Which Companies Need a Data Protection Officer?
· Wolfgang Dittrich

Which Companies Need a Data Protection Officer?

Back to all articles

§ 38 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and Article 37 of the General Data Protection Regulation (GDPR) govern the appointment of a data protection officer for companies.

  • Under § 38 (1) BDSG, every company that permanently employs at least 20 persons - whether directly or on its behalf - in the automated processing of personal data requires a data protection officer.

  • Under § 38 (1) BDSG, every company that carries out - whether directly or on its behalf - processing operations subject to a data protection impact assessment under Article 35 GDPR requires a data protection officer, regardless of the number of persons engaged in the automated processing of personal data.

  • Furthermore, under § 38 (1) BDSG, all companies that process personal data on a commercial basis for the purpose of transmission, anonymised transmission, or for the purposes of market or opinion research require a data protection officer, regardless of the number of persons engaged in the automated processing of personal data.

  • Under Article 37 (b) GDPR, every company that monitors individuals regularly, extensively, and systematically - whether directly or on its behalf - requires a data protection officer.

  • Under Article 37 (c) GDPR, every company that processes - whether directly or on its behalf - special categories of data on a large scale requires a data protection officer. Special categories of data include:

    • Genetic data
    • Biometric data
    • Health data (the view of the data protection supervisory authorities in Germany is, however, that the designation of data protection officers at medical practices and other healthcare professionals is generally only required from a minimum of ten persons engaged in automated processing, or in the case of large-scale processing of special categories of data)
    • Data concerning sex life or sexual orientation
    • Racial and ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
  • Furthermore, under Article 37 (c) GDPR, every company that processes - whether directly or on its behalf - personal data relating to criminal convictions and offences pursuant to Article 10 GDPR on a large scale requires a data protection officer.

  • A group of companies may, under Article 37 (2) GDPR, appoint a single data protection officer, provided that the officer can be easily reached from each establishment of the group.

  • A company may appoint a data protection officer internally or externally. Under § 6 (4) BDSG, dismissal of an internal data protection officer is only possible where there is an important reason justifying summary dismissal. Only one year after the officer's removal from post is dismissal again possible. The data protection officer is appointed under Article 37 (5) GDPR on the basis of their professional qualifications and, in particular, their expert knowledge in the field of data protection law and data protection practice, as well as their ability to fulfil the tasks referred to in Article 39 GDPR. You must therefore ensure that appropriate continuing professional development opportunities are available to an internal data protection officer.

  • The competent supervisory authority is entitled to impose a fine for a breach of the obligation to appoint a data protection officer.

Please do not hesitate to contact us if you have any questions on this topic.