SITTIG LAW Law Firm Blog

Data Protection Officer for Sensitive Data: When is it Mandatory?

If a company extensively processes special categories of data according to Art. 9 or criminal data according to Art. 10 GDPR as part of its core business, it is obliged to appoint a data protection officer. The article explains which data is affected, when the obligation applies, and what fines are threatened in case of violations.

What is sensitive data according to Art. 9 GDPR?

When is a data protection officer legally required due to the processing of sensitive data? The answer lies in the connection of three GDPR provisions: Article 9 GDPR (special categories of personal data), Article 10 GDPR (criminal convictions and offenses), and Article 37 GDPR (mandatory designation). As an experienced law firm in data protection and IT law, SITTIG LAW guides companies and organizations through these complex requirements.

In the following post, you will learn which data categories are considered particularly sensitive, when the obligation to designate a data protection officer arises, and what practical consequences a violation has.

The General Data Protection Regulation distinguishes between ordinary personal data – such as name, address, or email address – and data categories that carry a particularly high risk to the fundamental rights and freedoms of data subjects. These special categories are listed in Article 9 GDPR.

Special categories include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health, and data relating to sex life or sexual orientation.

The legislator has deliberately kept this catalog narrow and exhaustive. No further categories can be added through interpretation. However, indirect data is also covered: information that indirectly allows conclusions to be drawn about one of these categories also falls under the protection of Art. 9 GDPR.

Why is this particular data so worthy of protection?

The background for the increased protection standards is the prohibition of discrimination. Data on ethnic origin, religion, or sexual orientation can be used for discrimination if they fall into the wrong hands. Biometric data allow for the unambiguous identification of individuals; a compromise is practically irreversible.

Health data pertains to the most intimate aspects of human existence. According to prevailing opinion, even the mere fact that a person has visited a doctor is considered health data. The same applies to information from fitness apps, lab results, or diagnoses. This is particularly relevant for employers: even a simple sick note falls under this category.

Genetic data is also particularly sensitive because it not only describes the person concerned but also allows inferences to be made about biological relatives. The disclosure of genetic data therefore always affects the data protection of third parties.

What does Art. 10 GDPR regulate, and why is it next to Art. 9?

Art. 10 GDPR systematically supplements Art. 9 GDPR. It governs the processing of personal data concerning criminal convictions and offenses, as well as related safeguards. These data are not part of the catalog in Art. 9 GDPR, but are given their own level of protection through Art. 10 GDPR.

In principle, such data may only be processed under the supervision of an authority or if a legal basis under Union or Member State law expressly permits it. For private companies, this means: Without an explicit legal basis, the processing of criminal records is prohibited.

When does the obligation to appoint a data protection officer arise?

Under Article 37 of the GDPR, a data protection officer must be appointed if both of the following conditions are met:

  • The processing of sensitive data must constitute a core activity of the controller or processor.
  • The processing must be comprehensive, that is, it must go beyond mere routine tasks.

The term "core activity" should be understood in a narrower sense than the overall operations of a company. It refers to the primary business areas that shape the company’s strategic direction—not support processes such as internal human resources management or accounting. A medical practice, whose core business is treating patients, processes health data as part of its core activity; a small business that merely manages the income tax data of its few employees, on the other hand, does not.

What is the difference between an internal and an external data protection officer?

The GDPR regime permits both models. Pursuant to Article 37(6) GDPR, the data protection officer may be an employee of the controller or may perform these tasks on the basis of a service contract as an external DPO.

An in-house data protection officer is fully integrated into the company, has direct insider knowledge, and is always available. However, this also creates structural conflicts of interest—the officer may not perform any duties that could lead to a conflict of interest and is subject to special protection against dismissal.

An external data protection officer, on the other hand, typically offers greater professional depth, cross-industry experience, and genuine structural independence. For many small and medium-sized enterprises – as well as for organizations that cannot present a suitable internal candidate – the external solution is the more practical and often more cost-effective option.

What responsibilities does the data protection officer have according to Article 39 GDPR?

The list of duties of the data protection officer is set forth in Article 39 of the GDPR and includes, at a minimum:

  • Instruction and advice to the controller and the employees on data protection obligations
  • Monitoring compliance with the GDPR, other EU data protection regulations, and internal data protection requirements
  • Raising awareness and providing training for employees involved in processing
  • Consulting on Data Protection Impact Assessments (DPIA)
  • Cooperation with and point of contact for the supervisory authority

Under what circumstances is it permissible to process sensitive data?

Article 9 of the GDPR establishes a general prohibition on processing. Processing is permitted only in exceptional cases, if one of the exhaustively listed grounds for authorization in Article 9(2) of the GDPR applies. All exceptions must be interpreted restrictively. The most significant ones in practice are:

  • Express consent of the data subject—implied or tacit consent is not sufficient.
  • Processing for the fulfillment of labor or social law obligations – requires a corresponding legal basis in Union or national law.
  • Protection of the vital interests of the data subject or another person – only applies if the data subject is unable to give their consent.
  • Processing for healthcare, occupational medicine, or the administration of social security systems – subject to confidentiality obligations.

What are the potential consequences of violating the designation requirement?

A violation of the obligation to appoint a data protection officer pursuant to Art. 37 GDPR is subject to a penalty. Pursuant to Art. 83 GDPR, supervisory authorities can impose fines.

In addition to the immediate risk of fines, the absence of a data protection officer leads to structural compliance deficiencies: Without a DPO, reporting requirements in the event of data breaches, the obligation to conduct a data protection impact assessment, and the monitoring of technical and organizational measures are not coordinated—which can lead to further violations and fines.

What should you do if it is unclear whether there is a designation requirement?

In many cases, the question of whether a data protection officer must be appointed is not a trivial subsumption, but rather requires an individual risk analysis. The following steps are recommended:

  • Inventory of all processing activities in the company and identification of those that concern sensitive data according to Art. 9 or Art. 10 GDPR.
  • Determining whether these processing activities constitute the company's core business or are merely ancillary activities.
  • Assessment of the "scope" (number of people affected, duration, geographical extent, data volume).
  • Consideration of national requirements: § 38 (1) BDSG stipulates designation requirements for non-public bodies already from 20 persons permanently employed in automated data processing.
  • Documentation of the review in the record of processing activities.
Frequently asked questions

In practice, this will likely be true for most medical practices. The processing of patient data constitutes health data within the meaning of Art. 9 GDPR – and therefore special categories of data, the extensive processing of which, according to Art. 37 GDPR, directly triggers the obligation to appoint a data protection officer. Since the processing of patient data is part of the core business of every medical practice, this criterion is likely to be regularly met. In addition, Section 38 BDSG applies as soon as at least 20 people are constantly engaged in automated data processing – thus providing an additional point of reference for larger practices and medical care centers. However, smaller individual or group practices should still have the matter reviewed individually, as the scope of processing can vary depending on the specific case.

Article 9 of the GDPR protects special categories of personal data (health, religion, biometrics, etc.). Article 10 of the GDPR independently regulates the processing of data concerning criminal convictions and offenses. Both provisions are referred to in Article 37(1)(c) of the GDPR as equally triggering a designation requirement.

Yes. According to Art. 37 GDPR, the contact details of the data protection officer must be published and communicated to the competent supervisory authority. In Germany, this is done via the reporting portals of the state data protection commissioners.

Group companies may appoint a joint data protection officer pursuant to Art. 37 GDPR if the officer is easily accessible from each establishment – spatially, temporally, and linguistically.

Yes. Voluntary designation is an expression of the accountability principle and can act as a compliance signal to the supervisory authority. In practice, it protects against structural enforcement deficits.

No. Art. 9 GDPR requires explicit consent.
Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.