77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Combining External DPO and ISB: Opportunities, Limitations and Legal Framework
Platform & Strategy

Combining External DPO and ISB: Opportunities, Limitations and Legal Framework

27 May 202612 min readBy Dr. Henrik Bauer
CIVAC

Many mid-sized companies ask whether external DPO and ISB can be combined in a dual appointment. The answer is nuanced: legally permissible, but with conflict-of-interest pitfalls and capacity limits.

Art. 37 GDPR and §§ 30, 38 BSIG require two thematically related but legally distinct officer roles: the Data Protection Officer (DPO) and the Information Security Officer (ISB). Both deal with data and IT systems, but pursue different protection objectives and report to different parties. The same person assuming both roles is not expressly prohibited by law – but carries conflicts of interest and capacity risks that must be carefully weighed before appointment.

This article clarifies the requirements that GDPR and BSIG place on each role, where structural overlaps exist, where conflicts of interest arise, and which models work in practice for German mid-sized companies. You will receive a decision-making basis that you can translate directly into an officer concept.

Key Takeaways

  • The GDPR requires independence and freedom from instructions for the DPO (Art. 38 para. 3 GDPR); an ISB who is simultaneously operationally responsible for ISMS measures can encounter conflicts of interest.
  • The dual appointment of DPO and ISB is particularly critical to examine for companies within the NIS-2 scope, as the ISB is formally integrated into cyber governance there.
  • The mixed model – internal ISB on the workspace, external DPO via a service provider – offers the most practicable solution for many mid-sized companies.

Legal Basis: DPO under GDPR and ISB under BSIG

The Data Protection Officer is governed by Art. 37–39 GDPR. The obligation to appoint arises under Art. 37 para. 1 GDPR, inter alia, for companies whose core activities consist of the large-scale processing of special categories of personal data, and under § 38 BDSG for companies with 20 or more persons regularly engaged in automated data processing. The DPO is free from instructions under Art. 38 para. 3 GDPR, may not be dismissed or penalised and reports to the highest management level.

The Information Security Officer is anchored in the BSIG: § 30 BSIG obliges operators of critical infrastructure and particularly important entities under NIS-2 to designate an ISB. § 38 BSIG specifies the requirements for particularly important entities. Outside the NIS-2 scope, ISO/IEC 27001:2022 recommends an ISB as the role holder of the ISMS without creating a statutory obligation. The ISB's tasks encompass building and operating the ISMS, incident response, security policies and reporting to management.

Both roles share a reporting line to management and deal with IT systems, risks and incidents. The DPO role at CIVAC and the ISB role are closely interlinked in substance but deliberately modelled separately.

Conflicts of Interest: Where Do the Risks of the Dual Appointment Lie?

Art. 38 para. 6 GDPR permits the DPO to take on additional tasks, but requires that no conflicts of interest arise. The European Data Protection Board (EDPB) explicitly noted in its guidelines on Art. 37–39 GDPR (WP 243, rev. 01) that tasks the DPO is supposed to supervise must not simultaneously be the responsibility of that same person.

A conflict of interest arises concretely when the ISB is responsible for operational security measures such as access controls, patch management or incident response processes, and the DPO is the same person who is supposed to review those measures for GDPR compliance. Anyone reviewing their own work is structurally conflicted. Supervisory authorities such as the Hamburg Data Protection Authority or the Bavarian State Office for Data Protection Supervision (BayLDA) have reprimanded dual appointments where no discernible demarcation of activities existed.

The risk is not theoretical: a data breach attributable to a security gap in the ISMS is assessed critically when the DPO and ISB are identical. The question of whether the DPO fulfilled their review obligation vis-à-vis their own ISMS work can play a role in penalty proceedings under Art. 83 GDPR.

NIS-2 Context: Why Separation Becomes More Important for Affected Companies

§ 30 BSIG obliges particularly important and important entities under NIS-2 to take appropriate cybersecurity measures and to have their implementation supervised by management. The ISB is integrated into cyber governance in this context and is accountable to the senior management level, which is personally liable under § 38 BSIG.

For NIS-2-affected companies – around 29,500 in Germany – the clear separation of DPO and ISB is particularly relevant for two reasons. First, the reporting obligations differ. A cyberattack triggers a 24-hour initial notification to the BSI under § 32 BSIG; the same incident triggers a 72-hour notification to the data protection supervisory authority under Art. 33 GDPR. Both notifications require independent assessments with different protection objectives.

Second, the reporting obligations to management are structured differently: the DPO reports on data protection risks and processing activities; the ISB reports on security incidents, ISMS status and action plans. A dual appointment increases the risk that reports are consolidated and senior managers do not receive a clear picture of each risk dimension.

When Is the Dual Appointment Justifiable?

Despite the risks mentioned, there are constellations in which a time-limited or structurally safeguarded dual appointment is justifiable. First: companies outside the NIS-2 scope that wish to voluntarily introduce ISO/IEC 27001:2022 have no statutory ISB obligation. In this case, assigning a single person both roles on a transitional basis is possible, provided it is clearly defined which activities belong to the ISB function and which to the DPO function.

Second: if the combined officer fills the ISB role in a purely advisory capacity without operational responsibility – i.e. does not autonomously implement ISMS measures but only advises and documents – the conflict of interest is more manageable under EDPB guidelines. This demarcation must, however, be recorded in writing in the appointment certificate.

Third: for very small companies (50–100 employees) with limited processing depth and no particularly sensitive data categories, a pragmatic transitional solution may be sensible as long as no ISO 27001 audit and no NIS-2 obligation exists. The transition to separate roles should, however, be planned before a certification or a review by supervisory authorities is imminent.

The Mixed Model: External DPO Plus Internal ISB

The most frequently chosen solution in practice for German mid-sized companies is the mixed model: an external Data Protection Officer via a service provider, combined with an internal or likewise external Information Security Officer. This model offers three structural advantages.

First: the external DPO is free from instructions under Art. 38 para. 3 GDPR and can review the ISB's ISMS measures independently. No dual appointment, no conflict of interest. Second: the internal ISB knows the company's IT landscape from day-to-day operations – an advantage in incident response that an external ISB lacks. Third: costs and resources remain predictable, because the external DPO is billed on a flat-rate basis and the internal ISB does not generate separate licence costs if a shared workspace is used.

The mixed model only works if both officers communicate regularly and consolidate their findings. A shared platform – with a shared workspace but role-specifically separated access rights – is the technical prerequisite for this model. At CIVAC, the mixed model can be configured directly: licence the workspace for your internal officers or appoint our officers – or both in combination.

Appointment Process: Documentation Requirements for Both Roles

Regardless of whether DPO and ISB are appointed jointly or separately: both appointments require a written certificate. For the DPO, the appointment must be communicated to the supervisory authority under Art. 37 GDPR; many state data protection authorities operate notification portals. The appointment certificate must document scope of duties, freedom from instructions and reporting line.

For the ISB under BSIG, the appointment must also be formally documented and communicated internally for NIS-2-affected companies. § 30 BSIG requires that the designated person possesses the necessary expertise and receives sufficient resources to fulfil the role. Resources include time, a training budget and access to relevant IT systems.

Appointment certificate, signed, filed, verifiable – this applies to both roles. At supervisory visits, proof of formal appointment is usually the first question asked. Anyone unable to produce a written certificate signals to the auditor within the first minutes of the conversation that the compliance structure is not documentation-ready.

Expertise Requirements Compared: DPO versus ISB

The expertise of the DPO is governed by Art. 37 para. 5 GDPR: required are specialist knowledge of data protection law and practice as well as the ability to fulfil the tasks under Art. 39 GDPR. In practice this means: knowledge of the GDPR, the BDSG, the EDPB guidelines and the relevant sector regulation. Specific knowledge is required for sectors such as healthcare, finance or telecommunications.

The expertise of the ISB under BSIG and ISO/IEC 27001:2022 encompasses IT security technology, risk management under ISO/IEC 27005, incident response processes, network and systems security, and knowledge of the current BSI IT-Grundschutz Compendium. These requirements overlap with DPO expertise only partially – both deal with risks, but from different normative perspectives.

In practice, persons who can demonstrably fill both roles with competence are rare and correspondingly in demand on the market. Anyone seeking a dual appointment should document the expertise for both roles separately – ideally through certificates (TÜV DPO, CISM, CISSP, ISO 27001 Lead Auditor) and demonstrated practical experience.

Cost Comparison: Dual Appointment versus Separate Appointments

The obvious advantage of a dual appointment is the cost saving: one fee instead of two. For companies with limited compliance budgets this aspect is not trivial. External DPOs are available, depending on qualification and sector knowledge, for between €400 and €1,200 per month; external ISBs are typically in a similar range, with a higher spread for NIS-2-specialised profiles.

The actual costs of a dual appointment are, however, more than just the fee: an officer in a dual role requires more time per mandate. When capacity is lacking, the depth of review and documentation quality suffer. A deficient GDPR review that ends in penalty proceedings under Art. 83 GDPR quickly exceeds the savings from a dual appointment. For companies with 250 or more employees, a full-cost analysis is worthwhile.

A further consideration: if the combined officer is incapacitated or changes, the company is left without an officer in both roles. Separate appointments create redundancy. For NIS-2-affected companies an unplanned ISB change is particularly critical, because the ongoing reporting obligations under § 32 BSIG must not be interrupted.

CIVAC: DPO and ISB from a Single Source, Cleanly Separated

CIVAC is a compliance platform and Officer-as-a-Service provider that maps DPO and ISB as separate roles with their own workspace area, their own task set and their own reporting line. Both roles share the same platform infrastructure but are configured separately by role – thereby eliminating the conflict of interest of a dual appointment without the need to operate two separate systems.

For companies wishing to fill both external roles via CIVAC, the CIVAC partner network provides qualified and independent officers. Contract, appointment certificate and reporting line documentation are completed within two working days – without the usual lead time of traditional law firm mandates.

Turn reading into action: clarify whether your company needs separate appointments for DPO and ISB and contact the CIVAC team at info@civac.de. The needs assessment is free of charge.

FAQ

Is it legally permissible to appoint DPO and ISB in a dual role?

Art. 38 para. 6 GDPR permits the DPO to take on additional tasks, provided no conflicts of interest arise. A dual appointment with the ISB is possible if the ISB does not autonomously implement operational ISMS measures that the DPO is simultaneously supposed to review. For NIS-2-affected companies, separation is recommended.

What conflicts of interest typically arise with a dual DPO and ISB appointment?

The classic conflict arises when the ISB is responsible for ISMS measures that the DPO is supposed to review for GDPR compliance. Anyone reviewing their own work is structurally conflicted. Supervisory authorities have reprimanded dual appointments where no discernible demarcation of tasks existed.

Must DPO and ISB both be formally appointed in writing?

Yes. The DPO must be formally appointed under Art. 37 GDPR and notified to the competent data protection supervisory authority. The ISB must be formally designated for NIS-2-affected companies under § 30 BSIG. Both appointments require a written certificate with scope of duties, resources and reporting line.

How do the expertise requirements for DPO and ISB differ?

The DPO requires knowledge of data protection law and practice under Art. 37 para. 5 GDPR. The ISB requires IT security technology, risk management under ISO/IEC 27005 and knowledge of the BSI IT-Grundschutz Compendium. The requirements partially overlap but are not fully congruent.

What does an external DPO cost in German SMEs?

External DPOs are available, depending on qualification, sector and scope of service, for between €400 and €1,200 per month. For NIS-2-specialised ISBs the range is similar, with a higher spread. CIVAC provides a role-specific quote on request.

What documentation is required for a dual DPO and ISB appointment?

With a dual appointment, the appointment certificate must explicitly name both roles and set out the demarcation of tasks in writing – which activities belong to the DPO function and which to the ISB function. A missing demarcation increases the risk that supervisory authorities will cite a structural conflict of interest.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles