German Data Protection Officer: Tasks, Rights and Duties

Tasks of an external data protection officer in Germany

The General Data Protection Regulation (GDPR) introduced the first European-wide duty for companies and public authorities to appoint a data protection officer (DPO). At the same time, the regulation has tightened the requirements for the appointment of a DPO and altered the DPO's position and role. The GDPR has increased the importance of DPOs within companies, public bodies, and nonprofit organizations.

Duty to appoint a DPO

Public bodies, like public authorities, schools, and kindergartens, have a duty to appoint a DPO. Under the GDPR, private bodies, like companies, need to appoint a DPO if certain conditions are fulfilled. The appointment is mandatory if

  • the organization's core business operations involve the processing of especially sensitive personal data, like health data, data relating to religious or ideological convictions, or data relating to criminal convictions or offences, on a large scale, or
  • the core business operations involve the regular and systematic monitoring of data subjects on a large scale.

DPOs for German companies having 10 or more employees

In addition, the GDPR allows Member States to enact additional national rules for the appointment of DPOs. Germany has made use of this option. Pursuant to the new version of the Federal Data Protection Act (BDSG-new), the controller of the data processing has the duty to appoint a DPO if

  • a company has 10 or more employees permanently engaged in the automated processing of personal data;
  • the processing operations are subject to a data protection impact assessment; or
  • personal data are processed in a businesslike manner for the purpose of transmission, or for market research or public opinion polling purposes.

Where a company is not required to appoint a DPO, it can decide to do so voluntarily.


Privacy and Cyber Security in Germany 2019

(Chapter in the the Law Review series)

Our privacy experts contributed a chapter to the handbook The Privacy, Data Protection and Cybersecurity Law Review. Read here for free

The role of the DPO

The DPO's role is to enable self-monitoring with regard to compliance with data protection rules.

His duties include

  • informing and advising the data processing controller (e.g. the management) and the employees about existing duties under data protection law;
  • monitoring compliance with the data protection provisions (GDPR, BDSG and other data protection rules);
  • raising awareness among, and providing training to, the employees;
  • providing advice in connection with the data protection impact assessment; and
  • cooperating with the supervisory authority. 

The GDPR has significantly increased both the duties and the responsibilities of the DPO. As a consequence, he will only be able to fulfill his duties adequately if he is suitably qualified and experienced in the areas of privacy law and data protection practices.

Internal or external DPO?

Basically an organization can appoint either one of its employees as a DPO (internal DPO) or an external DPO based on a service agreement. Due to the wide range of duties and the required expertise, practical experience has shown that an external solution offers a variety of advantages:

The advantages of engaging an external DPO include

  • the existing expertise and extensive experience;
  • an unbiased approach;
  • the absence of conflicts of interest;
  • the simple removal as, unlike internal DPOs, an external DPO does not benefit from any special protection against dismissal;
  • the exclusion of costs for further or continuing training.

A disadvantage of an external DPO is, however, that he will first have to get acquainted with the particularities and processes of the client organization.

What may happen if no DPO has been appointed?

An organization that fails to appoint a DPO although it is legally obliged to do so is in violation of the GDPR and may face a fine of up to 10 million EUR or, in case of a company, up to 2 percent of the overall annual turnover generated worldwide in the preceding business year.

As a consequence all companies, nonprofit organizations, and public bodies should check whether or not they have a duty to appoint a DPO. Our privacy experts will be very pleased to assist you in doing so.

Our services as an external DPO in Germany

Your data protection in the hands of experts: We will be pleased to provide the external DPO for your organization or to advise and assist your corporate DPO as needed in the individual case.

Our services as an external DPO include

  • assessing new projects and providing advice on how to implement them in compliance with data protection requirements;
  • providing information and advice to the management and employees on issues relating to data protection law;
  • assessing existing, and advising on the introduction of appropriate, technical and organizational measures;
  • supporting the internal DPO as needed in the individual case ("training on the job");
  • cooperating with supervisory authorities;
  • conducting employee training on data protection issues;
  • supporting the preparation of the list of processing operation;
  • supporting the implementation a data protection impact assessment;
  • providing advice on contracts with customers and external service providers and on the exchange of data within a group of companies, whether at national or international level;
  • supporting the introduction of procedures ensuring that data subjects can exercise their rights;
  • assessing data breaches and ensuring compliance with the associated notification requirements.

Your external DPO in Germany

We assist your organization as an external DPO. We will be pleased to provide a customized offer. Your contact partners for any questions relating to DPOs are Attorney Olga Stepanova and Attorney Lars Gerbe. The easiest way to reach us is by e-mail ( or by phone (+49 (0)69 76 75 77 80).

"Privacy Law": Recent blog posts

EU Commission Adopts New GDPR Standard Contractual Clause

- Olga Stepanova

EU Commission Adopts New GDPR Standard Contractual Clause

No materiality threshold for damages under the GDPR?

- Patricia Jechel

No materiality threshold for damages under the GDPR?

Challenge in Data Protection: Data Transfer From the EU to the USA and Great Britain

- Olga Stepanova

Challenge in Data Protection: Data Transfer From the EU to the USA and Great Britain


1627094462 > 1633471200

WINHELLER is represented by three lawyers in the 2021 Best Lawyers Ranking.


1627094462 > 1629842400

Among 405 companies, WINHELLER has made it into the 2021 best list in the field of tax law.





Juve AwardLegal 500 Germany 2019
azur100: Top Employer for Lawyers 2021