Obligation to appoint an external data protection officer

The statutory obligation to appoint a company data protection officer applies to a majority of German companies. The BDSG [German Federal Data Protection Act] allows for the appointment of an external data protection officer in addition to appointing a data protection officer from inside the company.

First of all, the obligation to appoint a data protection officer always applies if:

  • your company permanently employs more than nine persons for automatic processing of personal data or
  • at least 20 persons for non-automated processing.

Furthermore, the obligation always applies if you as the responsible office

  • perform automated processing that is subject to preliminary controls, or
  • commercially process personal data for the purpose of transmission, anonymized transmission or for market or opinion research.

Conversely, however, the absence of these limits does not mean that data protection law requirements (such as those established in the BDSG, TKG [German Telecommunications Act] and TMG [German Telemedia Act]) do not need to be followed. Because of the increasingly rapid pace of technical development and the general tendency toward specialization, it is apparent that even smaller companies are now performing complex data processing and are worth particular attention in terms of data protection law. In these cases, the company management is legally responsible for ensuring data protection compliant behavior.

You can find more information about the requirements for data protection officers and their tasks here.