The obligation to appoint a data protection officer affects more businesses than expected. Learn when a DPO is legally required, what qualifications are needed, and whether an internal or external officer is the better choice.
Table of Contents
- Data Protection Officer: When Does Your Business Need One?
- When Is a Data Protection Officer Mandatory?
- The 20-Person Threshold Under BDSG
- Obligation Regardless of Employee Numbers
- Public Bodies
- Internal vs. External Data Protection Officer
- The Internal DPO
- The External DPO
- Cost Comparison
- Requirements for the Data Protection Officer
- Professional Qualification
- Independence and Freedom from Instructions
- Avoiding Conflicts of Interest
- Duties and Responsibilities of the DPO
- Liability: Who Bears the Risk?
- Practical Tips for Appointment
- Conclusion
Data Protection Officer: When Does Your Business Need One?
Data protection is one of those topics that many business owners would prefer to ignore — until a fine notice from the supervisory authority arrives. Yet the question of whether your business requires a data protection officer (DPO) is far from academic: violations of the appointment obligation can result in fines of up to 10 million euros or 2 per cent of annual worldwide turnover. In practice, fines tend to be lower, but the risks should not be underestimated.
This article provides a comprehensive overview of when appointing a DPO is mandatory, what requirements apply to the person, and how to optimally structure the role in your business.
When Is a Data Protection Officer Mandatory?
The 20-Person Threshold Under BDSG
The best-known rule is found in § 38 Abs. 1 BDSG: as soon as at least 20 persons in your business are regularly engaged in the automated processing of personal data, you must appoint a DPO. This includes:
- Permanent employees (full-time and part-time)
- Temporary agency workers and freelancers
- Interns and trainees, provided they regularly work with personal data
The decisive factor is not the total number of employees, but the number of those who actually process personal data — for example, writing emails, maintaining customer data, or handling personnel files. In practice, this applies to virtually all office workers in most businesses.
Obligation Regardless of Employee Numbers
Even if you employ fewer than 20 persons, a DPO obligation may exist. Under Art. 37 Abs. 1 DSGVO and § 38 Abs. 1 BDSG, a data protection officer is always required if:
- Your core activity consists of extensive, regular, and systematic monitoring of individuals (e.g., credit agencies, security companies, tracking service providers)
- Your core activity involves extensive processing of special categories of data under Art. 9 DSGVO (health data, biometric data, trade union membership, religious beliefs)
- You are required to carry out data protection impact assessments (§ 38 Abs. 1 Satz 2 BDSG)
- You process personal data on a commercial basis for the purpose of transfer or anonymised transfer
Public Bodies
For public authorities and bodies, the DPO obligation applies without exception, regardless of size or type of data processing (Art. 37 Abs. 1 lit. a DSGVO).
Internal vs. External Data Protection Officer
The Internal DPO
An internal data protection officer is an employee of your business who assumes this function on an additional or full-time basis. The advantages:
- Company knowledge: An internal DPO knows the processes, systems, and corporate culture
- Constant availability: Short communication lines and direct accessibility
- No ongoing external costs: No monthly consultancy fees
However, the disadvantages are significant:
- Special dismissal protection: An internal DPO enjoys dismissal protection under § 6 Abs. 4 BDSG similar to that of a works council member — extending one year after removal from the role
- Training costs: The employer must finance continuing professional development (§ 38 Abs. 2 BDSG in conjunction with Art. 38 Abs. 2 DSGVO)
- Conflicts of interest: Certain positions are incompatible with the DPO role
- Liability risk: In the event of breaches of duty, the employer is liable, not the internal DPO
The External DPO
An external data protection officer acts on the basis of a service contract. This offers:
- Specialised expertise: External DPOs are generally specialised in data protection and serve multiple clients
- Independence: Lower risk of conflicts of interest
- Flexibility: The contract may be terminated subject to the agreed notice periods — no special dismissal protection
- Predictable costs: Monthly flat fees or hourly rates, typically between 300 and 1,500 euros per month depending on company size
- Liability: An external DPO is liable for their own errors within the scope of their service contract
Cost Comparison
| Factor | Internal DPO | External DPO |
|---|---|---|
| Monthly costs | Pro-rata salary + training | 300–1,500 EUR/month |
| Training | 1,500–5,000 EUR/year | Included in fee |
| Dismissal protection | Yes (§ 6 Abs. 4 BDSG) | No |
| Liability | Employer is liable | DPO contractually liable |
| Availability | High | By arrangement |
Requirements for the Data Protection Officer
Professional Qualification
Art. 37 Abs. 5 DSGVO requires that the DPO possess professional qualifications and in particular expert knowledge of data protection law and practice. In concrete terms, this means:
- Sound knowledge of the DSGVO, the BDSG, and relevant special legislation (TTDSG, TMG, etc.)
- Understanding of technical and organisational measures (TOM)
- Sector knowledge commensurate with the nature and scope of data processing
- Regular continuing education to maintain expertise
There is no legally prescribed certification. However, recognised qualifications include the programmes offered by TÜV, the GDD (Gesellschaft für Datenschutz und Datensicherheit), or the IAPP (International Association of Privacy Professionals).
Independence and Freedom from Instructions
The DPO may not receive instructions in the exercise of their duties (Art. 38 Abs. 3 DSGVO). They report directly to the highest management level and may not be dismissed or disadvantaged for the performance of their duties.
Avoiding Conflicts of Interest
Certain positions are incompatible with the DPO role. The following may not be appointed as DPO:
- Managing directors and board members
- IT directors and heads of human resources
- Marketing directors who decide on the use of tracking tools
- In general: persons who decide on the purposes and means of data processing
Supervisory authorities have consistently imposed fines in the past — for example, against companies that appointed their IT director as DPO.
Duties and Responsibilities of the DPO
The catalogue of duties is set out in Art. 39 DSGVO:
- Informing and advising the controller and employees regarding data protection obligations
- Monitoring compliance with the DSGVO, BDSG, and other data protection provisions
- Advising on data protection impact assessments (Art. 35 DSGVO)
- Cooperating with the supervisory authority and serving as a contact point
- Awareness-raising and training of employees
- Maintaining the record of processing activities (in practice, this is frequently delegated to the DPO)
Liability: Who Bears the Risk?
A widespread misconception: the DPO is not the controller within the meaning of the DSGVO. Data protection responsibility always remains with the company or its management. The DPO has an advisory and monitoring function. Fines are therefore directed at the company, not at the DPO personally.
Practical Tips for Appointment
- Conduct a stocktake: First determine how many persons in your business actually process personal data and whether special data categories are involved
- Cost-benefit analysis: Compare the total costs of an internal DPO (salary, training, dismissal protection) with the costs of an external service provider
- Check for conflicts of interest: Ensure that the selected person does not hold conflicting responsibilities
- Written appointment: The appointment should be made in writing with a clear definition of duties
- Publication: Under Art. 37 Abs. 7 DSGVO, you must publish the DPO's contact details and notify the supervisory authority
- Provide resources: Ensure the DPO has sufficient time, access to information, and training opportunities
Conclusion
The question of whether your business needs a data protection officer can usually be answered quickly — but the practical implementation requires careful planning. Whether the DPO is internal or external, the decisive factor is that the appointed person has the necessary expertise, can act independently, and receives adequate resources.
At compleneo, we advise you not only on whether a DPO obligation exists, but also support you in selecting, appointing, and working with your data protection officer — practical, clear, and tailored to your business.