Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
The Data Protection Officer (DPO) under Articles 37-39 GDPR is the central data protection function within a company. Appointment is mandatory under Section 38(1) BDSG (German Federal Data Protection Act) as soon as at least 20 persons are permanently engaged in the automated processing of personal data, and regardless of headcount where the processing requires a data protection impact assessment under Article 35 GDPR or personal data are processed commercially for transfer or for market or opinion research. Under Article 37(1) GDPR it is mandatory for public authorities and wherever the core activities consist of regular and systematic monitoring of data subjects on a large scale or of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10).
What is a Data Protection Officer (DPO)?
DPO tasks (Article 39 GDPR): informing and advising the controller and its employees, monitoring compliance (including assignment of responsibilities, awareness-raising and staff training), advising on the data protection impact assessment and monitoring its performance, and cooperating with and serving as the contact point for the supervisory authority. Under Article 38(4) GDPR data subjects may also contact the DPO on any matter relating to the processing of their data. Article 38 GDPR further requires independence (no instructions regarding the exercise of the tasks), adequate resources, and direct reporting to the highest management level.
Protection against dismissal under Section 6(4) BDSG, which Section 38(2) BDSG extends to private bodies only where the appointment is mandatory: dismissal of the DPO and termination of the employment relationship are permitted only for cause, in corresponding application of Section 626 BGB, and termination remains inadmissible for one year after the DPO function ends.
Practical example
Typical scenarios and cost ranges:
- External DPO for SMEs: EUR 1,500-8,000 per year
- Internal DPO: EUR 50,000-100,000 per year (FTE)
- Group DPO: a group of undertakings may appoint a single DPO (Article 37(2) GDPR), provided the DPO is easily accessible from each establishment
Frequently asked questions
Must the DPO have legal training?
No. Article 37(5) GDPR requires designation 'on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices'; a law degree is not required, but demonstrable expertise in data protection law and practice is. In practice this is often evidenced by certification as a data protection professional (for example TÜV or GDD).
Can the roles of Head of IT and DPO be combined?
There is a risk of a conflict of interests: the Head of IT determines the purposes and means of processing operations, while the DPO is supposed to monitor them independently. The CJEU confirmed in C-453/21 (X-FAB Dresden, judgment of 9 February 2023) that a conflict of interests within the meaning of Article 38(6) GDPR exists where the DPO is entrusted with tasks that involve determining the purposes and means of processing, so a dual role is only possible where no such conflict arises. The same reasoning applies to other roles with decision-making power over processing, such as managing director or head of HR.
What should be done if the DPO position is vacant?
Appoint a successor without delay, publish the new DPO's contact details and communicate them to the supervisory authority (Article 37(7) GDPR). A prolonged vacancy is an infringement of Articles 37-39 and carries the risk of fines under Article 83(4) GDPR (up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher).