In Germany and the European Union, the General Data Protection Regulation (GDPR) in conjunction with the Federal Data Protection Act (BDSG) regulates the appointment of data protection officers. In certain cases, the appointment of a data protection officer – whether internal or external – is required by law. The following describes in detail which types of companies and organizations are required to appoint a data protection officer, including examples from different industries and relevant legal references.
Legal basis
The obligation to appoint a data protection officer arises mainly from Article 37 of the GDPR and Section 38 of the BDSG. The GDPR specifies the conditions under which a data protection officer must be appointed, while the BDSG supplements additional national regulations.
Companies and organizations that must appoint a data protection officer:
1. Public bodies and authorities
Legal reference: Article 37 paragraph 1 letter a GDPR and Section 38 BDSG
- Examples:
  - State administrative authorities: federal and state ministries, city administrations, district administrations
  - Educational institutions: public schools, universities, research institutes
  - Health facilities: public hospitals, health authorities
Public bodies and authorities are generally obliged to appoint a data protection officer, regardless of the type or scope of data processed.
2. Companies whose core activity consists in the extensive processing of special categories of personal data
Legal reference: Article 37 paragraph 1 letter c GDPR
- Examples:
  - Healthcare: hospitals, doctors' offices, nursing homes, laboratories that process extensive health data
  - Social institutions: institutions for disabled people, advice centers that process sensitive data
  - Insurance companies: health insurers and life insurers that process health data and other sensitive personal data
Special categories of personal data include data such as information concerning health, biometric data, genetic data, data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs and data concerning sex life or sexual orientation.
3. Companies whose core activity is the extensive, regular and systematic monitoring of data subjects
Legal reference: Article 37 paragraph 1 letter b GDPR
- Examples:
  - Financial service providers: banks, credit institutions that monitor customer transactions
  - Telecommunications companies: providers of telephone and internet services that monitor communication data
  - Marketing and advertising companies: companies that carry out extensive tracking and profiling activities to deliver personalized advertising
Systematic monitoring refers to activities such as video surveillance, internet tracking and the creation of customer profiles through extensive data analysis.
4. Companies with at least 20 employees who regularly process personal data
Legal reference: Section 38 BDSG
- Examples:
  - Trading companies: large retail chains, e-commerce companies that regularly process customer data
  - Service companies: call centers, customer service centers
  - Industrial companies: production companies with extensive personnel and customer data management
In Germany, companies that as a rule employ at least 20 people who are constantly engaged in the automated processing of personal data must appoint a data protection officer.
5. Companies that act as processors for other organizations
Legal reference: Article 37 paragraph 1 GDPR
- Examples:
  - IT service providers: data centers, cloud service providers that process data on behalf of other companies
  - Outsourcing service providers: companies that handle business processes for other companies, such as payroll accounting or customer management
Processors are companies that process personal data on behalf of a controller. They must meet the same data protection requirements and may be required to appoint a data protection officer.
Benefits of appointing an external data protection officer
The appointment of an external data protection officer can be beneficial in many ways, especially for small and medium-sized companies:
- Cost efficiency: External DPOs often work on a flat-rate or hourly basis, which makes costs more predictable and often lower than the cost of an internal DPO who requires ongoing training and development.
- Knowledge and expertise: External DPOs bring specialized knowledge and extensive experience in data protection. They are often better informed about the latest legal developments and best practices (Article 37(5) GDPR).
- Independence and objectivity: External DPOs act independently and can provide objective and unbiased recommendations. This minimizes the risk of conflicts of interest.
- Flexibility and scalability: Companies can adapt the scope of services to their specific needs, which is particularly beneficial during times of high workload or for special projects.
Summary
The appointment of a data protection officer is a legal requirement in many companies and organizations. Compliance with these obligations is crucial to minimize legal risks and increase the trust of data subjects in the handling of their data. Companies that cannot or do not want to appoint an internal data protection officer have the option of appointing an external DPO, which offers numerous advantages, including cost-effectiveness, high level of expertise and independence.