DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 17 December 2024

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last review date: 17 December 2024

Yes.

If yes, under what circumstances?

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data
  • the organization employs more than a certain number of individuals in the jurisdiction:
    if an organization, as a rule, constantly employs at least 20 persons dealing with the automated processing of personal data
  • other:
    if an organization undertakes processing subject to a data protection impact assessment pursuant to Art. 35 GDPR, or if it commercially processes personal data for the purposes of transfer, anonymized transfer or for market or opinion research

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 17 December 2024

Yes.

If yes, what are these requirements?

  • legal qualifications / experience
  • other professional qualifications / experience

Pursuant to Art. 37 para. 5 GDPR, the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the DPO's tasks.

Pursuant to the Guidelines on Data Protection Officers, WP 243 rev. 01 of the Art. 29 Working Party, endorsed by the European Data Protection Board, the DPO's relevant skills and expertise include:

  • expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
  • understanding of the processing operations carried out;
  • understanding of information technologies and data security;
  • knowledge of the business sector and the organization; and
  • ability to promote a data protection culture within the organization.

Pursuant to the guidelines, the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 17 December 2024

No.

The exception is the requirement to consult the data protection authority prior to the processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Art. 36 GDPR).