In most cases, employees with the necessary knowledge of data protection law are only available in large corporations. Corporations often employ in-house lawyers who meet the necessary requirements. However, medium-sized companies usually do not have their own legal department. In smaller companies, the appointment of an external data protection officer can therefore pay off.
A legal entity (stock corporation, limited liability company, etc.), a partnership under civil law (GbR), an association (union, political party, etc.) or a natural person (architect, doctor, etc.) may be obliged to appoint a data protection officer.
The prerequisite for the obligation to order is that personal data is processed as part of the activities of an organization. The first question that arises is therefore whether personal data is processed. If this is the case, the legal obligation to appoint a data protection officer depends on how many people are involved in the ongoing processing of this data (§4f BDSG).
The legal requirement to appoint a data protection officer results from § 4f BDSG. According to this provision, non-public bodies that constantly employ more than nine people with the automated processing of personal data must appoint a data protection officer.
The nine people do not necessarily have to be employees of the organization. Employees of external service providers (e.g. freight forwarders, customs offices, shipping service providers), freelancers and their employees (e.g. management consultants) and employees of third-party companies (e.g. call centers, credit insurance companies, receivables management companies, factoring companies, payroll accounting offices) can be excluded from the nine people -Rule be recorded.
In this respect, even organizations that do not employ any employees can fall under the statutory obligation to appoint.