When Is a DPO Mandatory Under GDPR: The Four Triggers Explained
Article 37 GDPR sets three independent triggers for a mandatory Data Protection Officer. In Germany, Section 38 BDSG adds a fourth. This article explains each criterion with thresholds, examples, and the documentation a supervisory authority will ask for.
Article 37(1) GDPR (Regulation (EU) 2016/679) defines three independent situations in which a controller or processor must appoint a Data Protection Officer (DPO). Section 38(1) of the German Federal Data Protection Act (BDSG) adds a fourth, lower threshold of 20 persons constantly engaged in automated processing of personal data. Together, these four triggers determine whether an organisation has a legal obligation, not a free choice, to designate a DPO, to put the appointment in writing, and to publish the DPO's contact details and communicate them to the competent supervisory authority. The assessment is performed per legal entity, not per group.
This article walks you through each trigger in order, with the wording of the statute, a worked example, and the documentation that a German supervisory authority such as the Bayerisches Landesamt für Datenschutzaufsicht will request during a routine review. You will also see how the appointment is recorded, where the appointment letter (Bestellurkunde) is filed, and how an internal or external DPO is bridged into day-to-day processing activities, breach response, and supervisory contact. The aim is a single answer you can hand to your management board with the four triggers ticked or rejected on one page.
At a Glance
- A DPO is mandatory under Article 37(1) GDPR if you are a public authority, if your core activities consist of large-scale regular monitoring, or if your core activities consist of large-scale processing of special categories of data under Article 9 or Article 10 GDPR.
- In Germany, Section 38(1) BDSG adds a fourth threshold: 20 persons constantly engaged in automated processing of personal data triggers an obligation regardless of sector, plus two additional triggers tied to Data Protection Impact Assessments and commercial transfer of data.
- The appointment must be in writing, the contact details must be communicated to the supervisory authority, and the appointment letter belongs in the audit file together with the role description, the qualification evidence, and the reporting line to the highest level of management.
The Three GDPR Triggers in Article 37(1)
Article 37(1) GDPR lists three independent situations. Public authorities and bodies, except for courts acting in their judicial capacity, must appoint a DPO under Article 37(1)(a). The status of the organisation is decisive; the volume of processing is not relevant. A municipal water utility with twelve employees is in scope. So is a federal agency with twelve thousand. The same applies to statutory health insurance funds, public broadcasters, and universities, regardless of whether they process personal data in large quantities or only incidentally.
Article 37(1)(b) addresses controllers and processors whose core activities consist of processing operations which, by their nature, their scope, or their purposes, require regular and systematic monitoring of data subjects on a large scale. The Article 29 Working Party's Guidelines on Data Protection Officers (WP 243, endorsed by the EDPB on 25 May 2018) clarify that core activities are the primary business operations, not ancillary functions such as payroll or office IT. Examples include telecommunications providers, advertising networks, fitness tracking platforms, credit reporting agencies, and security firms running CCTV across multiple sites.
Article 37(1)(c) covers controllers and processors whose core activities consist of large-scale processing of special categories of data under Article 9 GDPR (health, biometric, genetic, religious, trade union, sexual orientation) or personal data relating to criminal convictions under Article 10 GDPR. Hospitals, occupational health providers, insurance carriers with health portfolios, and clinical research organisations sit squarely in this trigger. An external DPO (Datenschutzbeauftragter) can satisfy the requirement if independence and absence of conflicts under Article 38(6) GDPR are evidenced in writing and reviewed at least annually.
The German Add-On: Section 38(1) BDSG and the 20-Person Threshold
Section 38(1) of the German Federal Data Protection Act (BDSG, as amended on 23 June 2021) extends the GDPR obligation. Any non-public body that, as a rule, constantly employs at least 20 persons with the automated processing of personal data must appoint a DPO. The threshold counts persons, not full-time equivalents. A 50 percent part-time employee counts as one person. Working students, trainees, and freelancers are counted if they regularly access personal data through company systems. The decisive question is not the contract type but the actual access to and processing of personal data through automated means.
The word constantly (ständig) excludes one-off project staff but includes anyone who, in their day-to-day work, accesses HR records, customer data, CRM entries, support tickets, or any other personal data through a computer. In practice, in any office-based business with 20 or more knowledge workers, the threshold is met. Section 38(1) BDSG sentence 2 adds two further triggers regardless of headcount: processing that requires a Data Protection Impact Assessment under Article 35 GDPR, and the commercial processing of personal data for the purpose of transfer, anonymised transfer, or market research.
The combination of Article 37 GDPR and Section 38 BDSG means that for a typical German SME with office IT, the practical question is rarely whether a DPO is needed, but who fills the role. The role can be filled internally by a qualified employee or externally by a service provider. Both are explicitly permitted under Article 37(6) GDPR. The substantive requirements (expertise, independence, sufficient resources, direct reporting line to the highest level of management) are identical regardless of contracting model. The appointment letter (Bestellurkunde): signed, filed, evidence-ready.
What Counts as Large Scale: WP 243 and the Four-Factor Test
The phrase large scale is not defined numerically in the GDPR. The EDPB guideline WP 243 rev.01 supplies a four-factor test that supervisory authorities apply. The factors are: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data and the range of different data items being processed; the duration or permanence of the processing activity; and the geographical extent of the processing activity. Each factor is weighted in the assessment; no single number forces a yes or a no.
An example given by the EDPB itself: processing of patient data in the regular course of business by a hospital is large-scale. Processing of patient data by an individual physician is not. A bank processing customer data in the regular course of business is large-scale. A lawyer processing client data is not. The boundary is not a single number but the combination of all four factors. When the boundary is unclear, supervisory authorities such as the Berliner Beauftragte für Datenschutz recommend appointing a DPO voluntarily under Article 37(4) GDPR. Voluntary appointment triggers the same statutory protections and duties as a mandatory appointment, which is why the documentation has to match in every respect.
For multi-entity groups, the assessment is performed per controller, not per group. A holding company with a small core team and several operating subsidiaries each crossing the threshold can appoint a single group DPO under Article 37(2) GDPR if that DPO is easily accessible to every establishment. Appointment letter: signed, filed, verifiable. The group structure does not waive the documentation duty; it consolidates it.
Documentation a Supervisory Authority Will Request
When a supervisory authority opens a routine review or responds to a complaint, the first request is rarely about the technical processing. It is about the governance file. Specifically: the appointment letter (Bestellurkunde) signed by the controller and the DPO, the qualification evidence of the DPO (training certificates, professional background, references), the role description with reporting line directly to the highest level of management under Article 38(3) GDPR, and the contact details that have been communicated to the supervisory authority under Article 37(7) GDPR and published in the privacy notice on the website. Missing any one of these documents is a finding in its own right.
The second request covers the operating model: the records of processing activities under Article 30 GDPR, the Data Protection Impact Assessments under Article 35 GDPR, the incident response procedure aligned with the 72-hour notification window under Article 33 GDPR, and the training plan that ensures awareness across the workforce. CIVAC, the compliance platform and Officer-as-a-Service, ships 490 audit-ready templates that map each of these documents to a single workspace, with version control, signatures, and a tamper-evident audit trail that can be exported to the auditor in one click.
If the appointment is external, the supervisory authority will also ask for the service contract, the proof that the DPO has been granted unrestricted access to processing operations, and the evidence that there is no conflict of interest under Article 38(6) GDPR. The same documentation applies whether the DPO is internal or external, public sector or private. The auditor calls, the evidence is ready: that is the standard the workspace is built around.
Internal Versus External DPO: A Decision Matrix
Both Article 37(6) GDPR options are equally valid. The decision is operational and commercial. An internal DPO has the advantage of proximity to processes, faster reaction times, and lower marginal cost once headcount is in place. The disadvantages are conflict-of-interest risk (the DPO cannot also be CIO, HR Director, or anyone who determines the purposes and means of processing under Article 38(6) GDPR), the need for ongoing training to keep pace with regulation, and the difficulty of replacing an absent or departing DPO without a documented succession plan.
An external DPO has the advantage of independence by design, breadth of cross-industry experience, scalable workload coverage including holidays and sickness, and a fixed monthly fee that is easier to budget than headcount cost plus training plus litigation insurance. The disadvantages are the onboarding effort, the need for a clear interface to internal stakeholders, and the contractual care required to ensure that the external party has sufficient access and sufficient hours to perform the role effectively. A well-drafted service contract with named contact persons solves most of these issues.
The CIVAC dual model addresses both. License the workspace for your internal officers, or have our officers appointed. The first option provides 25 role templates, 93 ISO/IEC 27001:2022 controls, and 37 audit forms to the internal DPO. The second option appoints a qualified external DPO who works inside the same workspace with a defined SLA of two working days. The decision matrix, including a cost comparison for typical company sizes, is documented in the CIVAC FAQ and can be shared with the management board.
Edge Cases: Joint Controllers, Processors, and Public Bodies
Joint controllers under Article 26 GDPR each retain their own DPO obligation. A joint controller arrangement does not transfer or pool the obligation; it allocates responsibilities between the parties, but each entity assesses independently whether it is in scope under Article 37 GDPR or Section 38 BDSG. The joint controller agreement should name the DPO of each party and the lead point of contact for data subjects under Article 26(3) GDPR, with a contact address that resolves within reasonable time.
Processors under Article 28 GDPR are assessed against the same three GDPR triggers. A processor whose core activity is large-scale monitoring (for example, a managed security services provider operating SIEM platforms for multiple clients, or a marketing automation provider running behavioural analytics) is in scope. A processor whose work is incidental to its main business, such as a generalist accounting firm, is not. The 20-person threshold of Section 38 BDSG applies to processors in the same way as to controllers if the processor is established in Germany.
Public bodies are always in scope under Article 37(1)(a) GDPR. The only exception is courts acting in their judicial capacity. Municipal utilities, schools, universities, federal agencies, and statutory health insurance funds (gesetzliche Krankenkassen) must appoint a DPO regardless of size. For groups of municipalities, a shared DPO under Article 37(3) GDPR is permitted. The appointment must still be in writing for each public body and the contact details must still be published in each privacy notice, with no exception for joint arrangements.
Sanctions: What Happens If You Skip the Appointment
Failure to appoint a DPO when required is an infringement under Article 83(4)(a) GDPR, with administrative fines of up to 10 million euros or 2 percent of the worldwide annual turnover of the preceding financial year, whichever is higher. The supervisory authority assesses the fine using the criteria of Article 83(2) GDPR, including the nature, gravity, and duration of the infringement, the categories of personal data affected, the number of data subjects, and the degree of cooperation with the authority during the investigation.
The German pattern over the past five years has been clear. The Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg and other authorities have issued fines for missing or formally appointed but functionally absent DPOs. The pattern is not the headline-grabbing case; it is the steady stream of mid-range fines (often in the 5,000 to 50,000 euro range) issued in the context of complaints or breach notifications where the supervisory authority then notices the structural defect and adds it to the proceedings as a secondary finding.
Beyond fines, the practical consequence is reputational and operational. A missing DPO is a finding in every external audit, every customer due diligence (especially in B2B SaaS, healthcare, and financial services), and every certification process for ISO/IEC 27001:2022 or TISAX. The Bestellurkunde is one page; the absence of that one page generates downstream cost across every commercial relationship for years. The deadline runs from the moment the authority becomes aware; the supervisory authority does not wait for tidiness to catch up.
How to Move From Decision to Appointment in Two Weeks
Once the legal assessment confirms the obligation, the appointment itself is a short project. Week one: identify the candidate (internal or external), check the qualifications against the EDPB criteria (expert knowledge of national and European data protection law, sufficient knowledge of the processing operations, sufficient understanding of information technology and information security, and sufficient resources), and confirm absence of conflicts under Article 38(6) GDPR through a written conflict-of-interest screening.
Week two: draft the appointment letter with start date, scope of duties, reporting line directly to the highest level of management, resource allocation, training budget, notice period, and indemnification. The controller and the DPO both sign. The contact details are reported to the competent supervisory authority through its online form and published in the privacy notice on the website. The records of processing activities under Article 30 GDPR are handed over and reviewed within the first 30 days, with a remediation plan for any gaps found.
The CIVAC role catalogue contains the appointment letter template, the role description, and the reporting line for each of the 25 officer roles. The workspace records the signatures with a tamper-evident audit trail and ensures the EU data residency of every document. The default SLA for an externally appointed officer is two working days, compared with two to six weeks for a classic appointment process. The same workspace handles internal officers under licence, with no parallel toolset and no parallel evidence base, which is what keeps the audit file consistent across business units. Others run compliance like a filing cabinet. We run it like software.
Turn Reading Into a Mandate
If the four triggers above (three under Article 37(1) GDPR plus Section 38(1) BDSG) yield a yes for your organisation, the next step is a one-page decision: internal or external, single appointment or group appointment, start date, and reporting line. CIVAC, the compliance platform and Officer-as-a-Service, supports both routes from the same workspace. The platform ships with 25 officer roles, 490 audit templates, the 93 controls of ISO/IEC 27001:2022, and the 24/72-hour notification path for NIS-2 and Article 33 GDPR, all hosted in the EU under a documented data residency that can be shared with the procurement team.
The dual model gives you the choice that matches your operating reality. License the workspace for your internal officers, or have our officers appointed. The first route keeps the role inside the organisation with the toolkit, the templates, and the controls already in place. The second route appoints a qualified external DPO with a two-working-day SLA, a written Bestellurkunde, a defined reporting line, and a single point of contact for the supervisory authority. Both routes produce the same outcome: a documented appointment, an active operating model, and a complete audit trail that survives a change of auditor or a change of management.
Turn reading into a mandate. If you need the obligation assessment in writing, or want to commission the appointment directly, write to info@civac.de or use the contact form on civac.de. The first response outlines the assessment basis, the proposed model, and the expected start date in writing, within two working days, signed by the responsible CIVAC officer.
FAQ
Is a DPO mandatory in Germany for every company with 20 employees?
No. The threshold in Section 38(1) BDSG counts persons constantly engaged in automated processing of personal data, not total headcount. In a typical office business with 20 knowledge workers using CRM, HR, and email systems, the threshold is reached. In a 20-person workshop with only two administrative staff using IT, the threshold is not reached. The assessment is documented and refreshed annually.
Can the managing director also act as DPO?
No. Article 38(6) GDPR prohibits conflicts of interest. The managing director determines the purposes and means of processing and cannot simultaneously supervise compliance with the GDPR. The same restriction applies to the CIO, the HR Director, the Head of IT, and the Head of Marketing. An external DPO removes the conflict by design and documents the independence in the engagement letter.
Does a processor need a DPO if the controller already has one?
Yes, where the processor itself meets the Article 37 GDPR triggers or the Section 38 BDSG threshold. The processor is assessed independently of any controller. A managed security services provider running SIEM platforms for multiple clients is a typical case where the processor must appoint its own DPO regardless of the controllers it serves. The DPO contact details appear in the processor privacy notice.
What is the deadline for notifying the supervisory authority of the appointment?
Article 37(7) GDPR does not specify a number of days, but supervisory authorities expect notification without undue delay. The pragmatic standard is within four weeks of the appointment becoming effective. The notification is performed through the online form of the competent authority and is updated on every change of DPO or contact details, including the publication in the privacy notice on the website.
Can a group of companies appoint a single DPO?
Yes, under Article 37(2) GDPR, provided the DPO is easily accessible to each establishment. Easily accessible means reachable by phone and email in the language of the establishment and able to attend on-site within a reasonable time. The shared appointment must still be in writing for each entity and reported to each competent supervisory authority separately, with the contact details aligned across all privacy notices.
How fast can CIVAC appoint a qualified external DPO?
The CIVAC SLA for an externally appointed officer is two working days from signed engagement, compared with the typical two to six weeks of a classic recruitment process. The workspace is provisioned, the Bestellurkunde is issued and counter-signed, and the supervisory authority notification is prepared in the same window, with the privacy notice update drafted in parallel.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.