BDSG and GDPR have high demands on the professional competence and independence of the data privacy officer (DPO).
Thus, an internal DPO enjoys similar job protection benefits as a member of the works council. Managers of HR, Legal or IT department may not be appointed as DPO due to conflicts of interest. The supervisory authorities demand permanent education of the named DPO. Depending on the company size, a full-time DPO may not be necessary.
The following may be a decision-making assistance
|External DPO||Internal DPO|
Substantial training expenditure to reach suitable qualification
Internal resources kept free
Engagement of internal resources
Training at the expense of the service provider
Regular further training at own expense required.
Literature available with the external DPO
Effort for technical literature
Incorporation into company specific operational conditions
Knowledge of company specific operational conditions
No right of co-determination of the works council when naming the data protection officer
(§ 99 BetrVG)
No employment relationship
Special protection against termination, termination of the employment relationship is only possible for important reasons
Experience from other companies
No experience from other companies
Neutral position (intermediary ability, for example between management and employees)
No neutral position within the company