The German Federal Data Protection Act (BDSG) oblige a data privacy officer (DPO) to companies in which more than nine persons are regularly processing personal data.
The BDSG expressly mentions persons and not employees. Therefore Employees of service providers (for example payroll accounting) must be included as well.
The EU-GDPR requires the appointment of a DPO from all companies processing special categories of data pursuant to Article 9 (for example, health data), irrespective of the number of persons processing personal data.
The DPO function can be taken over by own employees as well as by external experts.
Even if you are not obliged to appoint a DPO, you are nevertheless obliged as an owner / managing director to ensure data privacy required by law.
An external expert taking over the DPO role will help you.