These companies need a data protection officer
The German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (DSGVO) regulate the question of when companies need a data protection officer.
The DSGVO has significantly expanded the group of companies that require a data protection officer. It is now no longer only the size of the company that matters. Even small companies with fewer than 20 employees are often required to appoint a DPO.
A DPO is required in the following cases:
1. as a rule, at least 20 persons are permanently employed with the automated processing of personal data in the company (Section 38 BDSG). This provision essentially corresponds to the existing legal situation. Automated data processing exists if the data processing is carried out with the aid of data processing equipment (e.g. on a computer).
2. the core activity of the company consists in carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive, regular and systematic monitoring of data subjects (Art. 37(1)(b) GDPR). This is the case if the data processing in question is a central component of the entrepreneurial activity / business strategy. For example, the processing of health data for a hospital or the processing of address data for credit agencies is a central element of their activity. The management of personnel data within a company, on the other hand, is usually classified as a secondary activity.
3. The core activity of the company consists of the extensive processing of special categories of data (Art. 37 (1) (lit) c DSGVO, Artt. 9, 10 DSGVO).
Special categories of data include health data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data and biometric data. 4.
4. the company is obliged to carry out a so-called data protection impact assessment (Art. 35 DSGVO, Section 38 BDSG). The state data protection authorities, as supervisory authorities, have now published so-called blacklists listing industries and processing operations for which a data protection impact assessment is mandatory. This is the case, for example, if there is a high risk of rights being violated due to the use of certain technologies.
5. business processing of personal data for the purpose of transmission, anonymized transmission or for the purpose of market or opinion research (Section 38 BDSG).
Accordingly, even smaller companies are required to appoint a data protection officer if they process a particularly large amount of personal data or sensitive data.