
Data Protection Officer (DPO)

The person designated under Art. 37 GDPR to oversee data protection compliance within an organisation.

The Data Protection Officer (DPO) is a key figure in operational data protection. Under Art. 37 GDPR, public bodies and organisations whose core activities involve large-scale processing of special categories of data or systematic monitoring of individuals are required to designate a DPO. In Germany, national law goes further: Section 38 of the Federal Data Protection Act (BDSG) requires organisations to designate a DPO if at least 20 persons are regularly engaged in automated processing of personal data.

The DPO may be an internal employee or an external service provider. They must possess expert knowledge of data protection law and practice. The DPO's tasks are set out in Art. 39 GDPR: informing and advising the controller and employees, monitoring compliance with the GDPR, cooperating with the supervisory authority, advising on DPIAs, and acting as a contact point for data subjects and the supervisory authority. The DPO must act independently and may not be dismissed or penalised for performing their duties.

Even where there is no statutory obligation to designate a DPO, voluntarily appointing one makes strategic sense for many organisations. A DPO signals trustworthiness to customers and business partners, helps identify risks early, and facilitates communication with supervisory authorities. Any designation must be communicated to the competent data protection supervisory authority.

Legal Basis

Art. 37 GDPR

Practical Example

A software company with 35 employees — 22 of whom regularly process customer data in a CRM and ticketing system — asks whether appointing a DPO is legally required. As compliance officer, you assess the requirements and conclude that the threshold of 20 persons engaged in automated processing is exceeded. You recommend appointing an external DPO with relevant certifications, initiate the designation process, and notify the supervisory authority. A service contract is concluded with the external DPO covering regular audits, handling of data subject requests, and advisory support for new projects.

FAQ

When is a DPO required?

Under the GDPR, a DPO is required for public bodies and organisations whose core activities involve large-scale processing of special categories of data or systematic monitoring. In Germany, Section 38 BDSG additionally requires a DPO when at least 20 persons are regularly engaged in automated processing of personal data.

Can an external DPO be appointed?

Yes, an external DPO is explicitly permitted and widely used in practice. The external DPO must possess the same expert knowledge and independence as an internal DPO. The advantages are specialist expertise and easier assurance of the required independence.

What are the DPO's tasks?

The DPO monitors GDPR compliance, advises the controller, must be involved in DPIAs, trains staff, and acts as a contact point for data subjects and the supervisory authority. The DPO acts independently and may not be penalised for performing their duties.
