Section 38 BDSG (DPO Requirement)
German extension of the DPO requirement under Article 37 GDPR
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Section 38 BDSG mandates the appointment of a DPO once 20 or more persons are constantly engaged in automated processing of personal data, which is stricter than Article 37 GDPR.
What is Section 38 BDSG (DPO Requirement)?
DPO appointment thresholds in DACH:
- Germany: 20+ persons engaged in automated processing (Section 38 BDSG) OR Article 37 GDPR triggers
- Austria: Article 37 GDPR only (no threshold; public bodies, high risk, Article 9 core activity)
- Switzerland: nDSG Article 10 — voluntary but recommended
Practical example
A mechanical engineering firm with 35 employees: 28 use CRM, ERP and email daily. The Section 38 BDSG threshold is reached — appointment of a DPO is mandatory. Breach: fine of up to EUR 50,000.
Frequently asked questions
Who counts as 'engaged in automated processing'?
Everyone who regularly (>10 min/day) processes personal data in IT systems — practically all office employees.
Is an external DPO sufficient?
Yes, on equal footing with an internal DPO. Advantages: competence and independence. Disadvantages: distance.
What is the fine for a missing DPO?
Up to EUR 50,000 (BfDI practice 2024-2025) — median EUR 15-25k.