Your requirements – Who needs a data protection officer?

Who needs a data protection officer?

A data protection officer is mandatory under Article 37 GDPR for any company in which personal data are processed. By definition, personal data include e.g. name, e-mail, bank account, location, etc.

For small enterprises there is an exception under German law: a data protection officer has to be appointed if at least 20 employees regularly work with personal data (§ 38 BDSG). But every employee counts, even one who processes personal data only once a week or works only part time. This means that as soon as more than 19 employees are on the payroll and they mainly use a PC for their work, any responsible party should evaluate whether a data protection officer needs to be appointed. In almost any task performed on a PC, employees come into contact with personal data. Merely saving a customer's e-mail address is processing personal data.

Responsible parties have to take into account that, even if they are not obliged to appoint a data protection officer, they must still follow the regulations and laws; they are not absolved of data protection law. Either you acquire the knowledge yourself, or you get consultation. We cover any of these constellations: without the regular appointment of a data protection officer, we consult you on demand. In these cases our terms are per hour or per day; for more details please get in contact.


Independently of the number of persons, a company additionally needs a data protection officer by law in the following situations:

  1. Processing of data for which a data protection impact assessment is mandatory. This applies especially to sensitive data, or where misuse of the data would pose a high risk to the persons concerned, such as data on ethnic origin, sexual orientation, economic situation, religious belief or health (medics, physiotherapists, etc. may be counted without doubt). Also, if a company installs a surveillance system on factory premises, those recordings are defined as sensitive data.
  2. A company transfers personal data to third parties, as in classical address trading, or processes it for marketing or opinion research purposes.
  3. If the company was or is in conflict with the GDPR, the authority may request the appointment of a data protection officer.

As soon as you have decided to go ahead, or if you have been requested to do so by the authorities, the process is as follows:

  • Initial Meeting
  • Agreement of conditions
  • Audit
  • Audit report
  • Project plan
  • Transformation
  • Check

External Data Protection Officers from - be safe - we support you - assured!
