Public bodies, like public authorities, schools, and kindergartens, have a duty to appoint a DPO. Under the GDPR, private bodies, like companies, need to appoint a DPO if certain conditions are fulfilled. The appointment is mandatory if

• the organization's core business operations involve the processing of especially sensitive personal data, like health data, data relating to religious or ideological convictions, or data relating to criminal convictions or offences, on a large scale, or
• the core business operations involve the regular and systematic monitoring of data subjects on a large scale.

In addition, the GDPR allows Member States to enact additional national rules for the appointment of DPOs. Germany has made use of this option. Pursuant to the new version of the Federal Data Protection Act (BDSG-new), the controller of the data processing has the duty to appoint a certified DPO if

• a company has 10 or more employees permanently engaged in the automated processing of personal data;
• the processing operations are subject to a data protection impact assessment; or
• personal data are processed in a businesslike manner for the purpose of transmission, or for market research or public opinion polling purposes.

Where a company is not required to appoint a DPO, it can decide to do so voluntarily.

The DPO's role is to enable self-monitoring with regard to compliance with data protection rules.

His duties include

• informing and advising the data processing controller (e.g. the management) and the employees about existing duties under data protection law;
• monitoring compliance with the data protection provisions (GDPR, BDSG and other data protection rules);
• raising awareness among, and providing training to, the employees;
• providing advice in connection with the data protection impact assessment; and
• cooperating with the supervisory authority. 

The GDPR has significantly increased both the duties and the responsibilities of the certified data protection officer. As a consequence, he will only be able to fulfill his duties adequately if he is suitably qualified and experienced in the areas of privacy law and data protection practices in Germany.

Basically an organization can appoint either one of its employees as a DPO (internal DPO) or an external DPO based on a service agreement. Due to the wide range of duties and the required expertise, practical experience has shown that an external solution offers a variety of advantages.

An organization that fails to appoint a data security protection officer although it is legally obliged to do so is in violation of the GDPR and may face a fine of up to EUR 10 million or, in case of a company, up to 2 percent of the overall annual turnover generated worldwide in the preceding business year.

As a consequence all companies, nonprofit organizations, and public bodies should check whether or not they have a duty to appoint a DPO. Our privacy experts will be very pleased to assist you in doing so.