CIVAC
Data Protection & Privacy · 30 May 2026 · 12 min read

From What Point Do You Need a Data Protection Officer: Thresholds, Obligations, Deadlines

By Lena Vogt

The obligation to designate a data protection officer applies earlier than many management teams assume. This guide shows the Section 38 BDSG thresholds, the GDPR triggers, the consequences of a late appointment and a clean path from assessment to deed of appointment.

Under Section 38(1) BDSG, companies in Germany must designate a data protection officer as soon as, as a rule, at least 20 people are constantly engaged in the automated processing of personal data. Irrespective of this, the obligation under Art. 37(1) GDPR applies wherever the core activity consists of large-scale, regular and systematic monitoring of data subjects or of large-scale processing of special categories of data under Art. 9 GDPR. Both thresholds operate side by side: whichever is reached first triggers the obligation.

Practice shows: many SMEs only discover the obligation through a supervisory enquiry or a data breach. By then the 72-hour deadline under Art. 33 GDPR is already running while internal responsibility remains unclear. This article explains the triggers, the level of possible fines, the difference between internal and external appointment, and the formal steps up to the deed of appointment with which you fulfil the obligation and inform the supervisory authority in a legally sound manner.

Key Takeaways

  • From 20 people engaged in automated data processing, Section 38 BDSG applies, regardless of the sector.
  • Where there is large-scale monitoring or Art. 9 data, Art. 37 GDPR applies from the very first employee.
  • The appointment is documented in writing; the DPO's contact details must be communicated to the supervisory authority and published, typically in the privacy policy or the legal notice (Impressum), under Art. 37(7) GDPR.

The Two Central Legal Bases: Section 38 BDSG and Art. 37 GDPR

The question of when a data protection officer becomes mandatory is answered by two parallel provisions. Art. 37(1) GDPR obliges every controller and every processor whose core activity consists of large-scale, regular and systematic monitoring of data subjects, or of the large-scale processing of special categories of personal data under Art. 9 GDPR or criminal-conviction data under Art. 10 GDPR. This trigger has no minimum headcount.

Section 38(1) BDSG adds for Germany: as soon as, as a rule, at least 20 people are constantly engaged in the automated processing of personal data, a data protection officer must be designated. Those counted are employees with access to personnel data, customer data, applicant profiles, accounting systems or CRM tools. Part-time staff, trainees and working students count too. A second threshold under the second sentence of Section 38(1) BDSG applies regardless of the number of people where a data protection impact assessment under Art. 35 GDPR is required, or where personal data is processed commercially for the purpose of transmission, anonymised transmission, or market or opinion research. Outsourcing the role to an external data protection officer fulfils the obligation just as well, provided the appointment is documented in writing and the authority is informed.

What Does "As a Rule Constantly" Mean? Counting in Practice

The wording of Section 38 BDSG regularly gives rise to questions of interpretation. "As a rule" refers to the normal state of the business over several months, not a snapshot. Seasonal fluctuations or individual sick days do not cause the obligation to lapse. "Constantly" means that the people concerned work with personal data recurrently, not just occasionally.

Automated processing includes every operation in IT systems: sending an email with customer data, maintaining a CRM entry, posting in the ERP, applicant management, newsletter dispatch, time recording. A single case handler who conducts personal correspondence in Outlook already counts towards the threshold. In a typical SME, the threshold of 20 is therefore usually reached well before the mark of 50 total employees. Management teams that assume only staff in HR or sales are relevant systematically underestimate the obligation.

Anyone wishing to document the count cleanly keeps a short list of the roles with data access, together with the date of the assessment and the headcount it produced. This list becomes part of the record of processing activities under Art. 30 GDPR and belongs in the audit folder, next to the signed deed of appointment. Anyone who documents transparently here spares themselves discussions with the authority in the event of an audit.

Special Triggers: DPIA, Art. 9 Data and Public Bodies

In addition to the 20-person threshold, there are triggers that apply regardless of the number of employees. First: where a data protection impact assessment under Art. 35 GDPR is required, for example for the systematic and extensive evaluation of personal aspects of natural persons, the large-scale processing of sensitive data or the systematic monitoring of publicly accessible areas, the DPO obligation under the second sentence of Section 38(1) BDSG applies.

Second: where special categories of personal data under Art. 9 GDPR are processed on a large scale, the company falls directly under Art. 37(1)(c) GDPR. These include health data, genetic and biometric data, data on ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning sex life or sexual orientation. Practices, clinics, care services, occupational health providers and market research institutes typically fall under this; staffing providers do as soon as applicant profiles contain health or similar data.

Third: public bodies must designate a data protection officer under Art. 37(1)(a) GDPR and Section 5 BDSG, regardless of size and number of employees. This also applies to municipal enterprises and entrusted operators. Associations and foundations may already be covered below the threshold of 20 as soon as they systematically evaluate member data or build donor profiles. A cleanly documented threshold assessment is therefore part of the initial setup of every growing SME.

Consequences of a Late or Omitted Appointment

Infringements of the designation obligation are sanctioned via Art. 83(4)(a) GDPR. The fine level reaches up to EUR 10 million or 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. To these are added personal risks for management under Section 130 OWiG for breach of supervisory duty, where further infringements result from the missing DPO appointment.

Often more relevant in practice is the escalation dynamic after a data breach. If a reportable event under Art. 33 GDPR occurs, the 72-hour deadline runs from awareness. Anyone who has at that moment established neither a DPO nor a notification path risks a second breach of obligation. Authorities document this combination, and it has a fine-increasing effect. The state data protection commissioners publish annual activity reports in which the multiple infringements are named as a typical fine driver.

Added to this are civil compensation claims by data subjects under Art. 82 GDPR, warnings (Abmahnungen) from competitors and reputational damage in B2B sales. Major customers require the designation of a data protection officer in data processing agreements and check it in supplier audits. Anyone who ignores the obligation loses tenders. When the auditor calls, the evidence has to be ready. This rule applies to the deed of appointment just as it does to the record of processing activities.

Internal or External DPO: Criteria for the Decision

The GDPR leaves open the choice between an internal and an external data protection officer (Art. 37(6) GDPR). Both variants require expertise under Art. 37(5) GDPR, an independent position free from instructions under Art. 38 GDPR, and the ability to perform the tasks of Art. 39 GDPR. The choice depends on four factors: availability of qualified personnel, conflicts of interest, risk profile and budget.

An internal DPO knows the company, is present in day-to-day business and can use short routes. Hurdles: where the designation is mandatory, Section 38(2) BDSG extends the special protection of Section 6(4) BDSG to the internal DPO, so the employment can only be terminated for cause, during the appointment and for one year after it ends. Conflicts of interest exclude IT managers, HR managers and managing directors from the role, because they co-decide on processing operations that they would have to oversee themselves. Added to this is the ongoing training effort: ISO/IEC 27701, BSI IT-Grundschutz and current supervisory practice change continuously.

An external DPO brings routine from clients supervised in parallel, carries liability insurance and works independently. Classic lead time to appointment: two to six weeks. CIVAC shortens this path to two working days by preparing the deed of appointment, reporting line, confidentiality arrangement and supervisory notification via the workspace. License the workspace for your internal officers or have our officers appointed. Both paths fulfil Art. 37 GDPR, both are documented in an audit-proof manner.

Deed of Appointment, Supervisory Notification, Publication: The Formal Steps

The appointment of a data protection officer should be documented in writing. Neither the GDPR nor Section 38 BDSG prescribes a particular form, but the accountability principle in Art. 5(2) GDPR means the designation, its date and its scope must be demonstrable, and a mere email note is weak evidence. Required in practice are: a deed of appointment signed by management and the appointed person, a description of the tasks under Art. 39 GDPR, an arrangement for the reporting line to the highest management level under Art. 38(3) GDPR, a confidentiality agreement under Art. 38(5) GDPR and a clarification of freedom from instructions under Art. 38(3) GDPR.

The notification to the competent state data protection authority then follows. Most authorities offer online forms or encrypted mailboxes. Notified are the name and contact details of the DPO, as a rule a functional email address and a telephone number. A private address is not required, since publication in the legal notice (Impressum) only requires the functional address.

In the legal notice or, more commonly, the privacy policy, the DPO is named with a contact option for data subjects; Art. 37(7) GDPR requires the contact details to be published, and Art. 13(1)(b) GDPR requires them to be given at the point of data collection. Anyone who cleanly documents the deed of appointment, the supervisory notification and the publication has completed the first audit building block. The deed of appointment belongs in the immutable compliance folder, not in an Outlook mailbox.

Catalogue of Tasks under Art. 39 GDPR: What the DPO Actually Does

The catalogue of tasks of the data protection officer is set out in Art. 39(1) GDPR, which lists the minimum tasks ("at least the following"). First: informing and advising the controller and the employees regarding their obligations under the GDPR and national law. Second: monitoring compliance with the GDPR, other data protection provisions and the controller's policies, including awareness-raising, training and audits. Third: advising on data protection impact assessments under Art. 35 GDPR and monitoring their performance. Fourth: cooperation with the supervisory authority. Fifth: acting as a point of contact for the supervisory authority under Art. 39(1)(e) GDPR.

Operationally, this results in a typical annual cycle: ongoing maintenance of the record of processing activities, training for employees, support for new processing operations, responding to data subject requests under Art. 15 to 22 GDPR, support for data processing agreements, support for data protection incidents and notification to the authority within 72 hours.

The DPO is an adviser, not a decision-maker. Responsibility for compliance with the GDPR remains, under Art. 24 GDPR, with the controller, as a rule management. This separation gives the DPO independence but does not relieve management of its duty to oversee and steer data processing within the company.

Training, Liability, Special Protection Against Dismissal: What Is Often Overlooked

The data protection officer must have the necessary expertise under Art. 37(5) GDPR. The law does not name a specific number of hours; in practice, the authorities expect annual training in the range of 20 to 40 hours. Proof is provided via training certificates and attendance lists. The training is the obligation of the company, not of the private individual.

The special protection against dismissal under Section 6(4) BDSG, extended to non-public bodies by Section 38(2) BDSG where the designation is mandatory, protects internal data protection officers from ordinary dismissal. It applies during the appointment and for one year beyond. For external DPOs the protection does not apply, because the contractual relationship is a service contract. Art. 38(3) GDPR additionally prohibits dismissing or penalising the DPO for performing their tasks; removal from the role requires an important reason within the meaning of Section 626 BGB, for example prolonged inability to perform the tasks or loss of the required expertise.

The DPO's liability is limited. Since they are not a controller within the meaning of the GDPR, the fines under Art. 83 GDPR do not affect them directly. Personal liability risks exist in cases of gross negligence or intent in an employment-law context, as well as for breach of the duty of confidentiality. External DPOs cover these risks via professional indemnity insurance, which is standard in the market and is usually required in the service agreement.

From the Threshold to Implementation: How the Obligation Becomes a Completed Operation

Anyone who determines that the DPO obligation applies usually has two weeks of lead time until the next supplier audit, the next applicant interview or the next data incident. Formal fulfilment comprises six building blocks: threshold assessment documented, person selected, deed of appointment signed, authority notified, legal notice updated, reporting line established. With the first day of operations come the record of processing activities, the training plan and the response guide for data breaches.

CIVAC is a compliance platform and Officer-as-a-Service for exactly this path. In the workspace, the deed of appointment, supervisory notification, processing-record template and 37 audit templates are available on demand. The ISMS under ISO/IEC 27001:2022 with 93 controls secures EU data residency and the audit trail. License the workspace for your internal officers or have our officers appointed. Both variants shorten the lead time from the classic two to six weeks to two working days.

Turn reading into a mandate. Write to info@civac.de or use the contact form at civac.de. An initial conversation clarifies the threshold assessment, variant and appointment route, and within a few days you have a signed deed of appointment in the audit folder.

FAQ

From what number of employees is a data protection officer mandatory?

Under Section 38(1) BDSG, the threshold in Germany is, as a rule, at least 20 people who are constantly engaged in the automated processing of personal data. Irrespective of this, Art. 37 GDPR applies in cases of large-scale monitoring or processing of special data categories from as little as one person.

Do part-time staff and trainees count towards the 20-person threshold?

Yes. What matters is the number of people who constantly work with personal data, regardless of the scope of employment. Part-time staff, trainees, working students and temporary help are counted by headcount, provided they have regular access to IT systems containing personal data.

What fines threaten for an omitted appointment?

Art. 83(4)(a) GDPR provides for fines of up to EUR 10 million or 2 percent of worldwide annual turnover, whichever is higher. To these are added compensation claims under Art. 82 GDPR and personal liability risks for management under Section 130 OWiG.

Must the data protection officer be internal or can they be external?

Both are permissible under Art. 37(6) GDPR. External DPOs are often more quickly available, carry liability insurance and are typically free of internal conflicts of interest. Internal DPOs benefit from knowledge of the processes but must take into account special protection against dismissal and training effort.

How quickly must the appointment be made after reaching the threshold?

The law does not name a specific deadline. The authorities expect a prompt appointment, in practice within a few weeks. A delay of months is regularly viewed negatively in fine proceedings, especially where a data breach under Art. 33 GDPR occurs in parallel.

What documents must be in place after the appointment?

Required in practice are a deed of appointment in writing with a catalogue of tasks under Art. 39 GDPR, a notification of the DPO's contact details to the supervisory authority, the publication of those contact details in the privacy policy or legal notice, and a regulated reporting line to management. All documents belong in the immutable audit folder.
