Skip navigation

BDSG and GDPR have high demands on the professional competence and independence of the data privacy officer (DPO).

Thus, an internal DPO enjoys similar job protection benefits as a member of the works council. Managers of HR, Legal or IT department may not be appointed as DPO due to conflicts of interest. The supervisory authorities demand permanent education of the named DPO. Depending on the company size, a full-time DPO may not be necessary.

The following may be a decision-making assistance


External DPOInternal DPO

Existing qualification

Substantial training expenditure to reach suitable qualification

Internal resources kept free

Engagement of internal resources

Training at the expense of the service provider

Regular further training at own expense required.

Literature available with the external DPO

Effort for technical literature

Incorporation into company specific operational conditions

Knowledge of company specific operational conditions

Unrivaled approach

Blind to shortcomings in company processes

No right of co-determination of the works council when naming the data protection officer

In case of appointment (employment or relocation) the right of co-determination of the works council (§ 99 BetrVG)

No employment relationship

Special protection against termination, termination of the employment relationship is only possible for important reasons

Experience from other companies

No experience from other companies

Neutral position (intermediary ability, for example between management and employees)

No neutral position within the company

No conflict of interest

Possible conflict of interest