In the Federal Republic of Germany, §§ 4f, 4g BDSG currently regulate the appointment and tasks of the data protection officer. If there is a legal obligation to appoint one, companies often ask themselves whether the position should be filled by an internal employee or an external service provider. From the point of view of an unbiased third party, external service providers are often regarded as more independent.

What about medium-sized businesses?

In most cases, employees with the necessary knowledge of data protection law are only available in large corporations. Corporations often employ in-house lawyers who meet the necessary requirements. However, medium-sized companies usually do not have their own legal department. In smaller companies, the appointment of an external data protection officer can therefore pay off.

Who can be obliged to appoint?

A legal entity (stock corporation, limited liability company, etc.), a partnership under civil law (GbR), an association (union, political party, etc.) or a natural person (architect, doctor, etc.) may be obliged to appoint a data protection officer.

When do you have to appoint?

The prerequisite for the obligation to appoint is that personal data is processed as part of the activities of an organization. The first question that arises is therefore whether personal data is processed. If this is the case, the legal obligation to appoint a data protection officer depends on how many people are involved in the ongoing processing of this data (§ 4f BDSG).


The legal requirement to appoint a data protection officer results from § 4f BDSG. According to this provision, non-public bodies that constantly employ more than nine people in the automated processing of personal data must appoint a data protection officer.

The nine people do not necessarily have to be employees of the organization. Employees of external service providers (e.g. freight forwarders, customs offices, shipping service providers), freelancers and their employees (e.g. management consultants) and employees of third-party companies (e.g. call centers, credit insurance companies, receivables management companies, factoring companies, payroll accounting offices) can also be covered by the nine-person rule.

In this respect, even organizations that do not employ any employees can fall under the statutory obligation to appoint.


According to § 4f paragraph 1 sentence 1 BDSG, the data protection officer must be appointed in writing. The appointment must be made within one month after the respective data protection-related activity starts, § 4f paragraph 1 sentence 2 BDSG.

1. Is personal data processed?

If you can answer yes here, go on to step 2.

2. How many people are involved?

If there are more than 9 people, step 3 must be checked.

3. Is the processing automated?

If so, there is an obligation to appoint.
