Most important points

• A data protection officer is a person who monitors and advises on data protection compliance within an organization. They act as a point of contact for employees and supervisory authorities on data protection issues.

• According to Art. 37 GDPR and Section 38 BDSG, certain bodies are obliged to appoint a DPO, for example if at least 20 people are permanently involved in the automated processing of personal data or if extensive sensitive data is processed (regardless of the number of employees).

• The DPO can be appointed internally (employee with appropriate expertise) or externally (expert providing services). They must be knowledgeable and reliable and enjoy freedom from instructions in data protection matters as well as special protection against dismissal.

• DPO tasks: monitoring GDPR compliance, training employees, supporting data protection impact assessments, liaising with supervisory authorities and advising those responsible in data protection matters.

• Startups should check whether they need a DPO. Even if there is no obligation, a voluntary appointment can be useful to ensure data protection-compliant growth at an early stage.

Designation obligation

The GDPR (throughout Europe) requires the appointment of a data protection officer for certain controllers (Art. 37 GDPR), namely if:

• the core activity of the controller consists of extensive, regular monitoring of individuals (e.g. operator of a social media platform, scoring company),

• or if particularly sensitive data (Art. 9 GDPR: e.g. health data) is processed extensively.

The German Federal Data Protection Act (Section 38 BDSG) also specifies that a DPO must be appointed if at least 20 employees are generally entrusted with automated data processing. Even regardless of this number of employees, if the company carries out processing operations that are subject to a data protection impact assessment in accordance with Art. 35 GDPR (in practice, e.g. extensive video surveillance, scoring procedures) or processes personal data on a commercial basis for the purpose of transmission (list brokers, address traders).

Start-ups with only a few employees are often not initially subject to the obligation (unless they are active in a sensitive area such as health). However, if the team grows beyond 20, the obligation must be kept in mind.

Position and tasks

The data protection officer has a supervisory and advisory role:

• Monitoring: It checks whether the requirements of the GDPR and the BDSG are being complied with in the company. To this end, it can inspect processing directories, audit processes and make suggestions for improvement.

• Advice: He advises those responsible (management, department heads) on new projects with regard to data protection-compliant design (“privacy by design/default”). For example, he supports the planned introduction of a new CRM system by reviewing the order processing contracts and technical and organizational measures.

• Training: Employees are made aware of data protection by the DPO, e.g. in the form of training on handling personal data, password security and dealing with data breaches.

• Contact point: The DPO is the point of contact for supervisory authorities and for data subjects who have information or complaints. The contact details of the DPO must be publicly accessible (e.g. in the privacy policy).

• Data protection impact assessment (DPIA): If a processing operation is likely to pose a high risk to rights and freedoms and a DPIA needs to be carried out, the DPO participates, provides advice and reviews the results.

• Reporting data breaches: It advises on the assessment of whether a data breach is reportable and, if necessary, provides support in reporting it to the authorities.

Independence and protection of the DPO

An internal DPO has a special position:

• He is free from instructions in the performance of his duties (Art. 38 para. 3 GDPR). He may not be disadvantaged because of the fulfillment of his tasks.

• They can only be dismissed under difficult conditions. Under the BDSG, an internal DPO can only be dismissed for good cause (protection against dismissal during the appointment and for one year thereafter).

• The DPO must not hold a position in the company that could lead to conflicts of interest. Typically, senior managers such as managing directors, IT managers and HR managers are therefore excluded as DPOs, as they would have to control their own processes.

Many companies therefore choose an external DPO who fulfills these tasks as a service provider. The advantage of this is that you buy in specialist knowledge and do not have to permanently retain a person internally.

Relevance for startups

Even if a start-up is below the personnel threshold at the beginning, it should take data protection seriously. As soon as growth is underway:

• Assessments: Regularly check whether the threshold has been reached or whether special processing operations are taking place that require a DPO.

• Preparation: Set up processes for data protection management (register of processing activities, consent management, contracts with service providers). This makes the subsequent DPO’s work easier and reduces the risk of infringements.

• Budget for an external DPO: Above a certain size, it can make sense to voluntarily appoint an external DPO at an early stage. He or she will help to set up a data protection-compliant structure, which will prevent problems and fines later on.

In a data protection-conscious business environment (keyword: customer trust, compliance with B2B partners), professionalization by a DPO can also be a quality feature for a startup. Nevertheless, the obligation should not be rushed: the right timing is important when the criteria are met or are likely to be met in order to be on the safe side.