Data Protection Officer: When Is a DPO Required in 2026?

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Germany: Mandatory from 20 employees with regular data access (Section 38 BDSG — German Federal Data Protection Act)
  • EU-wide: Mandatory regardless of size when core activity involves profiling, monitoring, or special-category data (Art. 37 GDPR)
  • Austria: No employee threshold under Section 5 DSG — DPO duty triggers earlier than in Germany
  • External DPO typically costs EUR 1,500–8,000 per year — usually cheaper than an internal hire
  • Termination protection under Section 6(4) BDSG — DPOs can only be dismissed for good cause

1. DPO obligation in Germany

Three alternative tests apply — meeting any one triggers the DPO requirement:

  1. Section 38 BDSG: 20 or more permanent employees regularly engaged in personal data processing.
  2. Art. 37(1)(b) GDPR: Core activity involves regular and systematic monitoring of data subjects on a large scale.
  3. Art. 37(1)(c) GDPR: Core activity involves large-scale processing of special categories (Art. 9) or criminal-conviction data.

Working students, apprentices, and marginally employed staff count toward the 20-person threshold if they touch personal data.

2. Austria and Switzerland

  Country       Threshold                                                  Legal basis
  Germany       20 permanent employees with data access                    Section 38 BDSG
  Austria       No employee threshold (stricter than DE: applies earlier   Art. 37 GDPR + Section 5 DSG
                in small companies)
  Switzerland   Not mandatory under the new FADP (effective September      Art. 10 revFADP
                2023); recommended only

3. Internal vs. external DPO

  Criterion           Internal                                  External
  SME cost            EUR 50,000–100,000/year (FTE)             EUR 1,500–8,000/year
  Company knowledge   High                                      Low (initially)
  Independence        Medium                                    High
  Availability        Full-time                                 By the hour
  Conflict risk       High (dual roles, e.g. with IT lead)      Low

About 70 percent of SMEs choose an external DPO. Hybrid models are possible.

4. DPO duties (Art. 39 GDPR)

  1. Inform and advise the controller and employees.
  2. Monitor compliance with the GDPR.
  3. Train staff and run awareness programs.
  4. Advise on Data Protection Impact Assessments (DPIA).
  5. Cooperate with the supervisory authority.
  6. Serve as contact point for the supervisory authority.
  7. Serve as contact point for data subjects.

5. Market prices for an external DPO

  Company size           External DPO price
  1–20 employees         EUR 1,500–3,000/year
  20–100 employees       EUR 3,000–5,000/year
  100–250 employees      EUR 5,000–8,000/year
  250–1,000 employees    EUR 8,000–15,000/year
  1,000+ employees       EUR 15,000–50,000/year

6. Termination protection

Section 6(4) BDSG limits termination of the DPO to good cause analogous to Section 626 BGB (German Civil Code). The CJEU confirmed in Case C-453/21 (Werner Müller, 2023) that this protection applies regardless of group structure. The DPO cannot be dismissed for performing their duties.

7. DPO appointment checklist

  1. Verify the obligation: Section 38 BDSG or Art. 37 GDPR.
  2. Decide internal vs. external (cost and availability).
  3. Draft the mandate contract (external) or appointment deed (internal).
  4. Document the appointment in writing.
  5. Notify the supervisory authority (informal letter).
  6. Add DPO contact details to the website privacy notice.
  7. Inform employees about the DPO.
  8. Establish an annual DPO activity report to management.

Summary

In Germany the DPO threshold is 20 employees with data access; Austria has no threshold; Switzerland leaves the role optional. EU-wide special obligations override every threshold when core activity involves profiling or special-category data. External DPOs are typically the cheapest path for SMEs.


Frequently Asked Questions

From how many employees is a DPO mandatory?
In Germany, from 20 permanent employees who are engaged in the processing of personal data (Section 38 BDSG, German Federal Data Protection Act). In addition, Art. 37 GDPR imposes the obligation irrespective of headcount where the core activity involves profiling/monitoring or special categories of data (Art. 9).
Do interns count towards the headcount?
Yes, provided they work with personal data. Working students, trainees, and marginally employed persons also count. NOT included: purely technical personnel without data access.
External or internal DPO?
An external DPO is usually more cost-effective and more independent. An internal DPO has deeper company knowledge. In practice: 70% of SMEs choose an external DPO. A hybrid model is possible.
What does an external DPO cost?
EUR 1,500–8,000/year depending on size and complexity. SMEs with 50–100 employees: approx. EUR 3,000–5,000. Corporate group: EUR 15,000–50,000. Compliance-Kit GDPR Kit + external DPO contract = full compliance from EUR 5,000/year.
Does the DPO have protection against dismissal?
Yes. Section 6(4) BDSG: dismissal of the DPO only for cause (analogous to Section 626 BGB, German Civil Code). Revocation of the appointment is likewise permitted only on facts that would justify dismissal for cause by analogy. CJEU C-453/21 (Federal Labor Court/Werner Müller): protection against dismissal also applies within a corporate group.
Does the DPO need legal training?
No. Art. 37(5) GDPR: 'on the basis of professional qualities and expert knowledge'. In practice: certified data protection professionals (TÜV, GDD, Udacity), often with an IT security background + compliance experience.
Do corporate group subsidiaries need their own DPOs?
Not necessarily. Art. 37(2): a corporate group may designate a single DPO — provided that the DPO is easily accessible from each establishment. In practice: a central corporate group DPO + local data protection coordinators.
What happens if the DPO position is vacant?
Risk: supervisory proceedings in case of breach of duty. In practice, a short vacancy (1–3 months) is still tolerable if documented; a longer vacancy creates a fine risk.
