Data Protection Officer
Data breaches, DPIAs, DPA reviews, records of processing, privacy policies. Appointed externally or handled in-house, with the 72-hour breach clock always running.
Art. 37 GDPR · § 38 BDSG
Talk to us about the Data Protection Officer role
Three lines and you are in our inbox. We reply within one business day.
What does a Data Protection Officer do?
The Data Protection Officer (DPO) supervises GDPR and German Federal Data Protection Act (BDSG) compliance inside an organisation. The role acts as the interface between management, data subjects and the supervisory authority. Under Article 39 GDPR, the DPO informs and advises controllers, monitors compliance with data protection rules, advises on Data Protection Impact Assessments under Article 35, and cooperates with the supervisory authority.
The DPO is not a decision-making role but an advisory and oversight function. Legal responsibility for data protection remains with management as the controller within the meaning of Article 4 No. 7 GDPR. The DPO is nevertheless independent in performing the role: Article 38 Para. 3 GDPR explicitly prohibits the employer from giving the DPO instructions on how to perform their duties.
In practice the DPO handles concrete tasks: maintaining the records of processing activities (RoPA) under Article 30, reviewing data processing agreements under Article 28, drafting and updating privacy notices, training staff, handling data breaches within the 72-hour notification window under Article 33, and managing data-subject requests under Articles 15 to 22 GDPR. Larger organisations add vendor audits, tool risk assessments and DPIA contributions.
DPO duties
- Inform and advise the controller and all staff processing personal data (Art. 39 Para. 1 lit. a GDPR).
- Monitor compliance with GDPR, BDSG and internal data protection policies.
- Maintain and continuously update the records of processing activities under Article 30 GDPR.
- Review and approve data processing agreements (DPAs) under Article 28 GDPR.
- Advise on Data Protection Impact Assessments (DPIAs) for high-risk processing under Article 35 GDPR.
- Manage personal data breaches, including the 72-hour notification to the supervisory authority under Article 33 GDPR.
- Ensure that data-subject rights under Articles 15 to 22 GDPR (access, rectification, erasure, objection) are honoured.
- Run regular data protection training for every employee with access to personal data.
- Act as point of contact for the supervisory authority and accompany regulatory audits.
- Deliver an annual activity report to management covering risk posture and improvement recommendations.
Appointment and qualifications
The obligation to appoint a DPO stems from two parallel norms. Article 37 Para. 1 GDPR requires appointment when core activities consist of regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories under Article 9. § 38 Para. 1 BDSG broadens the obligation: appointment is mandatory once at least 20 persons are continuously engaged in automated processing of personal data.
The appointment must be in writing, define position and scope clearly, and be reported to the supervisory authority. The DPO can be internal staff or external on a service contract. Article 37 Para. 6 GDPR explicitly permits both models. The professional qualification must match the risk of the processing: demonstrable expertise in data protection law and IT security is mandatory, while certifications such as TÜV-DPO or IAPP CIPP/E are common market practice but not legally required.
- 20 or more employees engaged in automated processing of personal data (§ 38 Para. 1 BDSG).
- Core activities involve large-scale regular monitoring of data subjects (Art. 37 Para. 1 lit. b GDPR).
- Large-scale processing of special categories (Art. 9) or criminal data (Art. 10 GDPR).
- Public bodies regardless of size (Art. 37 Para. 1 lit. a GDPR).
- Processors typically meet the same thresholds as their controllers.
- Voluntary appointment is advisable for any organisation with material data protection risk.
Sectors most affected
- Healthcare (clinics, hospitals, care providers)
- Banking, insurance, financial services
- Staffing, HR-tech, recruiting platforms
- Online marketing, AdTech, market research
- Telecoms and internet services
- E-commerce and online marketplaces
- Mid-market manufacturing, retail, logistics
- Public administration and municipal bodies
- Education above primary level
- SaaS and cloud providers (typically as processors)
How CIVAC delivers the DPO role
CIVAC offers both models on one platform: an external DPO appointment or a workspace licence for your in-house team. Within 48 hours your engagement is set up, the written appointment recorded and the workspace operational.
The workspace covers every mandatory task: versioned records of processing activities, DPA templates aligned with Article 28 GDPR, guided DPIAs under Article 35, breach workflow with the 72-hour clock and pre-set notification paths, training library with proof of completion, and an append-only audit trail every inspector recognises.
Need this officer role for your organisation?
Appoint our experts as your external officer or license CIVAC for your in-house team. Get in touch and we walk you through the right setup.