
GDPR Data Protection Officer: Does your company need one?

The legal articles of the GDPR describe in detail, in three different sections, the appointment of a data protection officer (DPO), his/her position and his/her tasks. This raises the question: under what conditions is the appointment of a DPO for your company not only optional, but mandatory under the GDPR?

In this article, we will answer this question and explain in detail the responsibilities of a DPO and the differences between internal and external DPOs.

What are the tasks of the data protection officer?

Roles and responsibilities of a GDPR data protection officer

The role of the data protection officer is to act as a bridge between your company and the supervisory authorities. He or she is at the heart of data protection management, monitoring compliance with the GDPR and other relevant data protection laws. A DPO should be able to advise your company on all data protection challenges and promote preventative measures, such as training your employees.

According to the GDPR, a data protection officer has to carry out the following tasks:

  1. Ensure compliance: Monitor compliance with all relevant data protection laws and regulations.
  2. Monitoring processes: This includes monitoring privacy impact assessments to assess the risks of data processing.
  3. Employee training and awareness: Promoting data protection awareness among employees.
  4. Liaise with supervisory authorities: Acting as a point of contact for data protection authorities.
  5. Accessibility and advice: The DPO should be available at all times to deal effectively with data protection issues.
  6. Record keeping: Keeping detailed records of the organisation’s data processing activities.
  7. Avoiding conflicts of interest: A DPO should be free from any conflict of interest.

Who needs a data protection officer under the GDPR?

Every public organization needs a data protection officer, and private companies must appoint a data protection officer if their data processing activities meet certain criteria. If you already know that you are processing personal data, the following section is important for you, as the processing of such data under the GDPR requires special care and attention.

When is a data protection officer mandatory under the GDPR?

The obligation to appoint a DPO under the GDPR arises when the processing of personal data by a company meets certain criteria:

  1. The main activity of the company involves carrying out activities which, due to their nature, scope and objectives, require regular and systematic, intensive monitoring of data subjects.
  2. The main activities include the extensive processing of special categories of personal data pursuant to Article 9 of the GDPR and data relating to criminal convictions and offences pursuant to Article 10 of the GDPR.

In addition, the GDPR requires the appointment of a data protection officer for every public authority or organization (with the exception of courts in their judicial activities).

Internal or external data protection officer?

Deciding whether an internal or external DPO is more appropriate for your company depends on two factors: the specific needs of your organisation and your resources. An internal DPO may be an efficient choice if the relevant expertise already exists within the organisation, as the position can be taken over or efficiently developed by an employee of the organisation. On the other hand, if a high level of expertise, objectivity and efficiency is required to implement data protection, it may be advantageous to choose an external DPO. Our partner, an accredited external DPO service provider, offers professional support that meets these criteria.

The advantages and disadvantages of both options are summarized below.

Internal data protection officer

Advantages:

  1. Familiarity with the company: Internal DPOs know the company, its processes and employees very well, which enables deeper integration of data protection into daily processes.
  2. Costs: Often cheaper because no new employees need to be hired and no external consulting costs are incurred.

Disadvantages:

  1. Resource and task conflicts: The additional tasks of a DPO can make it difficult to manage the existing workload. A new employee may need to be hired.
  2. Protection against dismissal: There are legal peculiarities regarding protection against dismissal that can make personnel decisions more difficult.

External data protection officer

Advantages:

  1. Specialized expertise: External data protection officers are often highly qualified and always informed about the latest developments in data protection law.
  2. Objectivity: Their external position enables DPOs to provide a more objective perspective on data protection issues within the company.
  3. Acceptance: External data protection officers are often viewed as more neutral by works councils and employees, which can facilitate cooperation.

Disadvantages:

  1. Accessibility: Employees may be hesitant to contact an external DPO with questions or problems.

Regardless of whether an internal or external DPO is chosen, the ultimate responsibility for data protection lies with the company. It is therefore advisable to carefully evaluate both internal capabilities and external options to ensure the optimal solution for your organisation.

Bottom line

Deciding whether and what type of DPO (internal or external) is best for your organisation should be based on a thorough assessment of your specific needs.

For more information and professional assistance, please visit the website of our partner, an experienced provider of external DPO services. Leverage their expertise to effectively manage your business in compliance with GDPR, while optimising data protection standards.
