Section 38 BDSG · Art. 37 GDPR

Do you need a Data Protection Officer?

Four trigger criteria decide whether you are obliged to appoint one under BDSG or GDPR. Our checker walks through them with you in 60 seconds, anonymously, without sign-up, without storing data.

60 s to complete · 0 data stored · 5 questions

Four triggers

One is enough

20+ people with automated processing

Section 38 BDSG

Core activity: large-scale monitoring

Art. 37 GDPR

Processing of special categories of data

Art. 9 GDPR

Public authority / public body

Art. 37 GDPR

No trigger? Voluntary appointment recommended.

Interactive checker

5 questions. A clear assessment.

Answer Yes or No. For every "Yes" on a trigger, the checker immediately shows whether the obligation applies, and on which legal basis.

DPO obligation checker

5 questions based on Section 38 BDSG and Art. 37 GDPR. No sign-up, no data stored.

DPO obligation check

1. Is a core activity of your company the large-scale, regular and systematic monitoring of data subjects?

   Examples: behavioral tracking, behavioral targeting, location tracking, AI-based personalization at large scale.

2. Is a core activity of your company the large-scale processing of special categories of data (Art. 9 GDPR)?

   Health data, biometric data, ethnic origin, religious or political beliefs, trade union membership, sex life or criminal-offense data.

3. Do at least 20 people, as a rule, constantly process personal data in an automated way?

   If 20 or more people permanently work with personal data, e.g. in the CRM, ERP, accounting or newsletter tool, Section 38 BDSG applies.

4. Does your company carry out processing that requires a data protection impact assessment?

   E.g. large-scale profiling, video surveillance of public areas, biometric identification, credit scoring.

5. Are you a public authority or public body (except courts acting in their judicial capacity)?

   Federal authorities, state authorities, municipalities, public-law institutions, universities.

This assessment does not replace legal advice. When in doubt, engage a DPO or a specialist IT lawyer.

What a violation risks

Art. 83(4) GDPR: up to 10 million EUR or 2% of worldwide group turnover, whichever is higher.

Pure appointment violations are 5,000 to 50,000 EUR in practice. But: a missing DPO function points to structural data protection deficits, and those draw further violations into the proceedings.

Three prominent cases

H&M

35.3 million EUR

2020 · HmbBfDI

Extensive employee monitoring in the service center. Personal data collected for years without a legal basis.

Deutsche Wohnen

14.5 million EUR

2019 · BlnBDI

Personal data of former tenants kept without necessity. Violation of storage limitation (Art. 5 GDPR).

AOK Baden-Württemberg

1.24 million EUR

2020 · LfDI BW

Data breaches in a member prize draw. Addresses processed further without valid consent.

Sources: press releases of the relevant supervisory authorities. The amounts stated are the fines originally imposed.

The legal bases

One EU norm. One German tightening.

Art. 37 GDPR defines three triggers for all of Europe. Section 38 BDSG adds the employee threshold for Germany, which no other EU country has in this form.

Art. 37 GDPR (EU)

Three constellations, obligation applies.

  • (a) Public authority / public body

    Federal government, states, municipalities, public-law institutions. Exception: courts acting in their judicial capacity.

  • (b) Core activity monitoring

    Large-scale, regular, systematic monitoring. Behavioral targeting, location tracking, AI profiling, large-scale web analytics.

  • (c) Core activity special data

    Large-scale processing of health, biometric, genetic, religious or trade union data.

Section 38 BDSG (Germany only)

A 20-person threshold on top.

Beyond the GDPR, Section 38(1) BDSG requires a DPO as soon as, as a rule, at least 20 people are constantly engaged in the automated processing of personal data.

"Working students, temps and interns count too if they regularly work in the CRM, ERP or newsletter tool. The threshold is reached faster than most people think."

2019 update: the old 10-person rule was raised to 20 with the BDSG reform. Anyone planning with the 10-person threshold is using outdated figures.

Even without an obligation

Three reasons to appoint one voluntarily.

Investor hygiene factor

By Series A at the latest, VCs expect a DPO plus records of processing and a DPIA workflow. Early structures cost less than retrospective remediation.

Enterprise sales readiness

Large customers require proof of an appointed DPO during vendor onboarding. Without a DPO, you fail at the first compliance question.

Growth threshold

With rapid hiring, the 20-person threshold tips within 6–12 months. Organizing it retroactively is unpleasant; doing it proactively is cheap.

What does a voluntary DPO cost? View costs.

Frequently asked questions about the obligation

Request an external Data Protection Officer (DPO)

We match you with a certified DPO from the Kopexa partner network, matched to your industry, location and language. Response within one business day.

A partner network, not a lone consultant

Access to certified DPOs with a range of industry specializations.

Complete GRC suite in the Pro plan

Kopexa Pro (599 EUR/month): unlimited frameworks, OSCAL support, vendor and asset management, cross-framework mapping, audit & assessments. Not just DPO tooling.

Transparent flat-rate pricing

DPO flat rate and platform license shown separately. No hidden tool costs.

By submitting, you agree to our Privacy Policy.