77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Federal Data Protection Act 2026: Obligations, thresholds, appointment certificate
Data Protection & Privacy

Federal Data Protection Act 2026: Obligations, thresholds, appointment certificate

19 June 202613 min readBy Lena Vogt
CIVAC

The Federal Data Protection Act specifies the GDPR in Germany and requires a data protection officer for groups of 20 or more people. This article explains thresholds, fines, ordering obligations and what evidence is required in the audit.

The Federal Data Protection Act (BDSG) in its current version has been in force since May 25, 2018 and supplements the General Data Protection Regulation (Regulation (EU) 2016/679) with national opening clauses. Among other things, it regulates the obligation to appoint data protection officers in Section 38 Paragraph 1 BDSG, employee data protection in Section 26 BDSG and the sanctions in connection with Article 83 GDPR and Section 43 BDSG. Anyone who processes personal data in Germany cannot avoid the BDSG, even if the company's headquarters are abroad and only the market place principle according to Art. 3 Para. 2 GDPR applies.

This article classifies the BDSG from an operational perspective. Which thresholds trigger which obligation, what evidence does a supervisory authority require in the event of an event-related audit, and where does Germany differ from other EU member states. You will receive concrete information on how to appoint a data protection officer, how to maintain the processing register in accordance with Art. 30 GDPR and the 72-hour reporting period for data breaches in accordance with Art. 33 GDPR. In the final part we show how these obligations can be represented as a platform task rather than as a loose file folder from the last decade. You are reading a practical guide, not a legal opinion, but every statement is supported by paragraphs or ISO references.

Key Takeaways

  • Section 38 BDSG requires a data protection officer as soon as at least 20 people constantly process personal data automatically.
  • Fines according to Art. 83 GDPR range up to 20 million euros or 4 percent of the global annual group turnover, whichever is higher.
  • The appointment certificate, the processing directory and the reporting path in the event of a data breach are the three pieces of evidence that supervisory authorities regularly want to see first.

BDSG and GDPR: How the two sets of rules interact

The GDPR applies directly in all EU member states and, as a regulation, takes precedence over national law. However, the Federal Data Protection Act uses the opening clauses that the GDPR expressly provides. These include the obligation to appoint data protection officers in Section 38 BDSG (opening via Art. 37 Para. 4 GDPR), employee data protection in Section 26 BDSG (opening via Art. 88 GDPR), special circumstances for video surveillance in Section 4 BDSG and the processing of special categories of personal data in Section 22 BDSG. Regulations on scoring (§ 31 BDSG), data transfer to public bodies (§§ 23, 24 BDSG) and the correction of archived holdings (§ 35 BDSG) are also national specifications.

In practice, this means: a pure GDPR conformity check does not go far enough in Germany. Anyone who keeps a processing list in accordance with Article 30 of the GDPR must also check whether Section 38 of the BDSG applies, whether Section 26 of the BDSG provides the legal basis for employee processing and whether confidentiality obligations under Section 203 of the Criminal Code are affected. The sanctions are also spread over two worlds. The fines largely follow Art. 83 GDPR, the BDSG supplements its own administrative offenses in Section 43 BDSG, for example in the case of unauthorized transmission of non-obvious personal data or violations of information rights.

A well-founded data protection organisation is aware of this interaction and documents it. CIVAC provides audit templates that link the obligations from the GDPR and BDSG in a single evidence matrix. Auditors can see at a glance which measure serves which standard without having to maintain a second Excel table. You can find out more about the role on the page external data protection officer, and an overview of all roles on civac.de/roles. The distinction from the ePrivacy Directive and the TTDSG, which have priority for cookies and tracking services, is also practically relevant. Anyone who only has the GDPR in mind regularly overlooks the TTDSG consent in accordance with Section 25 TTDSG, which can be triggered regardless of the reference to personal data.

§ 38 BDSG: When the appointment of a data protection officer becomes mandatory

According to Section 38 Paragraph 1 Sentence 1 BDSG, those responsible and processors appoint a data protection officer if they usually employ at least 20 people on a permanent basis with the automated processing of personal data. The threshold applies cumulatively to full-time and part-time employees, freelancers, interns and temporary workers, provided they regularly work in data processing processes. Pure read access to email inboxes, CRM systems or applicant databases counts. What is important is not the form of the contract, but the actual activity on the data record.

Regardless of the 20-person threshold, the obligation to order according to Section 38 Paragraph 1 Sentence 2 BDSG necessarily exists in three case groups. Firstly, if the processing is subject to a data protection impact assessment in accordance with Art. 35 GDPR, for example in the case of large-scale profiling or processing of sensitive data. Secondly, if special categories of personal data are processed commercially in accordance with Art. 9 GDPR, such as health data by practices or nursing services. Thirdly, if data is processed for the purpose of commercial transmission, anonymized transmission or market and opinion research. Sectoral obligations, for example for those subject to professional secrecy in accordance with Section 203 of the Criminal Code, remain in effect.

The order is made in writing using an appointment certificate in which tasks in accordance with Art. 39 GDPR, freedom from instructions in accordance with Art. 38 Paragraph 3 GDPR and reporting line to the management are documented. CIVAC delivers the certificate in the workspace as a versioned template, including an escalation matrix, annual confirmation of task performance and substitution regulations. The appointment certificate, signed, filed, verifiable. This means that the evidence is immediately available during the audit, without having to search for file folders or sift through email threads. It is also important to report the contact details to the supervisory authority in accordance with Art. 37 Para. 7 GDPR, as well as to make them public, for example in the legal notice or in the data protection declaration.

Processing directory, order processing, TOMs: The three ongoing tasks

There are three duties that concern every data protection officer on a permanent basis, regardless of industry and size. Firstly, the List of processing activities in accordance with Art. 30 GDPR. It records all processing with purpose, legal basis, data categories, recipients, storage periods and technical-organisational measures. The obligation applies below 250 employees as soon as processing is carried out regularly or at risk (Art. 30 Para. 5 GDPR). In practice, a medium-sized company has 30 to 80 processing operations, a group has three-digit volumes.

Secondly, order processing according to Art. 28 GDPR. Every external service provider who processes personal data on your behalf needs a written contract with the minimum content set out in Article 28 (3) GDPR. Cloud providers, payroll accounting, newsletter tools, help desk systems, recruiting software, and even the external shredding company are included. Third country transfers additionally require standard contractual clauses (implementing decision (EU) 2021/914) and a documented transfer impact assessment. Anyone who uses hyperscalers must also check the authorities' access in the respective third country.

Thirdly, the technical-organisational measures in accordance with Art. 32 GDPR. Encryption, pseudonymization, availability, resilience and a procedure for regularly checking effectiveness are mandatory. Anyone who operates an ISMS according to ISO/IEC 27001:2022 with the 93 controls from Appendix A covers the TOMs structurally. The CIVAC platform links both worlds in a single list of measures and makes the effectiveness verifiable, with those responsible, deadlines and audit status. For operational depth, it is worth taking a look at the CIVAC FAQ, where the most common audit questions are prepared. In addition, sector specifications must be observed, such as the BSI basic protection for KRITIS sectors, ISO/IEC 27017 for cloud security or the TISAX requirements for the automotive industry. These frameworks overlap in content with the TOMs according to Art. 32 GDPR and should be maintained in a common measures matrix, otherwise additional effort will arise.

Fines, supervision, liability: what happens if a violation occurs

The amount of the fines results from Art. 83 GDPR. For most violations, level one applies up to 10 million euros or 2 percent of the previous year's global turnover, for example in the case of violations of order processing or obligations of processors themselves. For core violations such as a lack of legal basis, violation of the rights of those affected or disregarding supervisory orders, level two applies to 20 million euros or 4 percent. The higher amount is decisive. § 43 BDSG supplements national administrative offenses, such as the unauthorized transmission of non-publicly accessible data or the obtaining of personal data under false pretenses.

In Germany, the supervisory authority is the respective state data protection authority (LfDI Baden-Württemberg, BayLDA, LDI NRW and so on), in sectors such as telecommunications or post the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Supervisory measures range from requests for information to orders to the suspension of processing (Article 58 GDPR). The management is personally liable in accordance with Section 130 OWiG for breaches of supervisory duties, under civil law in accordance with Art. 82 GDPR towards those affected, and there are also reputational and investor risks in listed companies.

What is important is the reversal of the burden of proof in accordance with Art. 24 GDPR: The person responsible must prove that the processing is lawful. Without proper documentation, the process becomes expensive because the supervisory authority evaluates the missing evidence to the detriment of the company. The CIVAC platform logs every measure with a time stamp, person responsible and approval so that the auditor calls and the proof is ready. You can find an overview of all representative roles that relieve management at civac.de/roles. In fact, the practice of fines in recent years shows that it is not one spectacular incident that costs the largest sums, but rather repeated violations of information and deletion obligations, missing order processing contracts and poorly documented supervisory communication.

Data breaches: The 72-hour path according to Art. 33 GDPR

A data breach, technically a violation of the protection of personal data, is, according to Art. 4 No. 12 GDPR, any security breach that leads to the destruction, loss, alteration or unauthorized disclosure of personal data. This includes encrypted notebooks that are stolen, as well as incorrectly addressed collective emails with an open recipient list, access data obtained through phishing, defective backups with personal references or a ransomware incident with encryption of productive data sets. The accidental publication of application documents in a public place also counts.

The reporting obligation takes effect as soon as the person responsible becomes aware of it. Deadline begins as soon as we become aware of it. The responsible supervisory authority must be informed within 72 hours (Art. 33 GDPR), and if there is likely to be a high risk to the rights and freedoms of those affected, they must be informed immediately (Art. 34 GDPR). The notification must include the nature and extent of the breach, categories and approximate numbers of those affected, categories and approximate numbers of personal records, likely consequences and measures taken or proposed. A later or staggered report is possible, but must be documented with reasons in the report text.

The operational bottleneck is rarely due to the form, but rather to recognition, escalation and decision-making in the first 24 hours. Anyone who pulls the breakdown paths into a platform as a workflow, with roles, SLA clock, template texts and an audit-proof storage, will meet the deadline even if it is reported on Friday evening. CIVAC maps the reporting path as a guided workflow and then produces the registration certificate as an audit-proof PDF, including internal documentation for supervision and management. Anyone who fulfils NIS 2 obligations in parallel can report the same incident in both reporting paths without double recording, because the 24/72 logic according to BSIG and the 72-hour logic according to Art. 33 GDPR expire upon knowledge.

Employee data protection according to Section 26 BDSG: Application until leaving

§ 26 BDSG allows the processing of employee data for the purposes of the employment relationship, to the extent necessary. Necessary means: without the processing, the task would not be possible or could only be carried out with disproportionate effort. The standard covers everything from applicant selection, payroll, time recording, performance evaluation, illness management and use of company IT to record keeping after leaving the company. It applies to classic employment relationships as well as to employee-like people and trainees.

In practice, there are four stumbling blocks. Firstly, the issue of consent in the employment relationship: Because of the relationship of dependency, voluntariness is not a given, which Section 26 Para. 2 BDSG expressly addresses and thus partially offsets the ECJ ruling on the Hessian Data Protection Act. Secondly, employee monitoring, such as browser logs, email scans, GPS on company vehicles or keyboard analytics in the home office: These are only permitted under strict conditions and usually after works council participation in accordance with Section 87 Paragraph 1 No. 6 BetrVG. Thirdly, the retention periods: Employment contracts at least 10 years due to Section 257 of the German Commercial Code (HGB), salary documents 6 years according to the AO, application documents of rejected applicants a maximum of 6 months without express consent due to Section 15 AGG. Fourthly, the topic of Whistleblowing: Whistleblower reports according to the HinSchG may not be openly linked to HR data.

All of this can be operationalized. A lean data protection policy for HR, supplemented by a processing overview, a training concept, a deletion matrix and an escalation rule for special processes, covers the typical audit questions. The CIVAC audit templates contain exactly these five building blocks as fillable modules with versioning. In addition, for groups with cross-border processing, the one-stop-shop logic according to Art. 56 GDPR with a lead supervisory authority applies, which can simplify HR data processing in companies operating across Europe.

DSB internal or external: costs, liability, availability

A data protection officer can be appointed internally or externally (Art. 37 Para. 6 GDPR, Section 38 Para. 2 BDSG in conjunction with Section 6 BDSG). Both paths are permissible, but differ in costs, risk and speed. An internal DPO brings market proximity and knows the processes, but can come into role conflict, for example if IT management, HR management or management are in the same person as the DPO function. Art. 38 Para. 6 GDPR expressly prohibits conflicts between tasks and the DPO function. The data protection conference has specified the permissible constellations in several resolutions.

An external DPO is liability insured, independent, can be used immediately and provides a market price instead of a full cost calculation with training, representation and further education. The contract term is typically 24 months with a three-month notice period in accordance with Section 38 Paragraph 2 BDSG in conjunction with. V. m. § 6 para. 4 BDSG, the protection against dismissal protects the person, not the contract. Remuneration depends on the number of employees, risk profile, sector and number of locations. A realistic indication for a medium-sized company is between 4,000 and 18,000 euros annually, a corporation or a clinic is higher.

CIVAC works with a dual model. Licence the workspace for your internal representatives, or have our representatives order it. This way you can ensure liability and availability without paying the market rate for a full-time position. Switching between the two modes is possible at any time in a company's life cycle, for example when an internal position becomes available or an M&A phase requires additional compliance depth. It is important to hand over the inventory documentation: the directory, appointment certificate, reporting incidents and training lists remain in the workspace and are not lost with the person.

Prepare for the BDSG audit: The typical test components

An audit or an event-related examination by the supervisory authority follows a recurring pattern. Auditors almost always see four components first: the appointment certificate from the data protection officer with the current date, the processing directory according to Art. 30 GDPR including the current status, the proof of TOMs according to Art. 32 GDPR with proof of effectiveness and the reporting path in the event of data breaches with at least one documented example from practice. If these four are clear, the first hour of the audit is typically unproblematic.

In addition, increasingly deeper layers are checked: the authorisation concept with the need-to-know principle, deletion concepts with deletion classes and deadlines according to DIN 66398, contracts for order processing with the associated TOM appendix, third country transfer analyses with Schrems II reference, training certificates with content and date as well as the procedure Rights of those affected in accordance with Articles 12 to 22 GDPR. Poorly prepared data information regularly triggers the next complaint because those affected forward follow-up correspondence with the supervisory authority. The functionality of the internal reporting office in accordance with the HinSchG is also taken into account in an expanded review.

Pragmatic preparation includes a complete list of measures, the reflection of these measures in the directory, a quarterly self-assessment and an emergency manual for data breaches with a telephone list and template texts. Audit-proof, documented, Section 38-proof. CIVAC bundles these building blocks as a guided workflow on a platform with German data residency, so that the response time compared to supervision drops from weeks to days and management can view the compliance status at any time. Experienced data protection officers also keep a lessons-learned log in which every official inquiry and every internal complaint is documented with response time, reasoning and result, which noticeably expands the scope for argumentation in recurring audits.

From BDSG text to verifiable evidence: How CIVAC supports

The Federal Data Protection Act is a good twenty printed pages long. The operational part, i.e. what has to happen every day, fills several filing cabinets or, more cleverly, a platform. CIVAC sees itself as a compliance platform and officer-as-a-service: We bring the appointment certificate, processing directory, technical-organisational measures, reporting path and training certificates into a workspace with 490 ready-to-use audit templates, reporting line to management and defined escalation paths. Data residence: Germany. Authentication: SSO or SAML. Interfaces: common HR and ticket systems.

Others run compliance like a filing cabinet. We run it like software. So that the examiner calls, the proof is ready. Licence the workspace for your internal representatives, or have our representatives order it. The dual model is deliberately kept open because company sizes, risk profiles and IT maturity levels are different. The platform's SLA is two business days, measured from the time the request is received, instead of the industry standard two to six weeks. In addition to the workspace, we provide prepared templates for procedure lists, AVV, TOM descriptions, training slides and templates for data subject rights, so that you don't have to restructure every task from scratch.

If you now want to be specific: turn reading into an order. Write to info@civac.de or use the contact form on civac.de. We will schedule a 30-minute initial consultation in which we will discuss your status quo, the thresholds from Section 38 BDSG and the next three sensible steps. This costs nothing and delivers a written proposal with a clear task list, timeline and transparent prices no later than the business day after next. In any case, you retain sovereignty over order data, directories and evidence because the platform works with an export function and EU data residency and is not forced into US tooling.

FAQ

For how many employees must a data protection officer be appointed?

Section 38 Paragraph 1 Sentence 1 BDSG requires a data protection officer as soon as at least 20 people regularly process personal data automatically. Full- and part-time employees, temporary workers and freelancers with regular data access are counted. Regardless of the threshold, the obligation also applies to impact assessment obligations in accordance with Article 35 of the GDPR or in the case of commercial processing of special categories of data in accordance with Article 9 of the GDPR.

What fines are there for violations of the BDSG?

Art. 83 GDPR provides for two levels: up to 10 million euros or 2 percent of global group sales for formal violations, up to 20 million euros or 4 percent for material core violations such as a lack of legal basis. The higher amount always applies. In addition, Section 43 BDSG can punish its own administrative offenses, and the management is personally liable in accordance with Section 130 OWiG for breaches of supervisory duties.

How does the BDSG differ from the GDPR?

The GDPR applies directly in all EU countries. The BDSG uses their opening clauses and supplements national regulations, in particular on the obligation to order (Section 38), on employee data protection (Section 26), on video surveillance (Section 4) and on special categories (Section 22). In practice, both sets of rules are intertwined; BDSG conformity without reference to the GDPR is not possible, and a GDPR check is not complete without BDSG.

What deadlines apply in the event of a data breach?

Art. 33 GDPR requires reporting to the supervisory authority within 72 hours of the person responsible becoming aware of it. If there is a high risk for those affected, immediate notification is required in accordance with Art. 34 GDPR. The period begins with positive knowledge, not with final confirmation. A later report is possible, but the reasons must be documented in the report text, otherwise the sanction practice will apply.

Does the data protection officer have to be internal or external?

Art. 37 Para. 6 GDPR and Section 38 Para. 2 BDSG allow both ways. Internally brings market proximity, but entails role conflicts with IT or HR management, which are not permitted according to Art. 38 Para. 6 GDPR. External brings liability, insurance, independence and predictable costs starting at around 4,000 euros per year. For many medium-sized companies, the external solution is faster, cheaper and more audit-proof.

What does a data protection audit check first?

Supervisory authorities almost always ask for four components first: the data protection officer's appointment certificate, the current processing directory in accordance with Art. 30 GDPR, proof of technical-organisational measures in accordance with Art. 32 GDPR and the reporting path in the event of data breaches with a real example. Anyone who keeps these four clean will regularly gain room for argument from the supervisory authority. Evidence of training and the procedure for the rights of those affected are also relevant.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles