Data Protection Officer: Mandatory Appointment, Duties, and Designation Under Art. 37 GDPR
The Data Protection Officer (DPO) is a legal requirement for many organisations. Art. 37 GDPR and § 38 BDSG govern when appointment is mandatory, what qualifications the DPO must bring, and why the external solution is often the more cost-effective choice for mid-sized companies.
The Data Protection Officer (DPO) is the central compliance figure in European data protection law. Art. 37 GDPR and § 38 of the Federal Data Protection Act (BDSG) conclusively govern when appointment is mandatory, what requirements must be met, and how the role must be positioned within the organisation. Failing to make the appointment, or designating a formally inadequate DPO, risks a fine of up to EUR 10 million under Art. 83(4)(a) GDPR.
This article describes the statutory framework for the DPO appointment obligation, the core duties of the DPO in day-to-day business, the considerations involved in choosing between an internal and external DPO, and the formal requirements for the letter of appointment. At the end, you will learn how CIVAC — as a compliance platform and Officer-as-a-Service — enables external DPO appointment with full workspace integration.
Key Takeaways
- Under § 38(1) BDSG, the appointment obligation arises from 20 persons regularly engaged in automated data processing — in mid-sized companies with around 50 or more employees, this threshold is almost always met.
- Under Art. 38(3) GDPR, the DPO is functionally independent and may not be penalised for performing DPO duties — the DPO cannot simply be dismissed.
- CIVAC provides external DPOs within two working days: contract, letter of appointment, and workspace onboarding included.
Appointment Obligation: When Does an Organisation Need a DPO?
Art. 37(1) GDPR establishes the appointment obligation in three cases: where the processing is carried out by a public authority or body (Art. 37(1)(a)); where the core activities of the controller consist of regular and systematic large-scale monitoring of data subjects (Art. 37(1)(b)); or where the core activities consist of large-scale processing of special categories of data under Art. 9 or data relating to criminal convictions (Art. 37(1)(c)).
For German organisations, § 38(1) BDSG adds a national threshold: at least 20 persons permanently engaged in the automated processing of personal data. This figure is deliberately set low. In a mid-sized company of 100 employees, of whom 30 use a CRM in sales, 10 in HR maintain employee master data, and 5 carry out IT system administration, the threshold is exceeded more than twice over.
The appointment may also be made on a voluntary basis — but it is then subject to the same statutory requirements as a mandatory appointment (Art. 37(4) GDPR). An organisation that voluntarily appoints a DPO must protect them under the same rules and cannot informally revoke the appointment.
The appointment obligation applies regardless of whether the DPO role is filled internally or externally. Both options are expressly permitted under Art. 37(6) GDPR. For an external Data Protection Officer, a service contract is concluded instead of a letter of appointment, but it must cover the same content.
Qualifications and Independence: What the DPO Must Bring
Art. 37(5) GDPR requires that the DPO be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice and the ability to fulfil the tasks referred to in Art. 39 GDPR. The provision does not specify particular qualifications or certifications — the standard is determined by the risk level of the processing.
For an organisation that processes special categories of data on a large scale (e.g., a hospital or pharmaceutical company), in-depth knowledge of data protection law and, ideally, a recognised certification (TÜV, DEKRA, CIPP/E) are required. For a mid-sized company with standardised processing activities, a solid grasp of the GDPR text, the guidance of the Data Protection Conference (DSK), and the BDSG supplementary provisions is sufficient.
Art. 38(3) GDPR protects the DPO from instructions in the performance of their tasks. The DPO reports to the highest management level (Art. 38(3), third sentence), may not be dismissed or penalised for performing DPO duties, and must be provided with sufficient time and resources to carry out their tasks. A DPO who spends three days per week on other duties and only deals with data protection matters on the side does not structurally meet this requirement.
DPO Tasks Under Art. 39 GDPR
Art. 39(1) GDPR defines five core tasks of the DPO: informing and advising the controller and employees (Art. 39(1)(a)); monitoring compliance with the GDPR, other data protection provisions, and the organisation's data protection policies, including awareness-raising and training (Art. 39(1)(b)); providing advice on data protection impact assessments under Art. 35 (Art. 39(1)(c)); cooperating with the supervisory authority (Art. 39(1)(d)); and acting as the contact point for the supervisory authority on data protection matters (Art. 39(1)(e)).
In operational practice, this means: the DPO maintains or oversees the records of processing activities (Art. 30 GDPR), reviews data processing agreements (Art. 28), assesses new processing activities for DPIA obligations, coordinates breach notifications within 72 hours (Art. 33), handles data subject requests (Arts. 15–22), and documents all measures in a tamper-proof manner.
Importantly, the DPO does not make decisions on data protection matters for the organisation — the DPO advises; responsibility rests with the controller (Art. 24 GDPR). In the CIVAC workspace, all DPO tasks are mapped as recurring cadences: monthly RoPA review, quarterly training monitoring, annual TOM review. Every task generates an audit trail.
Internal vs. External DPO: Advantages and Disadvantages Compared
The decision between an internal and external DPO depends on the size of the organisation, data processing risks, and the internal expertise available. An internal DPO benefits from deep knowledge of the organisation — familiarity with systems, processes, and contacts. The disadvantage is that conflicts of interest may arise where the DPO's primary area of responsibility falls within the DPO's remit: an IT manager acting as DPO is effectively overseeing their own compliance in data protection-relevant IT projects.
Art. 38(6) GDPR permits the internal DPO to carry out other tasks but prohibits conflicts of interest. Data protection supervisory authorities have repeatedly made clear that the IT manager, HR manager, or legal counsel acting as DPO is structurally conflicted in many organisations.
An external DPO under Art. 37(6) GDPR, by contrast, offers: freedom from conflicts of interest, current market knowledge through concurrent mandates, immediate availability without staffing overhead, and predictable costs (flat fee rather than personnel costs). For mid-sized companies between 50 and 500 employees, the external DPO is almost always the more cost-effective solution. CIVAC provides certified external Data Protection Officers — with full workspace integration and a documented reporting structure.
Letter of Appointment and Service Contract: Formal Requirements
The DPO appointment must be documented — although the GDPR does not prescribe a particular form, supervisory authority practice expects either a written letter of appointment (internal) or a written service contract (external) that either mirrors or is combined with the data processing agreement under Art. 28 GDPR.
A letter of appointment for an internal DPO contains: the name of the appointed person, the start date, a description of duties under Art. 39 GDPR, a commitment to the necessary resources (time, budget, system access), a confidentiality obligation under Art. 38(5) GDPR, and the signature of senior management. For an external DPO, the service contract replaces the letter — it must additionally address availability, response times, and data access rights.
Under Art. 37(7) GDPR, the DPO must be notified to the supervisory authority — in Germany, this is done via the notification portal of the competent state data protection authority. This notification is not a mere formality: without it, the authority cannot verify in an inspection that a DPO has been properly appointed. Letter of appointment, signed, filed, verifiable — that is the standard in CIVAC's appointment processes for all 25 officer roles.
DPO and Information Security Officer: Distinction and Interfaces
The Data Protection Officer (DPO) and the Information Security Officer (ISO) are frequently confused or treated as a single function. The two roles are, however, substantively distinct. The DPO is responsible for the lawfulness of the processing of personal data — reviewing legal bases, data subject rights, transparency obligations, and processing records. The ISO, by contrast, manages the technical information security system, typically in accordance with ISO/IEC 27001:2022 or the BSI IT-Grundschutz.
The interface lies in the technical and organisational measures (TOMs) under Art. 32 GDPR: the DPO assesses whether the IT security measures are adequate from a data protection perspective; the ISO implements them technically. In the event of a data breach, both work together: the ISO coordinates the technical containment; the DPO manages notification to the authority under Art. 33 GDPR and the communication to data subjects under Art. 34.
A dual role — one person acting as both DPO and ISO — is not per se impermissible. It does, however, require that both functions can genuinely be fulfilled in terms of time and substance, which is rarely possible in larger organisations with around 200 or more employees. CIVAC enables the hybrid model: internal DPO with external ISO support — or both roles as an external ISO and external DPO through a shared workspace.
DPO Training Obligations: Raising Awareness Under Art. 39(1)(b) GDPR
Art. 39(1)(b) GDPR obliges the DPO to raise awareness and provide training for staff involved in processing operations. This obligation serves a dual function: it provides preventive protection for personal data and it protects the organisation in the event of an inspection, since documented training is treated as evidence of compliance.
Regular data protection training — at least once a year is recommended by the DSK — should cover the following areas: the core principles of the GDPR, recognising and reporting data breaches, handling data subject requests, the secure use of IT systems and communications, and sector-specific considerations (e.g., patient data in healthcare, customer data in retail).
In the CIVAC workspace, data protection training modules are available as pre-configured mandatory courses with a knowledge test and completion certificate. The DPO monitors training progress for all employees through the training module, which automatically sends reminders when certificates are about to expire. Each completion is stored in a tamper-proof manner with the date and test result — proof for the supervisory authority is thus available at any time.
Management Liability in the Absence of or with a Deficient DPO
The obligation to appoint a DPO falls on the controller under Art. 24 GDPR — in a GmbH (limited liability company) this is the managing director; in an AG (public limited company), the board of directors. If the obligation is not met or a formally inadequate DPO is appointed, management is personally liable. Art. 83(4)(a) GDPR provides for fines of up to EUR 10 million or 2 per cent of annual turnover for breach of the appointment obligation.
In addition, there is a risk of recourse claims against the organisation where the absence of a DPO contributed to data protection violations going undetected or uncorrected. Supervisory authorities take the presence of a validly appointed DPO as a mitigating factor in setting fines — and its absence as an aggravating factor.
Beyond the fine risk, civil law claims for damages by data subjects are possible under Art. 82 GDPR where deficient data protection management has caused harm. German courts have increasingly applied this provision in recent years — including for non-material damage, although quantification remains inconsistent. Those operating in a liability-sensitive context simply cannot afford a deficient DPO.
Turn Reading into Action: Appoint an External DPO Through CIVAC
Appointing a Data Protection Officer is not a formality — it is the organisational foundation for a functioning data protection management system. A DPO without adequate resources, without a workspace, and without a structured task cadence cannot fulfil the statutory function.
CIVAC combines the external DPO appointment with a fully configured workspace: processing records, DPIA project templates, incident response workflows, training modules, and documentation all run on a single platform. Licence the workspace for your internal DPO — or have our certified Data Protection Officers take on the function externally. Both options are operational within two working days.
Audit-proof, documented, GDPR-compliant. Turn reading into action. Write to us at info@civac.de — we will clarify the qualification requirements, the scope of the engagement, and integration into your existing compliance process.
FAQ
From how many employees must a Data Protection Officer be appointed?
Under § 38(1) BDSG, appointment is mandatory where at least 20 persons are permanently engaged in the automated processing of personal data. What counts is not the total workforce but the number of persons with regular data access — CRM users, HR staff, and IT administrators are included.
Can the IT manager simultaneously act as Data Protection Officer?
Art. 38(6) GDPR prohibits conflicts of interest. An IT manager who is responsible for data protection-relevant IT systems and who is simultaneously required to monitor their compliance as DPO is structurally in a conflict of interest. Data protection supervisory authorities regularly raise objections to this arrangement.
How long must a DPO remain in post — can the DPO simply be dismissed?
Art. 38(3), second sentence, GDPR protects the DPO from dismissal on account of the performance of their duties. Dismissal without objective grounds — particularly where the DPO has raised uncomfortable data protection questions — is unlawful and may be treated as a detriment. Objective grounds for dismissal (e.g., loss of qualification) remain possible.
Must the DPO be notified to the supervisory authority?
Yes. Art. 37(7) GDPR obliges the controller to communicate the contact details of the DPO to the competent data protection supervisory authority. In Germany, this is done via the notification portals of the state data protection authorities. The contact details must also be published in privacy notices under Art. 13(1)(b) and Art. 14(1)(b) GDPR.
What does an external Data Protection Officer cost for a mid-sized company?
Costs vary depending on the risk profile of the organisation, the scope of processing, and the agreed service package. For a mid-sized company between 50 and 500 employees with standardised processing activities, flat-fee models are common. Contact CIVAC for an individual assessment: appointment is completed within two working days.
What happens if a company fails to appoint a DPO despite being obliged to do so?
Art. 83(4)(a) GDPR provides for a fine of up to EUR 10 million or 2 per cent of total worldwide annual turnover. In addition, the absence of a central coordinating function in the event of data breaches or data subject requests makes further violations more likely and aggravates the fine calculation.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.