According to Article 37 of the General Data Protection Regulation (GDPR), all companies that process personal data automatically require a Data Protection Officer (DPO). However, there is one exception for smaller companies: If less than 10 people in your company regularly work with personal data, you do not need a data protection officer. 

However, it should be noted that this group also includes temporary or part-time employees. However, this rule would be too simple, so of course there are exceptions here as well: As soon as you process sensitive data (health data, religious affiliation, ethnic origin or even sexual orientation) or personal data is transmitted to third parties, companies with less than 10 employees must also appoint a data protection officer.

The data protection officer must ensure that the company complies with the data protection requirements. These tasks are described in more detail in Article 39 of the GDPR.

Informing and advising the controller or the processor and employees carrying out processing operations of their obligations under this Regulation and other Union or national data protection legislation;

Monitoring compliance with this Regulation, other Union or Member State data protection rules and the policies of the controller or processor on the protection of personal data, including the assignment of responsibilities, awareness raising, training and review of staff involved in processing operations;

Advice, upon request, on data protection impact assessment and monitoring of its implementation in accordance with Article 35;

Cooperation with the Supervisory Authority;

act as a focal point for the Supervisory Authority on matters related to the processing, including prior consultation in accordance with Article 36, and, where appropriate, provide advice on all other matters.

In carrying out his tasks, the Data Protection Officer shall take due account of the risk inherent in the processing operations, taking into account the nature, extent, circumstances and purposes of the processing operation.

You can appoint an external data protection officer or appoint an employee of your company as data protection officer. This decision is entirely up to you. An internal DPO has the advantage that he knows all the processes in the company, but can also easily get into conflicts of interest. In addition, the employee must acquire the relevant specialist knowledge and undergo ongoing training. An external DSB, on the other hand, does not know your processes so well, but already has the relevant specialist knowledge and a neutral view of your company. In addition, the external data protection officer is fully liable for violations, including negligence.

We would like to point out that our website is for information purposes only and does not constitute legal advice. The content of this offer cannot replace a binding legal advice. All information is without guarantee of correctness and completeness.