SITTIG LAW Law Firm Blog

External Data Protection Officer When Required: The Complete Overview

According to § 38 BDSG, non-public bodies that, as a rule, keep at least 20 persons constantly engaged in the automated processing of personal data must appoint a Data Protection Officer (DPO); smaller companies may also be obligated under certain conditions. This article explains which thresholds apply, who is counted, and why an external DPO is often the legally safer choice for many SMEs.

The most important points in brief

Article 37 GDPR and Section 38 BDSG govern the obligation to appoint a data protection officer.

The question of when a data protection officer must be appointed concerns many companies, often only when an inspection by the supervisory authority is imminent or a data protection incident has already occurred. The starting point, however, can be determined clearly. Anyone acting as an external data protection officer must be proficient in both the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), because both sets of rules apply in parallel. We support companies nationwide as an external data protection officer and assess individually whether, and from when, the appointment obligation applies to you.

The obligation to appoint a data protection officer arises from two levels of regulation. Article 37(1) GDPR directly obliges controllers and processors if their core activities consist of large-scale processing of special categories of data under Article 9 GDPR or of data relating to criminal convictions and offences under Article 10 GDPR, or of regular and systematic monitoring of data subjects on a large scale. Public authorities and bodies must appoint a DPO in any event, except for courts acting in their judicial capacity. This obligation applies regardless of the company's size or number of employees.

In addition, § 38(1) sentence 1 BDSG obliges non-public bodies to appoint a data protection officer as soon as, as a rule, at least 20 persons are constantly engaged in the automated processing of personal data. The word "constantly" is decisive: it does not mean full-time employment exclusively in data processing, but rather that the automated processing of personal data is an essential and regular part of the respective activity. Someone who handles customer inquiries by email daily, uses a CRM system, or maintains personnel data generally meets this criterion. The decisive factor is the number of persons, not full-time equivalents: part-time employees, mini-jobbers, trainees, interns, and functionally integrated freelancers are all counted.

Who is among the 20 people – and who is not?

Counting the persons correctly is often underestimated in practice. All natural persons who are actually and regularly involved in the automated processing of personal data are counted, regardless of their employment status: permanent employees, part-time workers, mini-jobbers, working students, apprentices, interns, and also functionally integrated freelancers or temporary workers, provided they regularly handle personal data. The rule of thumb is: anyone who regularly works at a PC workstation and processes personal data counts. This typically includes all staff in administration, accounting, sales, marketing, HR, and customer service. Persons who come into contact with personal data only occasionally, such as production or warehouse staff without a regular PC workstation, are generally not counted. The assessment is an ex-ante view of the typical operational setup, not a snapshot on a particular day.

Does the 20-person limit always apply, or are there exceptions?

The answer is clear: no. § 38(1) sentence 2 BDSG lists cases in which the appointment obligation applies regardless of the number of persons employed. It covers non-public bodies that (1) carry out processing operations subject to a data protection impact assessment (DPIA) under Article 35 GDPR, (2) process personal data on a commercial basis for the purpose of transfer or anonymised transfer, or (3) process personal data for purposes of market or opinion research. In all these cases the obligation exists even if the company employs only five people. This comes as a surprise to many SMEs and startups, especially where the core business involves high-risk processing without the company being aware that a DPIA is required.

What's the difference between an internal and external Data Protection Officer?

Companies can fill the role of Data Protection Officer either internally or externally. With an internal DPO, an existing employee is entrusted with the function in addition to their actual duties; this is legally permissible as long as there is no conflict of interest. In practice, however, many companies run into the limits of this solution: the internal DPO is often insufficiently qualified, lacks the time budget for the task, or is in a conflict of interest because of their dual role, which endangers their independence from instructions. The external Data Protection Officer, on the other hand, offers clear advantages: they bring specific expertise, are independent, are not subject to conflicts of interest within the company, and, unlike an internally appointed mandatory DPO, are not covered by the special protection against dismissal under § 6(4) BDSG (applicable to non-public bodies via § 38(2) BDSG), so the mandate can be ended on contractual terms. For many SMEs, the external DPO is therefore not only the simpler but also the legally safer solution.

What are the specific tasks of an external data protection officer?

Art. 39 GDPR sets out the minimum tasks of the Data Protection Officer. These include informing and advising the controller and its employees on their data protection obligations; monitoring compliance with the GDPR, the BDSG and other data protection provisions as well as with the controller's internal policies; advising on data protection impact assessments and monitoring their performance; and cooperating with, and acting as contact point for, the competent supervisory authority. The DPO is also the point of contact for data subjects who wish to exercise their rights of access, erasure, or rectification. A qualified external DPO also acts proactively: they advise on data protection for new IT projects, review data processing agreements, train employees, and support the creation and maintenance of the record of processing activities under Art. 30 GDPR, which remains the controller's own obligation. This breadth of tasks shows why the requirements for expertise in data protection law and practice are high.

What are the risks if a data protection officer is not appointed?

The failure to appoint a mandatory data protection officer constitutes a violation of Article 37 GDPR and Section 38 BDSG. Under Article 83(4)(a) GDPR, the competent supervisory authority can impose fines of up to EUR 10 million or, for an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition to the financial risk, there is the threat of reputational damage, which can have significant consequences for companies with customer contact.

Many companies underestimate the complexity of assessing the appointment obligation. The question of whether the 20-person threshold has been reached sounds simple, but counting correctly and assessing whether certain activities qualify as "constant automated processing" requires data protection expertise. Assessing the special cases is even more demanding: whether a DPIA is required for a specific processing operation is an individual assessment based on Article 35 GDPR and the lists of processing operations requiring a DPIA published by the German supervisory authorities under Article 35(4) GDPR. We will assess for you whether and from when your company is obligated to appoint a data protection officer, and will take on the function of external data protection officer if required. Contact us.

Frequently asked questions
When is a data protection officer mandatory?
The obligation arises from two levels of regulation. Art. 37 GDPR directly obliges controllers and processors whose core activities consist of large-scale processing of special categories of personal data or of regular and systematic monitoring of data subjects on a large scale. In addition, § 38 BDSG sets a threshold for Germany: if, as a rule, at least 20 persons are constantly engaged in the automated processing of personal data, the appointment obligation exists independently of the European criteria. § 38(1) sentence 2 BDSG further lists activity-related cases in which the obligation applies regardless of the number of persons, namely processing that requires a DPIA (which regularly includes scoring procedures), commercial data transfer, and market or opinion research.
Do part-time employees, trainees and freelancers count toward the 20 persons?
Yes. The threshold counts heads, not full-time equivalents. Part-time employees, mini-jobbers, trainees, interns, and functionally integrated freelancers are all included, provided they regularly process personal data by automated means.
Does "constantly engaged" mean that data processing must be the sole activity?
No. It is sufficient that the automated processing of personal data constitutes a substantial and regular part of the activity, for example through a CRM system used daily, email communication containing customer data, or HR management software.
Can a company with fewer than 20 employees be obligated to appoint a DPO?
Yes, if either Art. 37 GDPR or § 38(1) sentence 2 BDSG applies: for processing operations requiring a data protection impact assessment, for commercial data transfer, or for market and opinion research.
What is a data protection impact assessment (DPIA)?
A DPIA is a systematic prior assessment of risks under Art. 35 GDPR. Under Art. 35(3) it is mandatory, among other cases, for a systematic and extensive evaluation of personal aspects based on automated processing, including profiling and scoring, where this produces legal or similarly significant effects; for large-scale processing of special categories of data (e.g., health data); and for systematic monitoring of publicly accessible areas on a large scale, such as extensive video surveillance. If the DPIA obligation is triggered, a DPO must also be appointed under § 38(1) sentence 2 BDSG.
What is scoring, and why does it trigger the appointment obligation?
Scoring refers to automated procedures that evaluate particular characteristics of natural persons, such as creditworthiness, probability of payment, or insurance risk. Such processing regularly falls under Art. 35(3)(a) GDPR and is therefore subject to a DPIA. Consequently, under § 38(1) sentence 2 BDSG, a DPO must be appointed regardless of the number of persons employed.
Can an existing employee be appointed as internal DPO?
Yes, that is legally permissible. However, the internal DPO must not be in a conflict of interest: an IT manager who decides on data-protection-relevant systems, for example, cannot at the same time monitor those decisions as DPO. In such cases, an external DPO is the legally safer choice.
What are the advantages of an external DPO?
Independence, specific expertise, and no conflict of interest with an operational role in the company. Furthermore, an external DPO does not enjoy the special protection against dismissal under § 6(4) BDSG that applies to internally appointed mandatory DPOs, so the mandate can be ended on contractual terms.
Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.
