Under the GDPR, the obligation to appoint a data protection officer applies primarily to public authorities and public bodies. However, companies whose core activity is the particularly extensive processing of personal data or the processing of special categories of data (in accordance with Articles 9 and 10 GDPR) must also appoint a data protection officer in accordance with the GDPR (see Article 37 GDPR).
An opening clause in the GDPR offers each member state the opportunity to create stricter conditions for the appointment of an in-house data protection officer. In the new Federal Data Protection Act, for example, Germany has, among other things, regulated the obligation to appoint company data protection officers more strictly than in the GDPR.
For example, the appointment of a data protection officer pursuant to Art. 38 BDSG is mandatory for all companies in Germany, provided that at least 20 employees (Federal Council decision of 20 September 2019) are constantly engaged in the automated processing of personal data.
In summary, as a private company, it is easy to assess whether the appointment of a data protection officer is necessary on the basis of three criteria. If at least one of the three criteria applies, there is a legal obligation to appoint a data protection officer. The criteria are:
- The number of employees who regularly and recurrently work with personal data is at least 20 (employees are also auxiliary staff, trainees, temporary workers or freelancers)
- Processing of a special category of personal data takes place (this includes race, ethnic origin, political opinion, religious beliefs, trade union membership, health, sexual life or criminal behaviour; see Articles 9 and 10 GDPR).
- Personal data are transferred, collected, processed or used on a business basis (i.e. the core activity of the company consists of these processing operations).
The intentional or negligent failure to appoint a company data protection officer constitutes an administrative offence subject to a fine.
Even if a company is not legally obliged to appoint a data protection officer, the provisions of data protection law must nevertheless be complied with in full. This poses a particular challenge for smaller companies, as they simply lack data protection expertise. In such cases it makes perfect sense to appoint a data protection officer voluntarily.