Clear question, short answer:
Anyone who processes personal data is obliged to comply with the GDPR (EU General Data Protection Regulation) and the BDSG (German Federal Data Protection Act).
This includes groups of persons who are bound by professional or official secrecy, such as doctors, psychologists, therapists, lawyers and tax consultants.
Compare it with the rules of the road. As long as you are never stopped and nothing happens, you need not worry about penalties if you ignore speed limits, red lights or stop signs. However, if you are stopped, or are involved in an accident, perhaps even one that is not your fault, and you have not adhered to the rules, you will face severe consequences.
In the same way, a data protection violation can endanger your company through the significantly increased fines introduced by the EU General Data Protection Regulation.