BDSG and GDPR have high demands on the professional competence and independence of the data privacy officer (DPO).
Thus, an internal DPO enjoys similar job protection benefits as a member of the works council. Managers of HR, Legal or IT department may not be appointed as DPO due to conflicts of interest. The supervisory authorities demand permanent education of the named DPO. Depending on the company size, a full-time DPO may not be necessary.
The following may be a decision-making assistance
| External DPO | Internal DPO |
|---|---|
Existing qualification | Substantial training expenditure to reach suitable qualification |
Internal resources kept free | Engagement of internal resources |
Training at the expense of the service provider | Regular further training at own expense required. |
Literature available with the external DPO | Effort for technical literature |
Incorporation into company specific operational conditions | Knowledge of company specific operational conditions |
Unrivaled approach | Blind to shortcomings in company processes |
No right of co-determination of the works council when naming the data protection officer | In case of appointment (employment or relocation) the right of co-determination of the works council (§ 99 BetrVG) |
No employment relationship | Special protection against termination, termination of the employment relationship is only possible for important reasons |
Experience from other companies | No experience from other companies |
Neutral position (intermediary ability, for example between management and employees) | No neutral position within the company |
No conflict of interest | Possible conflict of interest |