the end but be involved in the process from the start.

Cooperating with the supervisory authority. The DPO is the contact point for the competent supervisory authority. They participate in audits, respond to inquiries, and coordinate communication between the organization and the authority.

Contact point for data subjects. The DPO's contact details must be published and communicated to the supervisory authority. Data subjects can contact the DPO directly with data protection concerns.

Extended duties in practice

Beyond the statutory minimum duties, the DPO in many organizations takes on additional functions. Each of them sits at the boundary of the monitoring role: the DPO can support and review, but should not become the person who owns the result (see "Turning the DPO into an implementer" under Common mistakes below):

  • Creating and maintaining the records of processing activities (in collaboration with specialist departments)
  • Reviewing data processing agreements (DPAs)
  • Assessing data breaches and advising on notification obligations
  • Drafting or reviewing privacy notices for the website and recruitment processes
  • Reviewing marketing activities for data protection compliance
  • Conducting internal data protection audits
  • Preparing the annual data protection report for management

Qualifications: Who is suitable as a DPO?

Art. 37(5) GDPR requires that the DPO is "designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."

Professional requirements

A DPO needs expertise in three areas:

Legal knowledge. Knowledge of the GDPR, the BDSG, and sector-specific data protection regulations (e.g., the TDDDG for digital services and telecommunications, the SGB for social insurance, the KDG and DSG-EKD for the churches). They must follow the decisions and guidance of the supervisory authorities and the case law of the CJEU and keep up to date.

Technical knowledge. The DPO must understand the technical systems used to process personal data: databases, cloud services, encryption methods, access controls, network architectures. They must be able to assess technical and organizational measures.

Organizational and communication skills. The DPO works with all departments, from management to interns. They must be able to explain complex legal issues in an understandable way, overcome resistance, and embed data protection as part of the corporate culture.

Certifications and training

There is no legally prescribed training for DPOs. In practice, several qualification paths have become established:

  • Certification by DEKRA, TÜV, or the GDD (Gesellschaft für Datenschutz und Datensicherheit)
  • University continuing education and LL.M. programs in data protection law
  • Practical training by experienced DPOs combined with specialized literature and conferences

A formal certification is not mandatory but is a strong indicator of the required expertise.

Conflicts of interest: Who cannot be DPO

The DPO must be able to perform their duties without receiving instructions regarding the exercise of those duties and without conflicts of interest (Art. 38(3) and (6) GDPR). This means that certain persons may not be appointed as DPO:

Managing director. The managing director determines the purposes and means of data processing. They cannot effectively monitor themselves.

IT management. The IT manager is responsible for the technical systems on which data processing is based. They would have to control their own decisions.

HR management. The HR manager is responsible for extensive processing of employee data. Here too, there is an evident conflict of interest.

Marketing management. Marketing executives drive data-driven processing (newsletters, tracking, profiling) that the DPO would need to critically evaluate.

Supervisory authorities have imposed fines in several cases because organizations appointed persons with conflicts of interest as DPO. In 2020, the Belgian Data Protection Authority imposed a fine of 50,000 euros on a company that had appointed the head of its compliance, risk, and audit department as DPO.

Internal vs. external: What fits better?

The internal DPO

An employee is appointed as DPO. They take on the role either full-time (in larger organizations) or part-time alongside their existing duties (in smaller organizations).

Advantages:

  • Knows the organization, the processes, and the people from the inside
  • Is on-site daily and always available
  • Can integrate data protection into ongoing projects before decisions are made
  • Builds long-term, organization-specific data protection knowledge

Disadvantages:

  • Special dismissal protection, which from the employer's perspective reduces flexibility (more on this below)
  • Costs for training and ongoing continuing education
  • Risk of operational blindness after several years
  • With a part-time appointment: time pressure when day-to-day business is demanding
  • Difficult to maintain the necessary independence when the DPO sits below the manager whose department they are supposed to monitor; Art. 38(3) GDPR requires that the DPO reports directly to the highest management level

The external DPO

An external service provider (attorney, consulting firm, specialized DPO provider) is appointed as DPO.

Advantages:

  • Broad experience from different organizations and industries
  • No employment relationship and therefore no labor-law dismissal protection; the service contract runs on its agreed terms
  • Natural independence from internal hierarchies
  • Current expertise through specialization
  • Scalable: a few hours per month when demand is low, quickly scaled up when needed

Disadvantages:

  • Less knowledge of internal processes and corporate culture
  • Not on-site daily (but reachable when needed)
  • Regular costs for the service
  • Onboarding time at the beginning
  • Dependency on the service provider, switching is complex

Recommendation by organization size

For organizations with 20 to 50 employees, an external DPO is usually the better choice. The workload is not enough for a full-time position, and the costs for qualifying an internal employee are disproportionate.

For organizations with 50 to 250 employees, it depends on the industry and the complexity of data processing. Organizations with high data protection needs (healthcare, finance, e-commerce) benefit from an internal DPO. Organizations with less data-intensive processing (manufacturing, trades) manage well with an external DPO.

From 250 employees, an internal, full-time DPO is often the more sensible solution, possibly supplemented by external consulting for specialist topics.

Dismissal and removal protection

Section 38(2) in conjunction with Section 6(4) BDSG grants the internal DPO special dismissal protection, provided the appointment is mandatory: they can only be dismissed for cause (extraordinary termination), not through ordinary termination. The dismissal protection continues for one year after the end of the appointment. Where a DPO is appointed voluntarily, this protection does not apply.

Removal of the DPO from the role is likewise only possible for cause, in analogous application of Section 626 BGB. Disagreements on data protection issues are not a valid cause. Lack of expertise or a gross breach of duty, however, are.

This protection serves independence: the DPO should be able to perform their duties without fear of reprisal. In practice, however, it causes some organizations to hesitate before appointing an internal DPO because they fear creating an employee who is difficult to dismiss.

DPO liability

The DPO is not liable for GDPR compliance. Responsibility lies with the organization as controller within the meaning of the GDPR, and thus with its management. The DPO advises and monitors, but the decision of whether and how to implement their recommendations rests with management.

If management acts against the express advice of the DPO and a violation occurs, management is liable, not the DPO. An internal DPO can be liable, however, under the general principles of employee liability if they grossly negligently or intentionally fail to perform their duties, for example if they notice an obvious data protection violation and do not flag it. An external DPO is liable under the terms of the service contract.

Notification to the supervisory authority

Art. 37(7) GDPR requires you to communicate the DPO's contact details to the competent supervisory authority. In Germany, this is done through the online portals of the state data protection authorities. The notification includes the DPO's name and contact details, but not their qualifications or contract.

Additionally, you must publish the DPO's contact details — typically in the privacy notice on your website and in the data protection information for employees and applicants.

Common mistakes

Not appointing a DPO despite an obligation. Fines for failure to appoint a DPO are not merely theoretical: the obligation falls under Art. 83(4)(a) GDPR (up to 10 million euros or 2% of annual worldwide turnover), and supervisory authorities actively audit and impose fines, including on smaller organizations.

Appointing a person with a conflict of interest. The IT manager as DPO is one of the most common mistakes. They cannot simultaneously be responsible for the IT security architecture and independently monitor its data protection compliance.

Not enabling DPO duties. The DPO is entitled to the resources necessary for their duties: time, budget for continuing education, access to information and systems. A part-time DPO who is supposed to "also handle" data protection alongside their full-time job without a time budget cannot effectively fulfill their duties. Tools like ISMS Lite ease the DPO's work by consolidating data subject requests, DPIA documentation, and training records in one place.

Turning the DPO into an implementer. If you assign the DPO operational responsibility for data protection (maintaining the records of processing activities, concluding DPAs, writing privacy notices), you undermine their monitoring function. They cannot effectively control what they implemented themselves. Operational work belongs in the specialist departments; the DPO advises and monitors.

No regular reporting. The DPO should report to management at least annually — ideally as part of the management review: data protection status, identified risks, open measures, training status, data subject requests, data breaches. Without this report, management lacks the basis for decision-making, and the DPO loses contact with the leadership level.

Conclusion

The Data Protection Officer is not a tedious obligation but a valuable function when properly utilized. They protect your organization from fines, from reputational damage, and from the consequences of data protection violations. The prerequisite is that they have the necessary expertise, the necessary independence, and the necessary resources to fulfill their duties effectively.

Manage DPO tasks in a structured way

ISMS Lite supports your Data Protection Officer with structured workflows for data subject requests, DPIA documentation, and data protection audits. Everything in one place.