In times of increasing digitalization and stricter data protection laws, data protection in companies has long been more than a mere legal obligation. It is a strategic issue that builds trust among customers, partners, and employees, while at the same time protecting against substantial fines.
A key role in this context is played by the data protection officer (DPO). But when is the appointment mandatory, what responsibilities does the role include, and which mistakes should companies avoid?
In this article, you will learn in a concise and practical manner what Articles 37 to 39 GDPR mean for your organization.
1. When Is a Data Protection Officer Mandatory? (Art. 37 GDPR)
Not every company is required to appoint a data protection officer, but many are obliged to do so without realizing it.
A data protection officer is required under Article 37 GDPR if, within the company:
- extensive, regular, and systematic monitoring of individuals takes place, e.g., through tracking, monitoring, or video surveillance,
- special categories of personal data are processed, such as health data, biometric characteristics, or information on religious or political views,
- or if § 38 BDSG applies:
  - At least 20 persons are permanently engaged in the automated processing of personal data, regardless of their form of employment.
Practical tip: The obligation applies regardless of legal form, so it also covers associations, public authorities, and church institutions. Even if there is no legal obligation, voluntary appointment may be advisable, for example, to better manage data protection risks.
Conclusion: Regularly review whether an obligation to appoint a DPO exists. With growing teams, new digital processes, or international data flows, the obligation status can change quickly.
2. What Is the Position of the Data Protection Officer Within the Company? (Art. 38 GDPR)
Once a data protection officer has been appointed, Article 38 GDPR governs their legal position.
The focus is on the independence of the DPO.
- The data protection officer must not receive instructions when performing their tasks.
- They must not be disadvantaged or dismissed simply because their activities are inconvenient for the company.
- The DPO reports directly to senior management, not to department heads.
Important:
The data protection officer must not have conflicts of interest. Individuals who themselves determine the purposes and means of data processing (e.g., IT management, executive management) are not suitable.
External consultants must also ensure independence if they provide other services in parallel.
In addition, the company is obliged to provide the DPO with the necessary resources: time, budget, training, and access to all relevant information. Only in this way can data protection be implemented effectively.
3. Tasks of the Data Protection Officer (Art. 39 GDPR)
The data protection officer is not merely an auditor; they are an advisor, control body, and point of contact at the same time.
Article 39 GDPR defines five core tasks:
- Information and advice
→ Training and awareness-raising among employees, and advising management on all data protection obligations.
- Monitoring compliance
→ Regular audits, review of technical and organizational measures (TOMs), and examination of data processing agreements.
- Advice on data protection impact assessments (DPIAs)
→ Support in risk assessment and methodology.
- Cooperation with the supervisory authority
→ Point of contact for inquiries, audits, or data protection incidents.
- Contact point for data subjects
→ Handling access requests, complaints, or erasure requests.
In short:
The data protection officer is a central element of risk management. They do not make decisions but identify risks, outline alternatives, and support the implementation of GDPR-compliant solutions.
4. Common Implementation Mistakes in Data Protection
Despite clear requirements, many companies make similar mistakes, often with legal consequences.
Typical pitfalls:
- Missing or incorrect appointment of a DPO (e.g., IT manager = conflict of interest)
- Insufficient allocation of time and budget
- Late involvement in projects (“data protection by reaction”)
- Missing or incomplete documentation
- No employee training
Practical tip:
Involve your DPO early in projects – especially when introducing new tools, software, or processes. This helps avoid subsequent data protection issues and unnecessary costs.
5. Recommendations for DPOs and Companies
For data protection officers
- Position your role visibly within the company.
- Insist on involvement in decision-making processes, both strategic and technical.
- Stay professionally up to date (e.g., through annual training).
- Document your activities carefully and transparently.
For companies
- Take the role of the DPO seriously – even in cases of voluntary appointment.
- Provide sufficient resources and support.
- Promote a data protection culture: data protection is teamwork, not a one-person project.
- Integrate data protection from the outset into new processes (“privacy by design”).
Conclusion: Data Protection as an Opportunity for Trust and Security
Articles 37 to 39 GDPR form the foundation for effective data protection within companies.
They define when a data protection officer is required, which rights they have, and which tasks they perform.
What matters, however, is implementation:
Only if the DPO can act independently, competently, and with proper integration does data protection become a lived practice – rather than a mere formality.
Use the legal requirements as an opportunity: for greater trust, security, and resilience in your company.
Frequently Asked Questions (FAQ)
When is a data protection officer mandatory?
If more than 20 persons regularly process personal data in an automated manner or if special categories of data are processed.
Can the managing director act as data protection officer?
No, this would constitute a conflict of interest; the function must be exercised independently.
Does the data protection officer have to be trained?
Yes, continuous training is mandatory to ensure professional expertise and up-to-date knowledge.
Final tip: Document data protection easily
The work of a data protection officer requires structured documentation and ongoing training. With PLANIT // PRIMA, you can organize your data protection processes simply, efficiently, and in compliance with the law, including employee training and templates.