Liability of the internal data protection officer

by Manfred Wöller

Management should keep an eye on their internal data protection officers (DPOs) and stay informed about the current status of data protection. An inattentive DPO can quickly become a problem for management.


Exactly five months have passed since May 25, 2018, when the General Data Protection Regulation (GDPR) became applicable. One of my many lessons learned is that not all DPOs in companies are aware of their duties. It is possible that someone does not have the necessary expertise. Or perhaps some have simply been thrust into this role?

If a responsible party (the controller) simply imposes the role of DPO on an employee, it should keep in mind that under the GDPR it always remains responsible itself. Management is also responsible for the actions (or inactions) of the DPO.

Given this legal obligation, every responsible party should ensure the competence of its DPO by providing continuous training. Only then will the DPO be able to carry out his or her tasks in compliance with the GDPR.


Either way, management, not the DPO, is always the responsible party in the sense of the GDPR and answers for data protection-relevant events. The DPO is only responsible for ensuring that the GDPR and the BDSG (German Federal Data Protection Act) are implemented in the company. Only if the DPO acts with gross negligence or intent is he or she subject to the limited liability that applies to employees; in that case the German Civil Code (BGB) applies. With an external DPO, the situation is quite different.

Liability of the external data protection officer

The external data protection officer shall be liable for any fault in connection with the performance of his duties.

"The data protection officer shall be appointed on the basis of his professional qualifications and, in particular, the expertise he possesses in the field of data protection law and practice, as well as on the basis of his ability to perform the tasks referred to in Article 39 GDPR." (Art. 37(5) GDPR)

The DPO's responsibilities include:

  • Informing and advising the controller
  • Monitoring compliance with the GDPR
  • Raising awareness and training employees
  • Advice in connection with the data protection impact assessment


When it comes to liability issues, the advantage clearly lies with appointing an external data protection officer, who by the nature of the role also brings the necessary expertise.