Data Protection & Privacy · 29 May 2026 · 12 min read

External DPO in Germany: When You Must Appoint One and How to Do It Properly

By Lena Vogt

Germany has the strictest national rule for appointing a data protection officer in the European Union. This guide explains the legal thresholds, the documentation a supervisory authority expects, and how an external DPO model under CIVAC removes the bottleneck without diluting accountability.

Germany applies a stricter threshold for appointing a data protection officer than any other Member State of the European Union. Under § 38 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) in force since 25 November 2019, any controller or processor that constantly employs at least 20 persons in the automated processing of personal data must designate a DPO. The European baseline under Article 37 GDPR adds further triggers: core activities involving large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories under Article 9. The German rule sits on top of the European one, not instead of it, and supervisory authorities apply both in parallel.

For companies with German operations, the practical question is not whether the role exists, but who fills it. An external data protection officer is permitted under Article 37(6) GDPR and is the dominant model in German mid-market and group structures. This article explains when the appointment becomes mandatory, what supervisory authorities such as the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), the Hamburgischer Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), or the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen examine in a desk audit, what the documentation file must contain, and how CIVAC operates the external DPO mandate as a fully documented service rather than a handshake arrangement that collapses on first inspection.

At a Glance

  • Germany requires a DPO at 20 employees in automated processing, far below the European baseline.
  • An external DPO must be independent, reachable, and documented with a formal Bestellurkunde under § 38 BDSG and Art. 37 GDPR.
  • CIVAC delivers the appointment within two working days, including signed Bestellurkunde, conflict-of-interest check, and reporting line to senior management.

The German Threshold: § 38 BDSG and Why It Catches Most SMEs

Section 38 of the Bundesdatenschutzgesetz is the rule most foreign parent companies overlook. The wording is unambiguous: a DPO must be designated where at least twenty persons are constantly involved in the automated processing of personal data. The count includes employees, working students, freelancers acting under instruction, members of leased-personnel arrangements, and external contractors with access to internal systems. A receptionist who maintains a digital visitor log counts. A salesperson with a CRM seat counts. A working student running marketing automation counts. The accountant entering invoices into the bookkeeping system counts. The threshold of twenty is reached far earlier than founders expect, often in the first year of operations, and the supervisory authorities apply a substance-over-form test rather than a payroll headcount.

The second trigger of § 38 BDSG is independent of headcount. Any controller that performs processing subject to a Data Protection Impact Assessment under Article 35 GDPR, or that processes personal data for purposes of transmission, anonymised transfer, or market and opinion research, must appoint a DPO regardless of staff numbers. Health platforms, AdTech vendors, market research firms, and HR analytics providers therefore fall into the obligation from day one. Supervisory authorities have publicly confirmed enforcement priority on the twenty-employee rule since the BDSG reform of 2019, and recent audit letters from the BayLDA and the Berliner Beauftragte für Datenschutz und Informationsfreiheit ask for the Bestellurkunde of the data protection officer as the first document. Companies that cannot produce it within a short response window face Article 83(4) GDPR fines of up to ten million Euro or two percent of worldwide annual turnover, and a public reprimand on the authority's annual activity report.

Why the External Model Dominates in Germany

Article 37(6) GDPR allows the DPO to be a staff member or to fulfil the tasks on the basis of a service contract. In Germany the external model is dominant for three structural reasons. First, the position carries a special dismissal protection under § 6(4) BDSG that lasts a full year after the role ends. An internal appointment therefore creates long-term employment-law exposure that survives even a clean termination for unrelated reasons, and case law from the Bundesarbeitsgericht has confirmed that the protection applies to any internally designated DPO. Second, the conflict-of-interest rules in Article 38(6) GDPR exclude most plausible internal candidates. The head of HR, IT, marketing, or any other function that decides on processing purposes cannot supervise themselves. In a company of fifty employees, the pool of conflict-free internal candidates is often empty. Third, the role requires technical, legal, and organisational expertise simultaneously, a profile that is rare and expensive to maintain on payroll for a single mandate.

External appointment removes these frictions in a structurally clean way. The service contract under § 611 BGB sets the scope, the fee, the term, and the termination conditions. The DPO carries independent professional liability insurance with a sum insured that matches the controller's risk profile, typically between one and ten million Euro. Supervisory authorities accept the external model without question, provided the appointment is properly documented in a Bestellurkunde and the DPO is genuinely reachable within the meaning of Article 38(4) GDPR. The CIVAC compliance platform and Officer-as-a-Service model address both requirements through a structured workspace with audit templates, a documented reporting line to the management board, and a registered contact point. License the workspace for your internal officers, or have our officers appointed under the same audited process. Both routes produce the identical documentation file.

What an External DPO Actually Does Day to Day

The task catalogue in Article 39 GDPR is short, but the operational work it generates is not. The DPO informs and advises the controller and its employees, monitors compliance with the GDPR and § 38 BDSG, advises on Data Protection Impact Assessments under Article 35, cooperates with the supervisory authority, and acts as the contact point for data subjects under Article 38(4). In practice this translates into a recurring cycle of work. A typical month at a mid-market manufacturer with five hundred employees includes review of two to four new processor contracts under Article 28 GDPR, one DPIA for a new HR tool or marketing automation pilot, three to five Article 15 access requests from former employees or applicants, an annual review of the records of processing under Article 30, a quarterly status report to the management board, and ad hoc advice on customer projects that involve personal data of European data subjects.

The external DPO is also the responder when an incident hits the 72-hour notification window under Article 33 GDPR. The clock starts when the controller becomes aware of the personal data breach, not when forensic analysis is complete. A documented response playbook, a tested escalation path, a pre-drafted notification form to the competent supervisory authority, and a register of past incidents under Article 33(5) are the difference between a controlled response and a missed deadline. The CIVAC workspace provides 37 audit templates, including the standard breach report aligned with the European Data Protection Board guidelines 9/2022 on personal data breach notification, the DPIA template aligned with the WP248 methodology, and the records of processing template aligned with the standard data protection model of the Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder. Every document carries a version stamp, an author, and a review date.

Cost Bands and What They Actually Buy

External DPO fees in Germany cluster in clear bands by company size and processing complexity. A small business with twenty to fifty employees and standard office processing typically pays between 180 and 450 Euro per month for a flat-fee external DPO. A mid-market company with two hundred to one thousand employees and three to ten group entities sits between 1,200 and 4,500 Euro per month, depending on the number of subsidiaries, the presence of special category processing under Article 9 GDPR, the volume of data subject requests, and whether the company operates cross-border with third-country transfers under Chapter V. International groups with a German GmbH at the centre of a European operation commonly negotiate annual mandates between 35,000 and 120,000 Euro, including DPIA support, supervisory authority liaison, board reporting, and training across the group entities.

Cost varies less by hourly rate than by what is included in the published scope. A bargain offer at 99 Euro per month usually excludes DPIAs, contract reviews, training, incident response, and on-site presence. The total cost of ownership emerges only when an audit letter arrives and the controller discovers that every line item carries a separate fee. CIVAC quotes the mandate on a fixed-fee basis with a published scope, an SLA of two working days for new contract reviews and data subject requests, and a documented escalation path for incidents inside the 72-hour window. The dual-model frame applies cleanly: license the workspace for your internal officers, or have our officers appointed under the same scope. The price is transparent in either case, the deliverables are identical, and the contract carries no hidden surcharges for templates, training, or out-of-hours response. Procurement teams can compare on a like-for-like basis.

Documentation a Supervisory Authority Expects

The first document a German supervisory authority requests in an audit is the Bestellurkunde, the formal appointment certificate signed by management and the DPO. It must state the legal basis (Article 37 GDPR, § 38 BDSG), the date of appointment, the term, the scope of duties, the right of direct access to the highest management level, the independence safeguards under Article 38(3), and the contact data used for the supervisory authority notification under § 38(2) BDSG. A Bestellurkunde without a signature date or without the independence clause is treated as if the appointment had not happened, and the controller has to repair the file under time pressure during the audit window. Several decisions of the Landesbeauftragten in 2024 and 2025 have applied this strict reading and imposed fines for missing documentation alone.

Beyond the appointment certificate the authority expects the records of processing under Article 30 GDPR, the technical and organisational measures under Article 32, the list of processor contracts under Article 28, the documented data protection management system, the training log, the data breach log under Article 33(5), the most recent DPIAs under Article 35, the transfer impact assessments for non-EEA recipients, and the consent management evidence where consent is the legal basis. The CIVAC platform stores each document in a versioned, audit-trail-enabled workspace hosted within the European Union, with role-based access for the DPO, the management board, and the audit committee. Bestellurkunde, signed, filed, evidenced. When the auditor calls, the evidence is ready, and the chain of custody is intact across every export the supervisory authority may request, including timestamped change histories and access logs.

Sector Specifics: Health, Finance, HR Analytics, AdTech

Some sectors trigger the DPO obligation at the first employee. Health platforms processing patient data under § 22 BDSG and Article 9(2)(h) GDPR fall into mandatory appointment from day one, as do clinical trial sponsors under the Medizinforschungsgesetz and the Verordnung über klinische Prüfungen mit Arzneimitteln am Menschen. Financial services firms regulated by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) operate under § 25a Kreditwesengesetz and the BAIT and VAIT requirements, which interlock with the DPO function. The DPO does not replace the information security officer, but the two roles share evidence, governance, and reporting lines, and the controller must avoid creating two parallel documentation tracks that drift apart over time.

HR analytics, applicant tracking, and people-data platforms are the highest-risk SME category in Germany. Algorithmic screening of candidates is automated processing in the sense of Article 22 GDPR and almost always requires a DPIA, in addition to a works council co-determination process under § 87(1) No. 6 of the Betriebsverfassungsgesetz. AdTech operations involving real-time bidding, cookie consent stacks, and audience matching with European data subjects need DPO support across consent management under § 25 TTDSG, Schrems II transfer impact assessments, and the new Digital Services Act obligations under Regulation (EU) 2022/2065. CIVAC role specialists are assigned by sector. A health DPO mandate is staffed by an officer with hospital and MedTech audit experience. A BaFin-regulated mandate is staffed by an officer who has handled § 44 KWG inspections. The platform routes the workload, the officer signs the work, and the audit trail is built into every record.

Onboarding Timeline: From Decision to Bestellurkunde in Two Days

The classic onboarding for an external DPO mandate in Germany takes between two and six weeks. The bottlenecks are predictable: scoping calls that drift across schedules, conflict-of-interest checks that wait for a CV that never arrives, a Bestellurkunde that travels by post for review, an NDA that needs three rounds of redlines with external counsel, a procurement workflow that adds two weeks of vendor onboarding, and a kick-off that gets pushed into the next quarter. The result is a gap between the regulatory obligation and the operational appointment, and that gap is exactly what supervisory authorities will ask about in an audit letter that arrives in the meantime.

CIVAC compresses the onboarding to two working days through a structured intake that runs in parallel rather than in sequence. Day one covers the scoping questionnaire (entities, headcount, processing categories, existing documentation, prior incidents, sector triggers, group structure), the conflict-of-interest check against the officer roster, the service contract drafted from the master template that has already been reviewed by external counsel, the NDA executed under the same template, and the data sharing protocol for the workspace. Day two delivers the signed Bestellurkunde, the registered contact at the supervisory authority where required under § 38(2) BDSG, the publication of the contact data on the controller's privacy notice under Article 13 GDPR, and the first kick-off with the management board to confirm the reporting line. From that point the SLA of two working days governs every new contract review, every data subject request, and every DPIA assignment. The dual-model frame stands: license the workspace for your internal officers, or have our officers appointed under the same process.

Risks of the Wrong Setup: Three Patterns That Trigger Fines

The first pattern is the silent appointment. A name appears on the supervisory authority register, but no Bestellurkunde exists, no reporting line is documented, and the DPO has not been onboarded by management. When the authority asks for the appointment certificate, there is nothing to send. The fine under Article 83(4) GDPR can reach ten million Euro or two percent of worldwide annual turnover. Multiple decisions of the Landesbeauftragten in 2024 and 2025 have applied this provision against mid-market controllers that operated without a documented DPO setup, including a publicly reported case of a Berlin-based platform that received a six-figure fine for the missing appointment certificate alone, before the substantive review of any processing activity began.

The second pattern is the conflicted appointment. The head of HR or IT is named as DPO to save money. Article 38(6) GDPR prohibits this where it leads to a conflict of interests, and the European Court of Justice confirmed the wide reading of that provision in Case C-453/21 (X-FAB Dresden) and Case C-560/21. The conflicted appointment is treated as no appointment at all, and the supervisory authority may demand the immediate designation of a new DPO together with a fine for the period of non-compliance. The third pattern is the unreachable external DPO. A service provider is appointed but offers only a generic email address, never holds a kick-off, never appears on a board call, and cannot be reached during an incident. Article 38(4) GDPR requires that data subjects can contact the DPO with regard to all issues related to processing. A DPO that does not respond to a data subject request inside the 30-day window of Article 12(3) is treated as absent. CIVAC publishes a reachable contact, a named officer, and a documented escalation path inside the workspace, with response times logged.

Turning Reading into a Mandate

Most external DPO decisions in Germany are made under time pressure. An auditor sends a letter, a new processing activity goes live, a customer demands proof in a vendor questionnaire, a board meeting flags the missing appointment in a risk report, or a data breach forces an immediate response. The window between the trigger and the supervisory response is usually short, sometimes a matter of days. The decision in front of you is not whether to appoint a data protection officer. The decision is which model gives you a documented setup that survives the audit and a contact who responds inside an SLA that is written into the contract rather than promised verbally during the sales call.

CIVAC is a compliance platform and Officer-as-a-Service. License the workspace for your internal officers, or have our officers appointed. Both routes deliver the Bestellurkunde, the records of processing under Article 30 GDPR, the 72-hour breach response playbook, the DPIA template library, the transfer impact assessment templates, the training materials for staff, and a named officer reachable inside two working days. The dual-model frame fits the realities of a German mid-market company that may move from external to internal as it grows, and from internal to hybrid as it acquires subsidiaries across the European Union. Turning this article into a mandate is one email. Write to info@civac.de or use the contact form on the CIVAC site. The intake document is sent the same day, the Bestellurkunde is signed within two working days, and the audit-ready workspace is live the same week. Bestellurkunde, signed, filed, evidenced. When the auditor calls, the evidence is ready.

FAQ

When does German law require an external data protection officer?

Section 38 of the Federal Data Protection Act requires a DPO once at least twenty persons are constantly involved in the automated processing of personal data. Article 37 GDPR adds further triggers based on the nature of the processing. The DPO may be internal or external under Article 37(6) GDPR. In Germany the external model is the dominant choice because of the special dismissal protection in § 6(4) BDSG and the conflict-of-interest rules in Article 38(6) GDPR.

How much does an external DPO cost in Germany?

Fees cluster by company size and processing complexity. Small businesses with twenty to fifty employees pay between 180 and 450 Euro per month for a flat-fee mandate. Mid-market companies pay between 1,200 and 4,500 Euro per month. International groups with a German GmbH commonly negotiate annual mandates between 35,000 and 120,000 Euro. Watch for excluded scope such as DPIAs, processor contract reviews, and incident response.

Does an external DPO need to be located in Germany?

Article 37(3) GDPR allows the DPO to act for several establishments and does not require residence in a specific Member State. The practical requirement is reachability for data subjects and the supervisory authority, and German legal expertise for § 38 BDSG, the Telekommunikation-Telemedien-Datenschutz-Gesetz, and sector laws. A DPO familiar only with non-German law creates documentation gaps that surface in any audit.

What documents must an external DPO produce on appointment?

The minimum file consists of the Bestellurkunde signed by management and the DPO, the service contract under § 611 BGB, the conflict-of-interest declaration under Article 38(6) GDPR, the documented reporting line to senior management under Article 38(3), and the registration with the competent supervisory authority where the national rule requires it. CIVAC issues all five documents inside two working days under a published SLA.

Can the external DPO also serve as the information security officer?

The roles are legally distinct. The DPO oversees personal data processing under the GDPR and BDSG; the ISB oversees information security under ISO/IEC 27001:2022 and, where applicable, the NIS-2 transposition law. Combining the roles is possible only when no conflict of interest arises. In practice CIVAC staffs them as two named officers within the same workspace to keep the audit trail clean.

How does CIVAC handle a 72-hour data breach notification?

On notification the DPO opens an incident ticket in the workspace, classifies the breach under Article 4(12) GDPR, runs the risk assessment from the template library, drafts the Article 33 notification to the competent supervisory authority, and prepares the Article 34 communication to affected data subjects where required. The 72-hour clock under Article 33 starts when the controller becomes aware, and CIVAC documents the trigger time inside the workspace for evidence.
