The new General Data Protection Regulation (GDPR - or "DSGVO" in Germany) applies and there is a Europe-wide obligation to appoint a company data protection officer (Art. 35ff. GDPR). This is binding if a company carries out an activity that requires special checks from the perspective of data protection law.

In addition, every company can appoint a data protection officer on a voluntary basis.

The GDPR obliges all public and non-public bodies that process personal data (e.g. name, age, date of birth, address, criminal record, genetic data, account number) to automatically appoint an expert data protection officer.




A data protection officer (DPO) works within an organisation (company) to ensure compliance with data protection. The person may be an employee of the organisation or appointed as an external data protection officer. The task and activity of a data protection officer in Germany is regulated in the Federal data protection act [BDSG] as well as in the corresponding provisions of state law.  An essential task is to check and monitor the proper use of data processing programs.




The data protection officer in a company works on the compliance with the data protection provisions (but has no right to issue instructions). In particular, the DPO shall monitor the proper use of the computers and computer programs. A key focus is that only authorised persons can carry out processing limited to the purpose and that the owner of the data can exercise their right of self-determination to information, correction, blocking and deletion. In addition, they are responsible for training employees to make them aware of data protection issues.

The Data Protection Officer is not bound by instructions and is independent of superiors. Only those who have the necessary expertise (certification) and reliability may be appointed as data protection officers.




The obligation to appoint a data protection officer applies to

» All public bodies

» All non-public bodies - companies with more than nine employees that process personal data automatically


If none of these points apply, however, the company is not exempt from compliance with data protection law, but must also ensure compliance with the Federal data protection act. Data subjects must be given the opportunity to contact the data protection officer at any time (§ 4f (5) cl. 2 of the Federal data protection act).




External DPO:


+ Certified, already existing and immediately applicable expertise

+ Risk minimisation for the company

+ Clear cost structure through contractually fixed prices

+ No commitment of company resources

+ Uses 100% of their resources for data protection

+ Costs for further training are covered by SACO

-  Familiarisation period with the operating procedures necessary,


+ Approach with an eye for detail

+ Removal or termination of the appointment

   possible at any time

+ Expertise from other companies

+ Neutral position in the company, both externally (e.g. vis-à-vis

   authorities) and within the company (e.g. vis-à-vis employees)

+ No conflicts of interest

+ Works council has no right of co-determination with the external


Internal DPO:


-  Time-intensive and costly further training measures to obtain the

   professional qualification and time off for the duration of the


-  Liability within the scope of limited employee liability. The

   managing director is liable in full (incl. their private assets)

-  Non-transparent costs for literature, office, work absences, further

   training incl. costs for overnight stays and subsistence

-  Internal DPOs can no longer fully perform their main job

-  Barely use their resources for data protection

-  All costs for further education and training are borne by the


+ Operating procedures are more or less known

-  Operational blindness of the int. DPO often prevails

-  Dismissal only for important reasons (§ 626 BGB [German civil

   code], § 4f para. 3). Also one year of protection against dismissal

   after withdrawal

-  Often no expertise and no possibilities for comparison

© 2022 SACO Software and Consulting GmbH | Mühlgasse 5 | 97840 Hafenlohr | Germany