DATUREX GmbH Dresden: Data Protection Laws

The Data Protection Officer

When the appointment of a Data Protection Officer is mandatory under Article 37 GDPR and § 38 BDSG, what tasks the DPO performs, and what independence the role requires.

The Data Protection Officer (DPO) is a central institution in corporate data protection. Articles 37–39 GDPR, supplemented by § 38 of the German Federal Data Protection Act (BDSG), set out when appointment is mandatory, what qualifications are required, and what tasks the DPO performs.

When Must a DPO Be Appointed?

The obligation to appoint arises from two sources. Under Article 37(1) GDPR, public authorities and bodies must always designate a DPO. For private organisations, appointment is mandatory where the core activities consist of processing special category data on a large scale, or of large-scale, regular, and systematic monitoring of individuals. The BDSG extends this obligation in § 38: any non-public body that regularly employs at least 20 persons engaged in automated processing of personal data must designate a DPO.

The DPO must have expert knowledge of data protection law and practices (Article 37(5) GDPR). There is no formal certification requirement, but recognised qualifications — such as those offered by TÜV, the GDD, or comparable bodies — are common in practice.

Internal or External DPO

The DPO may be a member of staff (internal DPO) or an external service provider. In both cases, the DPO must be able to perform their tasks with complete independence: they must not receive instructions regarding the exercise of their tasks and must not be dismissed or penalised (Article 38(3) GDPR). The DPO reports directly to the highest level of management.

Tasks of the Data Protection Officer

The DPO's tasks under Article 39 GDPR include: informing and advising the organisation on data protection matters, monitoring compliance with the GDPR, training staff, cooperating with the supervisory authority, and acting as a contact point for data subjects.

Where an external DPO is appointed, a written service agreement is required, clearly setting out the scope of services, availability, liability, and confidentiality obligations. External DPOs are equally subject to the protection against dismissal and must have their contact details registered with the competent supervisory authority pursuant to Article 37(7) GDPR.

Relevant Law Sections