Structural limits of DPO independence: Is there a need for reform?

The most important thing in advance

In the exercise of their activities, data protection officers (DPOs) are protected by law against instructions, penalisation and conflicts of interest. The wording of Article 38 GDPR, the case-law of the CJEU and the EDPB's 2023 Coordinated Enforcement Framework (CEF) action leave no doubt about this. The weakness lies not in the legal text but in its enforceability against structural pressures.

In this article we analyse where the normative guarantees end, where organisational practice fails, and what this means for the ongoing debate on abolishing § 38 BDSG.

Why this post is important now

On 4 December 2025, the Minister-Presidents' Conference adopted a resolution providing for the repeal, by the end of 2026, of § 38(1) of the Federal Data Protection Act (BDSG), the provision that imposes Germany's national obligation to designate data protection officers over and above the designation duties of Art. 37 GDPR.

As early as January 2024, the EDPB had published the results of its 2023 CEF action on the designation and position of DPOs: a survey of more than 17,000 organisations across 26 Member States showed that, in a significant share of organisations, independence and adequate resources are systematically lacking and conflicts of interest occur regularly.

Is less regulation the answer to structural implementation deficits? The current political logic appears to start precisely here, and this article subjects it to critical scrutiny.

What Art. 38 GDPR actually guarantees the DPO

Article 38 GDPR contains protective provisions whose scope is often underestimated in practice:

Freedom of instruction (Art. 38(3), first sentence)

DPOs must not receive any instructions regarding the exercise of their tasks. According to the WP29 Guidelines on Data Protection Officers (WP 243 rev.01), endorsed by the EDPB, this also covers any form of informal influence on risk presentations, the content of reports, audit methods and the communication of compliance reports to management bodies.

Prohibition of penalisation (Art. 38(3), second sentence)

DPOs may not be dismissed or penalised for performing their tasks.

The term 'penalised' is to be interpreted broadly and, according to the CJEU (C-534/20, Leistritz, 22.06.2022), covers any measure with a sanctioning effect that results from the exercise of the DPO's legal duties.

Direct reporting line (Art. 38(3), third sentence)

DPOs report directly to the highest management level. This is not an organisational preference but a normative requirement that excludes disciplinary embedding in operational hierarchies.

Prohibition of conflicts of interest (Art. 38(6))

Other tasks and duties assigned to the DPO must not result in a conflict of interests.

In C-453/21 (X-FAB Dresden, 09.02.2023) the CJEU clarified that a conflict of interest already exists as soon as a DPO, in another function, determines the purposes or means of data processing.

What the case-law has specified

CJEU C-534/20, Leistritz (22.06.2022): the prohibition of penalisation applies directly

The CJEU held that the German special protection against dismissal under § 6(4) BDSG (extended to private bodies by § 38(2) BDSG) is compatible with EU law, provided it does not compromise the objectives of the GDPR, and at the same time confirmed that the prohibition of penalisation in Art. 38(3), second sentence, GDPR is directly applicable and operates independently of national dismissal law.

Disciplinary measures, career disadvantages or structural obstruction of task performance imposed in response to the exercise of legal duties fall within this scope of protection.

CJEU C-453/21, X-FAB Dresden (09.02.2023): conflict of interest is to be understood broadly

The Court stressed that the 'functional independence' of the DPO, as a protective objective of the GDPR, requires a broad interpretation. A conflict of interest therefore exists where the DPO, in another function, exercises influence over the purposes and means of processing, because independent monitoring is practically impossible under these conditions.

Both CJEU judgments, from 2022 and 2023, have significantly sharpened the legal protection framework.

The Federal Labour Court (BAG) has followed these decisions and integrated them into German labour law (BAG, 25.08.2022, 2 AZR 225/20, following Leistritz; BAG, 06.06.2023, 9 AZR 383/19, following X-FAB).

Where practice fails

The EDPB's 2023 CEF action provided the first Europe-wide inventory of DPO practice. Whether and to what extent this inventory is empirically robust is not examined further here.

It does, however, identify the following main shortcomings: lack of independence, no or insufficient direct reporting line, conflicts of interest and resource deficits.

Recurring structural patterns can also be derived from the practice of national supervisory authorities.

Disciplinary subordination to operational management

DPOs are subordinated to executives who themselves bear operational responsibility for data protection.

This already structurally violates the requirement of Art. 38(3), third sentence, GDPR, regardless of whether instructions are actually given in individual cases.

Paal/Pauly put it as follows: 'The de facto dependence of an employee on his or her superior cannot be completely dissolved by formal assurances of freedom from instruction.'

Filtering of risk reports

The DPO's risk reports are modified or withheld before being passed on to management bodies. The governing body then receives an incomplete picture of data protection compliance, which constitutes a violation of Art. 38(3), first sentence, GDPR in conjunction with the advisory mandate under Art. 39(1)(a) GDPR.

Obstruction of the monitoring task

DPOs are prevented from initiating analyses or assessments, commissioning external auditors or independently taking stock of data protection compliance.

This is a direct violation of Art. 39(1)(b) GDPR. The monitoring task is not a recommendation but a legal obligation.

Time asymmetry in internal investigations

If DPOs report restrictions or obstruction internally and an investigation is initiated, there is no explicitly standardised interim protection until that investigation is completed.

If the investigation takes too long, the DPO will have left the company before the result is available. The outcome of the internal investigation, even if it confirms a breach of the rules, then no longer has any protective effect.

Conflicts of interest through operational delegation

The systematic transfer of operational data protection tasks to DPOs makes them both the monitoring body and the monitored party in one person, a constellation that Art. 38(6) GDPR and the case-law of the CJEU expressly prohibit.

What this means for the debate on § 38 BDSG

The patterns shown lead to a conclusion that directly contradicts the political reform project: the normative basis of all these safeguards is the formal designation.

Anyone who is not formally designated as a DPO does not enjoy the full prohibition of penalisation, the special protection against dismissal or the right to involvement under Art. 38(1) GDPR.

The abolition of § 38 BDSG therefore does not merely remove an organisational obligation; it erodes the institutional basis on which all the protection guarantees are built.

The conclusions the EDPB itself draws from its CEF reports point in the opposite direction to the German reform project: it recommends more enforcement, more structural protection and more oversight, not less regulation.

In its own evaluation of the BDSG, the Federal Ministry of the Interior (BMI) concludes that DPOs play an important role as contact persons for the supervisory authorities and opposes reducing the obligation to designate them.

The crucial question is therefore not whether companies need DPOs. It is rather: how are DPOs protected when they fulfil their tasks and duties?

What 2fink Consulting derives from this

Structural DPO independence does not arise from laws and case-law alone.

It arises from conscious organisational decisions that detach the DPO from operational dependency. Under the conditions described, external DPOs are the consistent answer: no disciplinary or career-related motive for (self-)censorship, and no employment-law dependence on the controller.

2fink Consulting checks for your company:

  • Is the DPO really structurally independent, or only formally?

  • Does the disciplinary reporting line meet the legal requirements?

  • Are there conflicts of interest due to operational delegation?

  • Is the reporting line to top management really direct?

The most important findings at a glance

  • Art. 38 GDPR guarantees freedom from instructions, a prohibition of penalisation, a direct reporting line and protection against conflicts of interest; the CJEU further strengthened these guarantees in 2022 and 2023

  • The EDPB's CEF 2023 shows that, for a significant proportion of participating organisations, the legal protection framework is structurally ineffective

  • Five recurring patterns undermine DPO independence, from disciplinary subordination to time asymmetry in internal investigations

  • The legal protection framework of Art. 38 GDPR is tied to the formal designation; abolishing § 38 BDSG weakens not only the organisational obligation but the entire protection framework

  • External DPOs structurally eliminate employment-law dependency and are the consistent response to the weaknesses identified

Frequently Asked Questions (FAQ)

Only if the divisional manager has no operational data protection responsibility and the DPO's freedom from instructions is structurally guaranteed.

In practice this is rarely the case. Subordination to the CCO, the head of IT or the head of HR regularly constitutes a violation of Art. 38(3), third sentence, GDPR.

A conflict of interest exists if the DPO decides (or is supposed to decide) on the purposes or means of data processing. Combining the DPO role with that of CCO, head of IT or a data protection manager with operational responsibility is therefore usually problematic.

No. Initiating a data protection assessment is part of the statutory monitoring task under Art. 39(1)(b) GDPR.

A warning issued on account of this performance of duties is a clear violation of the prohibition of penalisation in Art. 38(3), second sentence, GDPR.

Anyone who is not formally designated loses, above all, the legal protection framework and the statutory special protection against dismissal.

BUT: the GDPR obligations remain, including the GDPR's own duty to designate a DPO under Art. 37 GDPR; without a formal designation, however, the DPO's protection architecture is significantly weakened. Under the national rule in § 38 BDSG, designation is mandatory in Germany as a rule as soon as at least 20 persons are regularly and permanently engaged in the automated processing of personal data.

Yes, and under the structural conditions described often even more effectively: external DPOs are not subject to disciplinary subordination, pursue no career interests within the company and can terminate the mandate instead of yielding to structural pressure.

Art. 38 GDPR applies to external DPOs in the same way.

Conclusion: Not less regulation, but more enforcement

The normative protection framework for DPOs is legally consolidated.

The weakness lies in its enforceability against structural pressures and in the lack of safeguards in internal conflicts.

The correct policy response to the EDPB's CEF 2023 report is therefore targeted improvement of enforceability, not dismantling the basis on which the protective framework is built.

Read more

We will soon publish our white paper and a checklist here.

Resources & Basics

Art. 38(2), (3) and (6) GDPR | Art. 39(1)(a) and (b) GDPR | Art. 83(4) GDPR | § 38 BDSG | § 6(4) BDSG | CJEU C-534/20 (Leistritz, 22.06.2022) | CJEU C-453/21 (X-FAB Dresden, 09.02.2023) | BAG 2 AZR 225/20 (25.08.2022) and 9 AZR 383/19 (06.06.2023) | Guidelines on Data Protection Officers ('DPOs'), WP 243 rev.01 | Coordinated enforcement on the designation and position of data protection officers (DPOs), EDPB Report 2023 | EDSB Supervisory Guidance DPO, 18.12.2025 | Kühling/Buchner, DS-GVO BDSG, 4th ed. 2024 | Paal/Pauly, DS-GVO BDSG, 3rd ed. 2021. Research and formatting of this paper was supported by Claude Sonnet 4.6 Thinking.