Becoming an internal data protection officer: qualification, appointment and proof according to GDPR
If you want to become a data protection officer in your own company, you need more than an online course. Art. 37 GDPR and Section 38 BDSG require specialist knowledge, independence and a verifiable appointment certificate. This guide shows the path from the employee to the appointed internal DPO.
An internal data protection officer is mandatory according to Art. 37 GDPR as soon as a company in Germany constantly employs at least 20 people with automated processing of personal data according to Section 38 Paragraph 1 BDSG, or processes extensive special data categories according to Art. 9 GDPR. Anyone who would like to take on this role from within their own team faces a double hurdle: He or she must have demonstrable expertise in accordance with Art. 37 Para. 5 GDPR and at the same time be free of conflicts of interest in accordance with Art. 38 Para. 6 GDPR. Both requirements must be fully documented in a supervisory audit.
The path to the appointment of an internal data protection officer is not an informal act. It begins with a written appointment document in accordance with Section 38 Paragraph 2 BDSG, goes through a report to the responsible supervisory authority in accordance with Article 37 Paragraph 7 GDPR and ends with a reporting line directly to the management in accordance with Article 38 Paragraph 3 GDPR. This guide describes the requirements, the steps, the pitfalls and the tools you will need from day one of ordering. It also shows when the internal variant makes sense and when an external DPO or the hybrid model of the CIVAC Compliance Platform is the more reliable solution.
Key Takeaways
- In Germany, the obligation to order a DSB applies to 20 or more people with constant automated processing in accordance with Section 38 BDSG, regardless of turnover.
- The specialist knowledge according to Art. 37 Para. 5 GDPR is not required to be certified, but must be verifiable at any time during a supervisory audit.
- Conflicts of interest are the most common appointment error: IT director, HR director, managing director and CFO cannot be DPO at the same time.
When an internal data protection officer becomes mandatory
The obligation to order results from two standards that must be checked in parallel. Art. 37 Para. 1 GDPR names three triggers: processing by an authority, core activity of extensive regular and systematic monitoring and core activity of extensive processing of special categories of data according to Art. 9 or data relevant to criminal law according to Art. 10 GDPR. Section 38 (1) BDSG significantly expands this for Germany: A DPO must always be appointed if at least 20 people are constantly involved in the automated processing of personal data. The legislature deliberately kept this threshold low because without it it would in fact never be reached for most SMEs.
In practice, the German threshold applies significantly more often than the European general clause. Even a medium-sized online retailer with 25 employees in customer service, marketing and sales regularly reaches the 20-person limit. This also includes practices, law firms and clubs as soon as patient data or member files are kept digitally. What is important are not full-time equivalents, but people including working students, interns and temporary employees. Managing directors without an employment contract count, as do volunteers in clubs, provided they have access to personal data.
Anyone who checks the threshold should document the status every quarter. As soon as the obligation arises, there is a reasonable deadline for placing an order. The supervisory authorities usually grant a few weeks, not months. A late order can be punished according to Art. 83 Para. 4 GDPR with up to 10 million euros or 2 percent of the global annual turnover. The obligation only ends when the threshold values are demonstrably and permanently undercut, which creates a tracking obligation in internal data protection management. In practice, a missing or late order regularly leads to orders according to Art. 58 Para. 2 GDPR and can also be viewed as an indication of structural compliance failure.
Expertise according to Art. 37 Para. 5 GDPR: What actually counts
Art. 37 Para. 5 GDPR requires a nomination based on the professional qualifications and in particular the specialist knowledge that the person has in the field of data protection law and data protection practice. The regulation does not require any specific certification. However, the supervisory authorities, such as the LfDI Baden-Württemberg or the HmbBfDI, require a level in their guidance that can only be achieved in comparable depth through structured training. In its series of short papers, the federal authority summarizes that specialist knowledge must be based on the risk of processing.
In practice, a three-part proof has been established. Firstly, legal knowledge of the GDPR, BDSG, TTDSG as well as industry-specific special laws such as SGB X, AO or GwG. Secondly, technical understanding of technical and organisational measures in accordance with Art. 32 GDPR, encryption, pseudonymization, logging and authorisation concepts. Thirdly, methodological competence for the register of processing activities according to Art. 30, the data protection impact assessment according to Art. 35 and the notification of data protection violations according to Art. 33 within 72 hours. These three pillars are queried individually in the audit.
Established certificates are TÜV-DSB, udis-DSB or GDD courses, each with 40 to 80 teaching hours plus a final exam. Anyone who comes from IT, auditing or legal affairs can compensate for parts of this with professional experience, but should prove this with project evidence. The specialist knowledge must be continuously updated: ECJ case law, EDPB guidelines and national supervisory decisions change the standard every year. An annual training requirement of at least 16 hours is considered a recognised industry standard and should be anchored in the appointment certificate. Without this anchoring, the certificate of specialist knowledge loses its resilience after three to four years because the regulatory landscape moves faster than any initial training.
Avoid conflict of interest: Who is not allowed to be a DPO in the company
Art. 38 Para. 6 GDPR allows the DPO to carry out other tasks, but prohibits conflicts of interest. The ECJ made it clear in decision C-453/21 of February 9, 2026 that a conflict always exists when the DPO has a say in processing operations that he is supposed to control at the same time. This means that managing directors, IT managers, HR managers, heads of marketing, heads of sales and CFOs are regularly excluded if they have extensive decision-making authority over personnel files, CRM systems or security architecture. Compliance officers can also get into the conflict if they order operational measures that the DPO would have to assess on a supervisory basis.
However, staff departments, compliance functions without authority to issue orders, the audit department or employees in the legal department without operational data sovereignty are suitable. Quality management, second-level data protection coordinators or specialised junior lawyers can also be considered. What is crucial is the demonstrable separation of operational responsibility and supervision over processing. A written task matrix with conflict analysis belongs in the order file and should be checked annually because roles change with promotions, restructuring or new tools.
If you overlook the conflict, you risk an incorrect order. The result is not only an order from the supervisory authority according to Art. 58 Para. 2 GDPR, but also a risk of a fine according to Art. 83 Para. 4 lit. a GDPR. For small companies without a suitable internal person, the only option is to order externally, ideally through a provider who documents the appointment certificate, reporting line and audit trail as standard. A pragmatic solution is the double appointment: an internal data protection coordinator for operational issues plus an external DPO for the formal function. CIVAC maps this model in the platform so that internal and external responsibility converge in one audit path. The reporting line to management remains unchanged, the separation of responsibilities is clearly documented in the workspace.
The formal order: certificate, report, reporting line
The order is made in accordance with Section 38 Paragraph 2 BDSG in conjunction with. V. m. § 6 para. 1 BDSG in writing. Verbal designation is ineffective. The appointment certificate must contain the name, function, date, scope of tasks and reporting line to the highest management level in accordance with Art. 38 Para. 3 GDPR. A time limit is possible, but unusual; It makes sense to have a permanent appointment with a termination rule parallel to the special protection against dismissal in accordance with Section 6 Paragraph 4 BDSG. In addition, a clause on resources is useful, which stipulates the proportion of jobs, training budget and free choice of external advice.
After the order has been placed, the contact details of the DSB must be published, in Germany regularly on the website in the data protection notice. At the same time, the responsible supervisory authority must be informed, Art. 37 Para. 7 GDPR. In Bavaria this is done via the BayLDA online portal, in North Rhine-Westphalia via the LDI NRW, and in the federal government via the BfDI reporting portal. The report includes the name, job title, postal address, telephone number and email address of the DPO. A later change must be reported within a reasonable period of time; a missed report is considered an administrative offense according to Section 43 BDSG.
The reporting line is more than an organisational chart entry. The DPO must report directly to the management, without an intermediate instance, and may not be disadvantaged because of his activities in accordance with Art. 38 Para. 3 GDPR. In practice, a monthly meeting with management, a quarterly report with measurable KPIs and an escalation path for data protection incidents within 24 hours are proven to be effective. An appointment certificate, signed, filed and verifiable, is the basis of any subsequent supervisory audit and should be located in the central compliance workspace together with the processing directory. If requested, it must be available within one hour, otherwise the audit will give the impression of an ad hoc organisation.
Special protection against dismissal and liability issues for internal DPOs
The internal DPO enjoys special protection against dismissal in accordance with Section 6 Paragraph 4 BDSG. Removal is only permitted for good cause in accordance with Section 626 of the German Civil Code (BGB), and the employment relationship may only be terminated for good cause within one year of the end of the appointment. This regulation protects the independence of the function and must be taken into account in every personnel decision. From an employer's perspective, this means that the selection of the person has strategic importance beyond the duration of the appointment. An employee who is appointed hastily binds the company in the long term, even if he or she does not meet expectations.
In terms of liability law, the DPO is rarely alone in the fire. The company remains responsible within the meaning of the GDPR in accordance with Article 4 No. 7. The DPO monitors, advises and trains, but does not make any processing decisions. According to § 43 BDSG and § 42 BDSG, personal liability only comes into consideration in the event of an intentional breach of duty, for example if the DPO covers a violation with his eyesight. Under civil law, Section 280 of the German Civil Code (BGB) applies within the framework of the employment contract with the usual liability relief for employees. In the event of gross negligence, proportional liability remains possible, but in practice this is rare.
Nevertheless, it is advisable to have your own D&O insurance or to explicitly include the DPO function in the existing manager policy. If ordered externally, the service provider assumes professional liability, which is an argument for the external DPO as officer-as-a-service model for many medium-sized companies. With an internal solution, the residual risk remains with the company, which makes careful selection, a clear task description and verifiable training all the more important. An annual risk analysis of the DPO's position is part of a mature compliance organisation and protects both the person and the company from later supervisory criticism.
Catalog of tasks: What the internal DPO actually does according to Art. 39 GDPR
Art. 39 Paragraph 1 GDPR defines five core tasks. Firstly, information and advice for those responsible and employees. Second, monitoring compliance with GDPR and other data protection regulations. Thirdly, advice related to data protection impact assessment. Fourth, cooperation with the supervisory authority. Fifth, contact point for the supervisory authority for all data protection issues. These five points are the basis of every job description and should be included verbatim in the appointment certificate because they serve as a reference in the audit.
In operational practice, concrete task packages result from this: maintaining and updating the list of processing activities in accordance with Art. 30 GDPR, evaluating new processing and order processing in accordance with Art. 28, monitoring data protection impact assessments in accordance with Art Rights of those affected in accordance with Art. 12 to 22 within a month and reporting of data protection violations to the supervisory authority within 72 hours in accordance with Art. 33. In addition, there are statements on new tools, advice on third-country transfers in accordance with Art. 44 ff. and the maintenance of internal data protection documentation.
The time required varies greatly depending on the size of the company and complexity. A typical medium-sized business function with 100 to 500 employees requires half a person-day per week, and in regulated industries such as healthcare or financial services it can quickly take up two to three days. If you want to plan realistically as an internal DPO, you should define the function with at least 20 percent of the job and document this in the appointment certificate. According to Article 38 Para. 2 GDPR, an allocation of time that is too limited is considered a violation of the obligation to provide resources and can trigger a supervisory order. A measurable task matrix with target and actual hours should be included in every monthly report to management and protects the function from creeping overload.
Tools and templates: What an internal DPO needs from day one
The most common mistake with newly ordered internal DSBs is starting without a toolbox. A pure email inbox solution does not carry the function through the first audit. At least six artifacts are required: a well-maintained directory of processing activities, a register of order processing, a catalogue of technical and organisational measures in accordance with Art. 32, a training certificate register, a reporting path protocol for data breaches in accordance with Art. 33 and an audit plan with annual deadlines. These six artifacts together form the basic equipment that every supervisory authority regularly requests.
CIVAC provides templates for each of these categories in the workspace. The platform delivers 490 ready-to-use audit templates adapted to German law, as well as a pre-configured reporting line to management. Experience shows that creating the processing directory takes two to four weeks instead of three to six months using templates instead of a free table. Whoever licences the workspace works as an internal DPO in the same environment in which an external representative would maintain the audit trail. This makes it possible to switch between internal and external functions later without loss of data.
Licence the workspace for your internal representatives, or have our representatives order it. This dual model is particularly useful in transition. An internal DPO starts with Workspace, external support steps in for data protection impact assessments or supervisory communication. The shared data remains in the EU data centre and the reporting line remains unchanged. A later shift to a purely external solution or back to the internal function is possible without data migration. This turns the often painful transition from Excel and Outlook to an audit-proof data protection organisation into an orderly project with clear stages, defined responsible persons and a reliable audit path in the platform.
Comparison: Internal DSB, external DSB and hybrid model in an audit perspective
The decision between internal and external DPO is rarely purely a question of cost. It concerns availability, expertise, independence and supervisory stability. An internal DPO knows processes, colleagues and data flows, but often has less than one day per week and is prone to blind spots in their own organisation. An external DPO brings specialization, industry comparison and distance, but costs between 800 and 3,000 euros per month from reputable providers, depending on the size of the company. For very small companies, this can be cheaper than the proportionate internal position.
In the audit comparison, the external DPO scores points through documented specialist knowledge, defined response times and standardised templates. The internal DPO scores points with its proximity to the business and faster decision-making processes. The hybrid model combines both: an internal data protection coordinator takes on operational tasks, an external DPO holds the formal function, signs the appointment certificate and appears before the supervisory authority. The reporting line runs parallel, the workspace bundles artifacts. This allows the reaction speed of an internal team to be combined with the audit robustness of an external function.
In the audit, supervisory authorities do not evaluate the model, but rather the evidence. They ask for the appointment certificate, proof of expertise, processing directory, reporting protocol, training plan and reporting line. Anyone who can present these six artifacts within an hour will have the first impression. The auditor calls, the evidence is ready. This can be achieved equally with internal, external and hybrid setups, provided the platform is sustainable. As a compliance platform and officer-as-a-service, CIVAC is built precisely for this audit case and replaces the classic SLA of two to six weeks with a response within two working days. This reduces the risk that artifacts will be missing or outdated in an emergency.
From reading to ordering: Next steps with CIVAC
If you want to clarify your own status using this guide, start with three questions. Firstly, is there an obligation to order according to Section 38 BDSG or Art. 37 GDPR? Secondly, is there a suitable internal person without a conflict of interest and with the required expertise? Thirdly, are the appointment certificate, reporting line, processing directory and reporting path documented in an audit-proof manner? Anyone who answers no to one of these questions has a concrete project in front of them that can usually be completed within eight to twelve weeks, provided a viable platform is used.
CIVAC supports this step in two variants. In the first model, you licence the workspace for your internal representatives and use 490 audit templates, a preconfigured appointment certificate, the processing directory and the 72-hour reporting path in accordance with Art. 33 GDPR. In the second model, you have our representatives appointed: an experienced external DPO takes over the formal function, your internal employees remain integrated as coordinators in the same workspace. Both paths lead to an audit-proof list with a clear reporting line to management, EU data residency and an audit trail in one hour.
Turn reading into a mandate. Send a short email to info@civac.de with the industry, number of employees and the question of whether you are seeking an internal, external or hybrid order. You will receive a written assessment, a proposal for the appointment certificate and an overview of the next 30 days within two working days. If you prefer a structured start, the CIVAC FAQ provides a checklist of the typical questions from supervisory audits as well as an overview of the common fine amounts in accordance with Art. 83 GDPR. An appointment certificate, signed, filed, verifiable, is the beginning of compliance that supports the audit and does not disrupt day-to-day business.
FAQ
What formal requirements must an internal data protection officer meet?
He or she must be able to demonstrate specialist knowledge in accordance with Article 37 (5) GDPR, be free of conflicts of interest in accordance with Article 38 (6) GDPR and be appointed in writing in accordance with Section 38 (2) BDSG. The appointment includes a certificate, the report to the supervisory authority in accordance with Art. 37 Para. 7 GDPR and a direct reporting line to the management without intermediate bodies.
Is a two-day online course sufficient as proof of expertise?
No. The supervisory authorities expect a comparable level to structured courses with 40 to 80 teaching hours, written examination and continuous training of at least 16 hours per year. A two-day course only covers a refresher course for experienced people. A well-founded initial qualification includes legal knowledge, technical understanding and methodological competence for directories, impact assessments and reports in accordance with Art. 33 GDPR.
Can the IT manager also be the internal data protection officer?
Regularly no. The ECJ confirmed in C-453/21 that a dual role triggers a conflict of interest under Article 38 (6) GDPR if the person helps shape processing that he or she is supposed to control as DPO. The same applies to managing directors, HR managers, CFOs and heads of marketing or sales with operational data sovereignty. In the case of dual roles, there is a risk of an order from the supervisory authority.
How long does it take to introduce an internal DPO in medium-sized companies?
With templates and clear responsibility, the formal order is completed in two weeks; the viable processing list takes another four to eight weeks. Experience shows that without templates and without a platform, the setup takes three to six months. A standardised solution like the CIVAC Workspace with 37 audit templates noticeably shortens the transition to around eight to twelve weeks.
How much does an internal data protection officer cost compared to an external appointment?
The internal costs consist of pro-rata salary, training and tools, often 25,000 to 45,000 euros per year for a 20 percent position including representation. Depending on the size, an external DPO costs between 9,600 and 36,000 euros per year. The hybrid model with CIVAC usually reduces overall costs by 20 to 30 percent compared to a purely internal solution.
What role does CIVAC specifically play in the internal DPO appointment?
CIVAC is a compliance platform and officer-as-a-service. You licence the workspace for your internal DPO with 37 audit templates, preconfigured appointment certificate, reporting line to management and 72-hour reporting path in accordance with Art. 33 GDPR. Alternatively, we provide the external DPO and your internal employees work as coordinators in the same workspace. Both models use EU data residency.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.