A company must appoint an external data protection officer if it meets the legal requirements of the GDPR and the BDSG. This obligation arises from Article 37 GDPR and Section 38 BDSG. In concrete terms, this means that certain types of data processing or company sizes make the appointment of a data protection officer necessary. The most important criteria include:
Extensive processing of special categories of personal data
If a company processes special categories of personal data on a large scale, it is necessary to appoint a data protection officer. Special categories of personal data include:
- Data on racial and ethnic origin
- Political opinions
- Religious or ideological beliefs
- Trade union membership
- Genetic and biometric data
- Health data
- Data on sexual life or sexual orientation
This data is particularly sensitive and therefore requires a higher standard of protection in accordance with Article 9 GDPR.
Regular and systematic monitoring
Companies whose core business consists of the regular and systematic monitoring of data subjects must also appoint a data protection officer. This applies, for example, to companies whose core activities involve large-scale monitoring of individuals, such as video surveillance or comprehensive behavioral analysis (Article 37 paragraph 1 letter b GDPR).
Public bodies and authorities
Public bodies and authorities are generally obliged to appoint a data protection officer, regardless of the type of data processed or the number of employees. This follows from Article 37 paragraph 1 letter a GDPR and Section 38 BDSG.
Companies with at least 20 employees
In Germany, Section 38 BDSG additionally requires companies that employ at least 20 people who are regularly involved in the automated processing of personal data to appoint a data protection officer. This threshold can vary in some federal states, which is why it is important to pay attention to the specific state regulations.
Liability and sanctions
Appointing a data protection officer is not only a legal obligation, but also a risk minimization measure. Companies that violate the obligation to appoint a data protection officer risk significant fines. According to Article 83 GDPR, violations of data protection rules can result in fines of up to 10 million euros or 2% of the worldwide annual turnover of the previous financial year, whichever is higher.
In summary, companies must appoint an external data protection officer if they carry out extensive and risky data processing, are public bodies or authorities, or employ a certain number of employees who regularly work with personal data. Complying with these requirements is crucial for minimizing data protection risks and strengthening the trust of the data subjects.