Data Protection Officer in Germany

German Data Protection Officer: Tasks, Rights and Duties

Tasks of an external data protection officer in Germany

The General Data Protection Regulation (GDPR) introduced the first European-wide duty for companies and public authorities to appoint a data protection officer (DPO). At the same time, the regulation has tightened the requirements for the appointment of a DPO and altered the DPO's position and role. The GDPR has increased the importance of DPOs within companies, public bodies, and nonprofit organizations.

External Data Protection Officer Services Germany

Duty to appoint a data security officer

Public bodies, like public authorities, schools, and kindergartens, have a duty to appoint a DPO. Under the GDPR, private bodies, like companies, need to appoint a DPO if certain conditions are fulfilled. The appointment is mandatory if

  • the organization's core business operations involve the processing of especially sensitive personal data, like health data, data relating to religious or ideological convictions, or data relating to criminal convictions or offences, on a large scale, or
  • the core business operations involve the regular and systematic monitoring of data subjects on a large scale.

DPOs for German companies having 10 or more employees

In addition, the GDPR allows Member States to enact additional national rules for the appointment of DPOs. Germany has made use of this option. Pursuant to the new version of the Federal Data Protection Act (BDSG-new), the controller of the data processing has the duty to appoint a certified DPO if

  • a company has 10 or more employees permanently engaged in the automated processing of personal data;
  • the processing operations are subject to a data protection impact assessment; or
  • personal data are processed in a businesslike manner for the purpose of transmission, or for market research or public opinion polling purposes.

Where a company is not required to appoint a DPO, it can decide to do so voluntarily.


Privacy and Cyber Security in Germany 2023
(Chapter in the Law Review series)

Our privacy experts contributed a chapter on data protection in Germany to the handbook The Privacy, Data Protection and Cybersecurity Law Review.

Read here for free

The role of the DPO

The DPO's role is to enable self-monitoring with regard to compliance with data protection rules.

His duties include

  • informing and advising the data processing controller (e.g. the management) and the employees about existing duties under data protection law;
  • monitoring compliance with the data protection provisions (GDPR, BDSG and other data protection rules);
  • raising awareness among, and providing training to, the employees;
  • providing advice in connection with the data protection impact assessment; and
  • cooperating with the supervisory authority

The GDPR has significantly increased both the duties and the responsibilities of the certified data protection officer. As a consequence, he will only be able to fulfill his duties adequately if he is suitably qualified and experienced in the areas of privacy law and data protection practices in Germany.

Internal or external DPO?

Basically an organization can appoint either one of its employees as a DPO (internal DPO) or an external DPO based on a service agreement. Due to the wide range of duties and the required expertise, practical experience has shown that an external solution offers a variety of advantages.

Benefits of an external data protection officer

The advantages of engaging an external data protection officer include

  • the existing expertise and extensive experience;
  • an unbiased approach;
  • the absence of conflicts of interest;
  • the simple removal as, unlike internal DPOs, an external DPO does not benefit from any special protection against dismissal;
  • the exclusion of costs for further or continuing training.

A disadvantage of an external DPO is, however, that he will first have to get acquainted with the particularities and processes of the client organization.

What may happen if no DPO has been appointed?

An organization that fails to appoint a data security protection officer although it is legally obliged to do so is in violation of the GDPR and may face a fine of up to EUR 10 million or, in case of a company, up to 2 percent of the overall annual turnover generated worldwide in the preceding business year.

As a consequence all companies, nonprofit organizations, and public bodies should check whether or not they have a duty to appoint a DPO. Our privacy experts will be very pleased to assist you in doing so.

Our services as an external DPO in Germany

Your data protection in the hands of experts: We will be pleased to provide the external data protection officer for your organization or to advise and assist your corporate DPO as needed in the individual case.

Our services include:

  • assessing new projects and providing advice on how to implement them in compliance with data protection requirements;
  • providing information and advice to the management and employees on issues relating to data protection law;
  • assessing existing, and advising on the introduction of appropriate, technical and organizational measures;
  • supporting the internal DPO as needed in the individual case ("training on the job");
  • cooperating with supervisory authorities;
  • conducting employee training on data protection issues;
  • supporting the preparation of the list of processing operation;
  • supporting the implementation a data protection impact assessment;
  • providing advice on contracts with customers and external service providers and on the exchange of data within a group of companies, whether at national or international level;
  • supporting the introduction of procedures ensuring that data subjects can exercise their rights;
  • assessing data breaches and ensuring compliance with the associated notification requirements.

Your external DPO in Germany

We assist your organization as an external data protection officer. We will be pleased to provide a customized offer.

The easiest way to reach us is by e-mail ( or by phone (+49 69 76 75 77 80).

Do you need support?

Do you have questions about our services or would you like to arrange a personal consultation? We look forward to hearing from you! Please fill in the following information.

Or give us a call: +49 69 76 75 77 80