What the DPO Requirement Check evaluates
The DPO Requirement Check evaluates, per Art. 37 GDPR and § 38 BDSG, whether your organization is subject to a DPO appointment obligation. Decision tree with the 20-staff threshold, core activity, and special categories of personal data.
Legal foundations
GDPR Art. 37(1) (core activity, special categories); BDSG § 38 (20-person threshold; reform status 2026 editable in the Admin CMS). Placeholder — Phase 46 provides the editable ContentBlock.
How the check works
1. Provide staff count and core activity 2. Answer questions on processing of special categories under Art. 9 GDPR 3. Receive a clear yes/no verdict with statutory references
Your benefits
• Free and without registration • § 38 BDSG reform status up to date • Clear decision tree instead of gray area • Legal status April 2026
Frequently asked questions
- How many employees trigger a mandatory DPO?
- Per § 38(1) BDSG, from 20 people constantly engaged in automated processing of personal data. Independently, Art. 37 GDPR (core activity, special categories) may apply earlier.
- What counts as a core activity under Art. 37 GDPR?
- Processing without which the core business would not be possible — e.g., customer data for online shops, patient data in medical practices.
- Can the DPO be internal or external?
- Both are permitted. External DPOs often have better subject-matter independence; internal DPOs are more cost-effective when there are multiple areas of responsibility.
This initial assessment is not legal advice and does not replace consultation with a qualified lawyer. Legal status: April 2026.