What is a DPO?

Article 37 of the GDPR is amended by §38 of the Federal Data Protection Act (BDSG 2017):

"Data Privacy Officer (DPO)"
  "(1) Public and non-public bodies where 10 or more employees are involved with collection, processing or the use of personal data by automated means shall appoint a data privacy officer in writing in due course."
  The law requires the DPO to possess the necessary expertise and reliability. High standards apply especially to his/her expertise:

  • He/she shall be able to apply the data privacy laws of the federation and the federal states (of Germany), and all other regulations concerning data privacy.
  • He/she shall understand the organizational structures of the business concerned, and shall understand current IT applications.
  • It is expected that the DPO shows sensitivity in relating to people, is able to present himself/herself and has organizational talent.
  • He/she shall be able to resolve conflicts related to his/her person, position and function in a reasonable way.

The DPO should preferably have extensive experience with general business procedures, and should not be limited to one field, such as that of an IT specialist or lawyer. It is frequently difficult to find a suitable candidate within your own organization, because the people in question are either already overloaded or have conflicts of interest. The IT manager will hardly be able to supervise himself objectively.