When must a data protection officer (DPO) be appointed?
Data protection officers play an important role in public authorities, companies and associations. They contribute to the protection of fundamental rights and help to minimise risks by monitoring compliance with legal provisions and preventing possible damage from data loss. This ultimately also strengthens the trust of citizens, customers and employees in the data processing of the respective organisations.
Today, the topic of data protection concerns all companies and authorities that work with sensitive customer or employee data. The Federal Data Protection Act (BDSG) regulates the appointment of a data protection officer in § 4f and § 4g. This officer must be appointed:
in all public offices (e.g. authorities)
in all non-public bodies (doctors’ surgeries, law firms, businesses, associations, …) if:
a.) personal data is processed automatically and at least 10 persons have access to the data.
b.) personal data is processed manually and at least 20 persons have access to the data.
c.) the organisation carries out automated processing of personal data which is subject to prior checking or if personal data is passed on to third parties on a commercial basis (e.g. address trading), in which case the number of staff is irrelevant.
With regard to the number of staff, the legislator does not differentiate between full-time and part-time employees! A data protection officer may only be appointed if he or she has the necessary faculties.