Legal Obligation to appoint a Data Protection Officer

In the Federal Republic of Germany, §§ 4f, 4g FDPA regulate the appointment and duties of the data protection officer. If there is a legal obligation to appoint one, enterprises often ask themselves whether the position should be filled by an internal employee or an external service provider. The latter are often seen as more independent from the perspective of the impartial third party.

How is it in the middle-sized Sector?

Usually, employees with the necessary knowledge of data protection law are only available in the large corporation. Corporations often employ in-house lawyers that fulfill the necessary prerequisites. However, middle-sized enterprises generally do not have separate legal departments. In smaller companies, the appointment of an external data protection officer may therefore be expected.

Who may be subject to the Appointment Duty?

Legal person (stock company, limited liability company, etc.), a partnership under civil law (GbR), an association (trade union, party etc.) or a natural person (architect, physician etc.) may be subject to the duty to appoint a data protection officer.

When shall the Appointment be carried out?

A prerequisite for designation is that the processing of personal data takes place within the framework of the activity of an organization. The question arises, therefore, as to whether personal data are processed. If this is the case, the statutory obligation to appoint a data protection officer depends on how many persons are involved in the continuous processing of this data (§ 4f FDPA).


The statutory requirement for appointing a data protection officer is set out in § 4f FDPA. According to this provision, non-public bodies in which more than nine persons are permanently engaged in the automated processing of personal data have to appoint a data protection officer.

The nine persons do not have to be employees of the organization. Employees of external service providers (e.g. freight forwarders, customs offices, shipping service providers), freelancers and their employees (e.g. company consultants) and third-party employees (e.g. call centers, credit insurances, claims management companies, factoring companies, salary bureaus) may be covered by the nine persons rule.

In this respect, even organizations that do not employees can be subject to the statutory appointment requirement.


Pursuant to § 4f (1) sentence 1 FDPA, the data protection officer must be appinted in writing. He or she is to be ordered within one month after the commencement of the activity relevant to the data protection, § 4f (1) sentence 2 FDPA.

1. Are Personal Data processed?

If you can respond with “yes”, proceed to Step 2.

2. How many Persons are involved?

When more than 9 persons are involved, Step 3 should be examined.

3. Is that the Case of Automated Processing?

If yes, there is an obligation to appoint.