Public bodies, like public authorities, schools, and kindergartens, have a duty to appoint a DPO. Under the GDPR, private bodies, like companies, need to appoint a DPO if certain conditions are fulfilled. The appointment is mandatory if

• the organization's core business operations involve the processing of especially sensitive personal data, like health data, data relating to religious or ideological convictions, or data relating to criminal convictions or offences, on a large scale, or
• the core business operations involve the regular and systematic monitoring of data subjects on a large scale.

In addition, the GDPR allows Member States to enact additional national rules for the appointment of DPOs. Germany has made use of this option. Pursuant to the new version of the Federal Data Protection Act (BDSG-new), the controller of the data processing has the duty to appoint a DPO if

• a company has 10 or more employees permanently engaged in the automated processing of personal data;
• the processing operations are subject to a data protection impact assessment; or
• personal data are processed in a businesslike manner for the purpose of transmission, or for market research or public opinion polling purposes.

Where a company is not required to appoint a DPO, it can decide to do so voluntarily.

The DPO's role is to enable self-monitoring with regard to compliance with data protection rules.

His duties include

• informing and advising the data processing controller (e.g. the management) and the employees about existing duties under data protection law;
• monitoring compliance with the data protection provisions (GDPR, BDSG and other data protection rules);
• raising awareness among, and providing training to, the employees;
• providing advice in connection with the data protection impact assessment; and
• cooperating with the supervisory authority. 

The GDPR has significantly increased both the duties and the responsibilities of the DPO. As a consequence, he will only be able to fulfill his duties adequately if he is suitably qualified and experienced in the areas of privacy law and data protection practices.

Basically an organization can appoint either one of its employees as a DPO (internal DPO) or an external DPO based on a service agreement. Due to the wide range of duties and the required expertise, practical experience has shown that an external solution offers a variety of advantages:

The advantages of engaging an external DPO include

• the existing expertise and extensive experience;
• an unbiased approach;
• the absence of conflicts of interest;
• the simple removal as, unlike internal DPOs, an external DPO does not benefit from any special protection against dismissal;
• the exclusion of costs for further or continuing training.

A disadvantage of an external DPO is, however, that he will first have to get acquainted with the particularities and processes of the client organization.

An organization that fails to appoint a DPO although it is legally obliged to do so is in violation of the GDPR and may face a fine of up to 10 million EUR or, in case of a company, up to 2 percent of the overall annual turnover generated worldwide in the preceding business year.

As a consequence all companies, nonprofit organizations, and public bodies should check whether or not they have a duty to appoint a DPO. Our privacy experts will be very pleased to assist you in doing so.

Your data protection in the hands of experts: We will be pleased to provide the external DPO for your organization or to advise and assist your corporate DPO as needed in the individual case.

Our services as an external DPO include

• assessing new projects and providing advice on how to implement them in compliance with data protection requirements;
• providing information and advice to the management and employees on issues relating to data protection law;
• assessing existing, and advising on the introduction of appropriate, technical and organizational measures;
• supporting the internal DPO as needed in the individual case ("training on the job");
• cooperating with supervisory authorities;
• conducting employee training on data protection issues;
• supporting the preparation of the list of processing operation;
• supporting the implementation a data protection impact assessment;
• providing advice on contracts with customers and external service providers and on the exchange of data within a group of companies, whether at national or international level;
• supporting the introduction of procedures ensuring that data subjects can exercise their rights;
• assessing data breaches and ensuring compliance with the associated notification requirements.