How much does a privacy policy cost

Who needs a data protection officer?

The Federal Data Protection Act (BDSG) defines when a company is obliged to appoint a data protection officer. A legal obligation exists in the following three cases:

  • The company employs at least nine people who process personal data by automated means. Whether they are permanent employees, freelancers or temporary workers is irrelevant. If this work is carried out on a computer, it can be assumed that the data is processed automatically. The legal basis is § 4f Paragraph 1 Sentence 3 BDSG.
  • The company transmits, collects or processes personal data on a business basis. Examples of such companies are credit agencies, address publishers or market research companies. In that case the number of employees does not matter. The legal basis is § 4f Paragraph 1 Sentence 5 BDSG.
  • The company processes particularly sensitive data, such as creditworthiness or health data. In such a situation, regardless of the number of employees, there is a fundamental obligation to appoint a data protection officer. The legal basis is § 4f Paragraph 1 Sentence 5 BDSG.

Personal data are individual details that provide information about a person's personal or factual circumstances. These include:

  • Name, age, marital status, date of birth
  • ID card number, social security number
  • Address data as well as telephone number, email address
  • Account and credit card number
  • Motor vehicle number, license plate
  • Health data and genetic data
  • Value judgments such as certificates
  • Criminal record

The personal data that companies process is predominantly customer data. However, it must not be forgotten that personnel data are also personal data and must therefore be taken into account in the context of data protection.

The form in which relevant data is processed and, for example, saved, does not matter. Therefore, audio recordings, photos, videos or x-rays can also be classified as personal data.

A data protection officer ensures that no mistakes are made when handling this data, so that the company is on legally safe ground. If the appointment of a data protection officer is not required by law, the company management must ensure data protection itself. It also has the option of voluntarily appointing an external data protection officer.

Here you can find out more about the tasks of a data protection officer.