77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
DSB software: What a data protection officer really needs today
Data Protection & Privacy

DSB software: What a data protection officer really needs today

20 June 202612 min readBy Lena Vogt
CIVAC

DSB software does not replace an appointment certificate, but it makes the difference between filing cabinets and audit resistance. This article shows which modules Articles 30, 33 and 35 GDPR actually require, how good platforms can be identified and how CIVAC closes the gap between tool and mandate.

The obligation to appoint a data protection officer arises from Art. 37 GDPR in conjunction with Section 38 BDSG. Both regulations say who must be named. They say nothing about what software the agent works with. This is exactly where the operational risk begins. A list of processing activities in accordance with Art. 30 GDPR in Excel is formally permissible, but is rarely reliable in the test situation. Supervisory authorities ask for version statuses, releases, documented risk assessments and reporting paths within 72 hours in accordance with Art. 33 GDPR. A spreadsheet does not provide this evidence in the required minutes.

This article organises the market for DSB software according to the legal obligations. It shows which modules are really mandatory, which ones mean convenience and how you can recognise a test-proof platform. CIVAC operates a German compliance platform and officer-as-a-service. You licence the workspace for your internal representatives, or you have our officers appointed it. Both paths lead to the same mandatory table: directory, impact assessment, training, report, notification. The only question is how far your platform already supports these columns and how cleanly the appointment certificate, signed, filed and verifiable, is behind it. Anyone who recognises the difference not only saves themselves the risk of fines under Art. 83 GDPR, but also weeks in the event of an audit.

Key Takeaways

  • DSB software must at least reflect Art. 30 VVT, Art. 35 DPIA, Art. 33 reporting path and a versioned reporting line to management.
  • A tool does not replace the order. Mandatory proof remains the signed appointment certificate, stored in an audit-proof file.
  • CIVAC combines workspace licence and external data protection officer in one contract, EU data residency and SLA 2 working days included.

What DSB software must legally reflect

A platform for the data protection officer is a tool, not a mandatory requirement. The GDPR does not have any software paragraphs. However, it knows obligations that can hardly be fulfilled reliably without software. Art. 30 GDPR requires a complete list of processing activities with purpose, legal basis, data categories, recipients, deletion periods and technical and organisational measures. Art. 35 GDPR requires a data protection impact assessment for high-risk processing with a description, assessment, remedial measures and consultation with the supervisory authority. Art. 33 GDPR requires violations of the protection of personal data to be reported within 72 hours of becoming aware of them. The deadline expires as soon as we become aware of it.

In addition, Section 38 BDSG with the threshold of 20 employees in constant automated processing, Art. 38 GDPR with the reporting line directly to the top management level and Art. 39 GDPR with the catalogue of tasks consisting of information, advice, monitoring, training and contact point for supervision. DPO software that does not have these columns is an address list, not a compliance system. CIVAC maps each mandatory column as a separate file, with release logic, version status and unchangeable audit trail. Anyone who orders the external data protection officer via CIVAC receives the same platform, now with an officer at the other end of the table.

Others run compliance like a filing cabinet. We run it like software. This separation between file management and control decides in the audit meeting whether the evidence is available within minutes or after weeks. It also decides whether training certificates, AV contracts and deletion concepts belong in the same file or whether they are broken down into five parallel systems. The latter is the norm in German medium-sized companies, the former is the basis of a resilient data protection organisation from which supervision has no starting point.

List of processing activities: the hard core module

The list of processing activities in accordance with Art. 30 GDPR is the most common subject of the audit. Supervisory authorities in Bavaria, Baden-Württemberg and North Rhine-Westphalia have been publishing annual activity reports since 2024, in which incompleteness of the VVT ​​is regularly one of the three most common complaints. A suitable DSB software must therefore record at least fourteen fields per processing: name, controller, joint controller, processor according to Art. 28, purpose, legal basis, data subjects, data categories, recipients, third country transfer with protective measures, deletion periods, technical measures, organisational measures, risk class.

In practice, mandatory fields from Section 26 BDSG for employee data and from the TTDSG are added as soon as cookies, tracking or newsletters are in the game are. A table in Excel formally fulfils the requirement. In practice, it fails in three areas: versioning, differentiated access rights and the connection with the impact assessment and the deletion concept. CIVAC automatically links each VVT item with the associated data protection impact assessment, the AV contract, the deletion concept and the risk assessment. If the auditor asks where the VVT ​​for the HR platform is located, a single entry with all cross-references opens.

The auditor calls, the evidence is ready. This linking logic is what differentiates a compliance platform from a spreadsheet. Without them, every audit becomes a scavenger hunt between Sharepoint, contract folder and email inbox. In addition, there is the maintenance routine: new processes must be recorded, old ones deactivated, and changed ones versioned. CIVAC creates a master data record for each processing with defined responsibility, automatic reminders for maintenance and an audit report that is exported in regulatory format at the push of a button. Anyone who has ever seen a VVT export from Excel with ten tabs compete against a structured platform export in a supervisory procedure knows the difference.

Data protection impact assessment: the underestimated module

Art. 35 GDPR requires an impact assessment whenever processing is likely to pose a high risk to the rights and freedoms of natural persons. The supervisory authorities have published lists categorizing processing operations that necessarily trigger a DPIA: systematic surveillance, biometric data, profiling with legal effect, automated personnel decisions, AI-assisted applicant selection and tracking across multiple services. Anyone who uses Microsoft 365 in the EU practically cannot avoid a DPIA. Anyone who classifies an AI system as high risk according to the EU AI Act is not. The use of cloud telephony, outbound marketing tools and CRM systems with lead scoring also regularly falls under the DPIA obligation.

A DPIA software must carry out the DPIA in four steps: description of the processing, assessment of necessity and proportionality, risk assessment with probability of occurrence and amount of damage, remedial measures. The result is not a Word document. It is a versioned file in which each iteration can be traced with a time stamp, editor and release. CIVAC supplies 490 ready-to-use audit templates, several of which are for the DPIA, aligned with the standard methodology of the BSI and the Conference of Independent Data Protection Supervisory Authorities, or DSK for short. Audit-proof, documented, Art. 35-firm. The templates differentiate between existing and new processing, so that the testing effort for running systems is significantly lower than for new introductions.

Anyone who mandates the external DPO via CIVAC will receive the DPIA as the result of the order with a signed audit note. Anyone who just licences the workspace carries out the DPIA themselves, but in the same system, with the same templates and the same evidence. Experience from numerous mandates shows that the most common weak point is not the initial DPIA, but the follow-up maintenance. A DPIA that is not updated when the system changes loses its significance within months. A platform with trigger logic forces re-evaluation with every relevant master data update and automatically closes this typical gap. This also significantly reduces the liability risk of management in accordance with Section 130 OWiG.

72-hour reporting path according to Art. 33 GDPR

The reporting obligation according to Art. 33 GDPR is the operationally strictest provision of the entire regulation. As soon as a personal data breach becomes known to the controller, the 72-hour period begins. Delay must be justified. Supervisory authorities regularly publish fines in the six-figure range in which the delay alone, without the consequences of a data leak, was the offense. A DPO software must therefore map a clear reporting path: receipt, classification, escalation, report to the responsible supervisory authority, information to those affected in accordance with Art. 34 GDPR and complete documentation of all steps. Each step receives a time stamp, a responsibility and a trail of evidence.

In practical terms this means: a defined mailbox, a triage logic, prepared reporting forms for the responsible state authorities, an escalation scheme with availability times and an audit-proof protocol. CIVAC implements this path directly in the workspace and adopts it in the officer-as-a-service model with an SLA of 2 business days for the initial response and 24-hour availability in the acute reporting path. Anyone who licences the workspace sees the same path and can maintain it themselves. Deadline begins as soon as we become aware of it. These four words replace any training slide because they precisely define the operational question.

If you discover an injury four days later, you still have 72 hours, but from the time of discovery. This distinction is regularly not clearly documented in Excel lists. In a timestamped platform with an immutable audit trail, it is non-negotiable. Anyone affected on NIS-2 has an additional 24-hour early warning plus 72-hour follow-up notification, the data protection reporting path overlaps but is not identical. CIVAC interlinks both reporting paths in a single triage, so that a data breach that is also a security incident does not have to be classified twice by hand. This interlinking is the critical lever in the stress test of an emergency and reduces the risks from parallel reporting.

Reporting line and appointment certificate

Art. 38 Para. 3 GDPR requires that the data protection officer reports directly to the highest management level. Section 38 BDSG adds that the order is made in text form. Both sound formal, but have severe operational consequences. Anyone who connects the DPO to the IT management is violating the reporting line. Anyone who places the order verbally or by email does not have any reliable proof of obligation. In every second procedure, supervisory authorities first check the appointment document, then the reporting line and finally the accessibility of the representative to those affected and supervisory authorities. A missing or formally deficient order is not just a proof problem, but an independent offense.

DSB software must reflect this triad. Appointment certificate with date, signature and list of tasks in accordance with Art. 39 GDPR. Reporting line with escalation path, escalation frequency and report templates. Accessibility data in the legal notice, data protection information and to the supervisory authority. CIVAC creates the appointment certificate in the workspace, has it signed electronically and stores it in an audit-proof manner in the compliance file. The appointment certificate, signed, filed, verifiable. In the officer-as-a-service model, CIVAC provides the representative and takes over the appointment with a contract term, replacement arrangements and contact details for the responsible supervisory authority.

The FAQ collection answers the most frequently asked detailed questions about appointments, dismissals and switching between internal and external solutions. Both models use the same file, the same templates, the same versioning. Once you have properly set up the reporting line, you benefit from ready-made quarterly reports, automatic escalation reminders and audit-proof storage. This saves management from the reflex of requesting a PDF once a year without acknowledging receipt. Instead, ongoing documentation is created that can be used as evidence in supervisory proceedings and makes it easier to prove proper organisation in liability proceedings in accordance with Section 130 OWiG.

Interfaces to IT security, NIS-2 and EU AI Act

Data protection does not stand alone. Anyone who maintains a processing directory indirectly maintains the asset list for an information security management system according to ISO/IEC 27001:2022. Anyone who carries out a DPIA affects the risk methodology of the NIS 2 directive. Anyone who uses AI systems must interlink the obligations of the GDPR, in particular Article 22 on automated decisions, with the obligations of the EU AI Act on risk classification and conformity assessment. DPO software that only knows data protection creates duplication of work. A platform that brings together DPOs, ISBs and compliance officers under one file saves time and prevents contradictory statements to different supervisory authorities.

CIVAC manages all 25 officer roles in one workspace. The data protection officer sees the VVT. The information security officer sees the same assets in the ISMS context, now linked to 93 controls according to ISO 27001:2022. The compliance officer sees both views and can derive obligations from Section 130 OWiG. Anyone affected by NIS-2 does not use the 24/72 reporting path twice, but once. Anyone who also fulfils ESG or supply chain obligations benefits from the same data pool.

The approximately 29,500 companies in Germany affected by NIS 2 will be faced with a choice in 2026: three tools, three invoices, three audit trails or one platform. CIVAC provides the second variant with EU data residency and a German legal basis. This bundling is not a convenience, but rather reduces the likelihood that a supervisory process will search in ten sources instead of finding one file. It also reduces the effort involved in audit preparation and supplier inquiries, which typically affect three to five representatives at the same time in medium-sized companies. Practice shows that interlinked files can withstand audit pressure better than isolated solutions that run side by side. They also reduce the overall licence costs and enable consolidated reporting to management.

Selection criteria: What to look out for with DSB software

The market for data protection software is confusing. Providers range from Excel add-ons to enterprise GRC platforms with six-figure licence costs. Seven criteria separate tool from platform. First: EU data residency with a traceable hosting location. Since the Schrems II ruling, servers in the USA are unsustainable without the EU-US Data Privacy Framework and without additional guarantees. Second: versioning and unchangeable audit trail for all mandatory documents. Third: complete coverage of the mandatory modules VVT, DPIA, reporting path, AV contracts, deletion concept, training and reporting in one system.

Fourth: a template library that is based on German supervisory practice and DSK resolutions, not on international templates. Fifth: Integration with IT security according to ISO 27001:2022 and compliance management according to Section 130 OWiG, so that double maintenance is eliminated. Sixth: possibility to integrate external representatives without having to change the system. Seventh: transparent SLA and a clearly named contact person who can be reached in German. These seven points can be systematically checked in a provider demo.

CIVAC meets all seven criteria and also offers the officer-as-a-service model, in which the platform is combined with an external representative. The SLA is 2 business days for initial response. Classic external DSB mandates often last 2 to 6 weeks. If you extrapolate this difference over a year, you will see the difference between filing cabinets and software, not in marketing terms, but in days. The ability to switch between the licence and agent models without having to migrate data is also a crucial lever in market research. An eighth, often overlooked point: Anyone who chooses a platform should clarify in advance who owns the data when the mandate ends. The answer can only be: the client, completely, without lock-in and without remaining stocks at the service provider.

Typical errors when using DSB software

Recurring patterns can be derived from the activity reports of the supervisory authorities. First: The VVT ​​is created once and is not maintained. New processes do not appear, old ones are not switched off. Second: The DPIA is kept as a Word document and can no longer be found during the next audit. Third: The reporting path only exists in the minds of those involved, not in software, with the result that the 72-hour deadline is exceeded. Fourth: The report to the management is sent once a year as a PDF without the management acknowledging receipt. These four error classes appear in almost every second supervisory procedure that is documented in the activity reports.

Fifth: AV contracts are not managed centrally, but are stored in contract folders. Sixth: Training courses are carried out via external learning platforms without the DSB software seeing the participation rate. Seventh: The appointment certificate is not available, but will only be submitted later in the event of an audit. Each of these errors has a simple solution path: mandatory module in one platform, versioning, automatic reminders, one file per processing with all cross-references. If you don't want to process these points by hand, you need a system with trigger logic instead of a collection of Excel tabs.

CIVAC delivers exactly this bundle in the workspace. In the officer-as-a-service model, the external DPO takes over the maintenance and reports quarterly to management with a signed report and receipt. Audit-proof, documented, Section 38-proof. Anyone who establishes this routine shortens their audit response from weeks to hours and substantially reduces the risk of fines in accordance with Art. 83 GDPR. The most common errors are less substantive than procedural. It's not the knowledge that's missing, but the routine. A platform that enforces this routine prevents most complaints before they arise and provides proof without lead time from the day of launch.

Turn reading into an assignment

If you have read this far, you have two options. First: You appoint or retain your internal data protection officer and provide him with a workspace in which he maintains VVT, DPIA, reporting path, appointment document, reporting line and training. Second: You mandate CIVAC as an external data protection officer and have the platform and officer ordered as a package. Both models run on the same German infrastructure with EU data residency, both use 490 audit templates, both clearly reflect the 72-hour deadline according to Art. 33 GDPR.

The next step is always the same: a 30-minute conversation in which the obligations are clarified. What types of processing are involved? Is there an obligation to order according to Section 38 BDSG? Which DPIA is pending? What is today's reporting line? Which tools are in use, which contracts exist? After this conversation, you will receive an offer with a fixed price, contract term of 12 months and an SLA of 2 working days. Those who prefer the workspace will receive access within two working days. Whoever appoints the representative will receive the appointment certificate in the same period.

Licence the workspace for your internal representatives, or have our representatives appoint them. Write to info@civac.de or use the contact form and the FAQ collection at civac.de/faq. Turn reading into an assignment. Anyone who decides to use the workspace can expand it to include an external representative at any time. Anyone who starts with Officer-as-a-Service keeps the platform if they later fill their own officer position. This reversibility is the most important decision you make when purchasing a tool, because data protection obligations do not end, they just change shape with the company.

FAQ

Is DSB software required by law?

No. The GDPR and the BDSG do not prescribe any specific software. However, they prescribe obligations that can rarely be reliably fulfilled in Excel files: list according to Art. 30, impact assessment according to Art. 35, report according to Art. 33 within 72 hours. A platform is a means to an end, not an end in itself. What is important is the audit robustness of the documentation, not the brand of the tool, and above all the traceability of every change over time.

When is it mandatory to appoint a data protection officer?

According to Section 38 BDSG with at least 20 employees with constant automated processing of personal data. Regardless of this, the order is mandatory for activities subject to DPIA, for special data categories according to Art. 9 GDPR and for systematic monitoring. In the case of group structures, the threshold applies per responsible person, not per group, and associations or public bodies can also be included.

What differentiates DSB software from a GRC platform?

GRC stands for Governance, Risk and Compliance and usually includes all compliance obligations of a company. DSB software focuses on data protection. CIVAC combines both views. The workspace represents 25 representative roles, from DSB to ISB to ESG, each with their own templates and files, but a common asset list and audit trail. This eliminates the need for double maintenance between parallel systems.

Is an external DSB without software sufficient?

Formally yes, practically rare. An external DPO without a platform typically works in its own tools, which are not owned by the client in the event of an audit. If the mandate comes to an end, the database remains with the consultant. CIVAC ensures that all files remain with the client, even after the contract has ended, with an export function and audit-proof archiving of mandatory documents.

How long does implementation take?

CIVAC delivers the workspace within two working days of signing the contract. Depending on the size of the company, the initial filling of the VVT ​​takes two to six weeks, depending on the preparatory work. In the officer-as-a-service model, the external DPO takes over filling the defined SLA. A complete DPIA takes one to two weeks for standard processing with clear methodology.

Where is the data located?

CIVAC operates the platform with EU data residency. All servers are located in the European Union, all processors are based in the EU or are bound by current standard contractual clauses. Transfers to third countries without an adequacy decision will not take place. The architecture is aligned to ISO/IEC 27001:2022 and is subject to annual internal audits and independent penetration tests.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles