SITTIG LAW Law Firm Blog

Who is responsible for compliance with data protection in the company?

Who is responsible for data protection in your company? The GDPR's clear answer: the company itself, represented by management or the owner. A Data Protection Officer (DPO) is an important supervisory body, but cannot assume overall responsibility. Do not underestimate this accountability principle, as violations can lead to significant fines and criminal consequences. Ensure clear internal structures and train your employees.

Data Protection in Business: A Question of Responsibility

Data protection is not an abstract compliance issue. It affects every company that processes personal data – and almost every company does so today. Customer data, employee data, applicant data, supplier information: there are touchpoints with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) everywhere.

The crucial question many companies ask themselves is: Who is actually responsible? Is it management? The IT department? The data protection officer? Or everyone together?

The answer is legally clear, and at the same time complex in practical implementation. Depending on the legal form of the company, the responsible parties differ, as do the specific obligations that arise from this.

Legal Basis: What the GDPR and BDSG Regulate

The "controller" according to Art. 4 No. 7 GDPR

The core of the question of responsibility can be found in Art. 4 No. 7 GDPR. According to this, a "controller" is any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The accountability principle according to Art. 5(2) GDPR

The so-called accountability principle obliges the controller not only to comply with the data protection principles, but also to be able to prove this compliance.

Liability by Business Structure: Who Is Specifically Liable?

The legal responsibility for data protection is not the same for all companies. It depends significantly on the company's legal structure – an aspect that is often underestimated in practice.

Sole Proprietorship

In the case of a sole proprietorship, the owner is the data controller under the GDPR. There is no distinction between the business owner as an individual and the business as a legal entity. This means that the sole proprietor bears personal and direct responsibility under data protection law—he or she cannot fully delegate this responsibility to employees or third parties.

Legal Entities: GmbH, AG, UG

In the case of legal entities—such as GmbHs, AGs, UGs, or registered associations—the entity itself is the data controller. Since a legal entity cannot act on its own, this responsibility is exercised by the management or the board of directors.

In a GmbH, the management, according to § 43 of the GmbHG (German Limited Liability Companies Act), bears the general duty of care, which also includes data protection. The managing directors must ensure that data protection-compliant structures are in place within the company. Delegating this responsibility to employees or a data protection officer does not absolve them of this overall responsibility – it remains with the company in external relations.

Partnerships: General Partnership, Limited Partnership, Civil Law Partnership, Partnership Company

In the case of partnerships, the legal situation is more complex. Partnerships with legal capacity, such as an OHG or a KG, can themselves be data controllers under the GDPR. The personally liable partners—all partners in the case of an OHG, and the general partners in the case of a KG—may also be personally liable.

In the case of a GbR, which does not have its own legal personality, the partners are jointly liable. In practice, this can mean that all partners in a group practice or law firm organized as a GbR are jointly liable for data protection violations.

For professional partnerships (PartGG), which are often used by self-employed professionals—such as doctors, lawyers, and architects—the following applies: The partnership itself has legal capacity and is therefore liable; the partners are responsible for exercising due diligence internally.

The Role of the Data Protection Officer: Responsibility ≠ Delegation

A common misconception is: "We have a data protection officer, so they are responsible."

The Data Protection Officer (DPO) is not a data controller but rather a supervisory and advisory body. According to Article 39 of the GDPR, the DPO’s duties include: providing information and advice to data controllers, monitoring compliance with the GDPR, cooperating with the supervisory authority, and serving as a point of contact for data subjects.

The responsibility for ensuring actual compliance with data protection regulations always rests with the company itself—that is, with its management or board of directors.

When is a DPO required?

According to Section 38 of the BDSG, non-public entities must appoint a data protection officer if, as a rule, at least 20 people are constantly involved in the automated processing of personal data. This figure does not refer to the total workforce, but specifically to the group of individuals who regularly process data.

Regardless of this threshold, there is an obligation to appoint a DPO if:

  • a data protection impact assessment under Article 35 of the GDPR is required, or
  • the core activity consists of extensive processing of special categories of personal data, for example in healthcare.

Internal or external?

The DPO can be appointed either internally from among the staff or externally. An external DPO often offers advantages: he or she brings up-to-date expertise to the role, is not subject to internal conflicts of interest, and is more independent in his or her oversight role.

Among other services, we act as an external data protection officer for companies—a pragmatic solution, particularly for small and medium-sized businesses that are unable or unwilling to allocate internal resources to this task.

Practical tips for companies

Tip 1: Clearly assign responsibilities internally: Even though the legal responsibility lies with the company, it needs an internal "data protection owner"—a specific person or department that coordinates data protection processes and maintains an overview.

Tip 2: Keep a record of data processing activities: Article 30 of the GDPR requires data controllers to maintain a record of processing activities.

Tip 3: Systematically enter into data processing agreements: Anyone who has a service provider process personal data must enter into a data processing agreement in accordance with Article 28 of the GDPR. Without such an agreement, a data protection violation exists regardless of whether any damage results.

Tip 4: Be aware of data breaches and report them: Art. 33 GDPR requires data breaches to be reported to the supervisory authority within 72 hours. Many companies are unsure what constitutes a reportable data breach. An internal policy and clear escalation paths help to react correctly in an emergency.

Tip 5: Train employees: The most common starting point for data breaches is human error. Regular employee training – especially in data-sensitive areas like HR, sales, or IT – is not a nice-to-have, but part of accountability.

Are you wondering if your company meets all data protection requirements? We advise companies nationwide on all matters of data protection law – from the initial assessment to ongoing support as an external data protection officer. Get in touch.

Checklist: Data Privacy Responsibility in the Company

  • Responsible parties identified: Is it clear who is legally responsible within the company (owner, management, board of directors)?
  • DPO obligation checked: Do at least 20 people regularly process personal data? If so, has a DPO been appointed?
  • Record of processing activities maintained: Does a current register of all processing activities pursuant to Art. 30 GDPR exist?
  • Data processing agreements concluded with all service providers: Have contracts been concluded with all external processors (cloud, IT, payroll, etc.) in accordance with Article 28 GDPR?
  • Technical and organizational measures documented: Are the TOMs (Technical and Organizational Measures) laid down in writing and up to date according to Article 32 GDPR?
  • Data breach reporting process established: Is there an internal reporting chain for data breaches with clear responsibilities?
  • Employees trained: Are employees regularly trained on data protection?
  • Privacy policies updated: Are the privacy policies on the website and in contracts up to date and complete?
  • Data protection impact assessment: Were new, high-risk processing operations subjected to a DPIA in accordance with Article 35 GDPR?

Recommendation for action

The question of who is responsible for data protection compliance within a company has a clear legal answer: the company itself – represented by its governing bodies. In the case of sole proprietorships, the owner is personally liable. Depending on the legal form, different liability scenarios arise, which can have very specific consequences in practice.

A data protection officer – whether internal or external – is an important compliance tool, but does not replace the overall corporate responsibility. Those who take this responsibility seriously protect not only the personal data of their customers and employees but also the company itself from significant fines and – in serious cases – criminal consequences.

If you have questions about data protection responsibility in your company or need legal support for implementation, we are happy to assist you – by phone, video, or in person.

Frequently asked questions
No. The data protection officer has an advisory and supervisory function. The legal responsibility for complying with the GDPR always remains with the company, i.e., with management. A delegation in the legal sense is not possible.
Generally not. The DPO's personal liability only arises if they themselves have violated their duties – for example, through incorrect advice or failure to take necessary measures. The primary liability lies with the company.
According to § 38 BDSG, the obligation applies where at least 20 persons are regularly engaged in the automated processing of personal data. Additionally, there are case-related obligations, for example, when processing special categories of personal data (health data, biometric data, etc.).
Yes. The GDPR applies to any natural or legal person processing personal data – regardless of company size. Small and sole proprietors are affected to the same extent as large corporations.
The failure to appoint a DPO constitutes a separate data protection violation and can be subject to fines.
At a minimum: records of processing activities, technical and organizational measures, data processing agreements, proof of consent, and, if applicable, data protection impact assessments.
Yes. Section 42 of the BDSG (Federal Data Protection Act) criminalizes particularly serious data protection violations – such as the unauthorized transfer of personal data for payment or with the intent of enrichment. In such cases, seeking legal assistance early on is advisable.
An internal assessment must be carried out immediately to determine whether a reportable data breach has occurred. If so, the responsible supervisory authority must be informed within 72 hours. If the affected individuals' freedoms or rights are at significant risk, notification of the data subjects is also required. Early legal advice helps to limit the damage.
Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.
