Data Protection Commissioner
Public and non-public organisations that process personal data automatically must order a data protection commissioner. As well, if personal information is collected, processed or used in other ways. A data protection officer for non-public bodies must in principle be ordered in writing;
(Art. 37 DSGVO designation of a data protection officer)

Qualification
A data protection officer must have the necessary expertise and reliability in the area of data protection and IT security, which is based on the complexity of the data processing and the size of the organization.
Duties of a data protection officer
Art. 39 GDPR
A Data Protection Officer advises organizations on:
compliance
• Compliance assurance of the processing of personal data and special categories of personal data
(Art. 6-10 EU-DSGVO, §§ 22-24 BDSG)
data processing
• Processing of personal data with other responsible persons
(Art. 26 EU-GDPR)
• Processing of personal data for automated decisions including profiling
(Art. 22 EU-DSGVO, § 37 BDSG)
• Processing of personal data on behalf
(Art. 28 EU-GDPR)
• Processing of personal data for employment purposes
(Section 26 BDSG)
organization obligations
• Compliance with and implementation of information requirements when collecting personal data
(Articles 13, 14 EU-DSGVO, §§ 32, 33 BDSG)
• Compliance and implementation of the right to object to the processing of personal data
(Art. 21 EU-DSGVO, § 36 BDSG)
• upholding the rights of those affected
(Art. 15-20 EU-DSGVO, §§ 34, 35 BDSG)
• Creation and maintenance of directories of processing activities
(Art. 30 EU-GDPR)
• Procedures for action in the event of personal data protection breaches and related reporting obligations
(Art. 33, 34 EU-GDPR)
Technical reviews
• Assessment and implementation of technical and organizational measures and presettings
(Articles 24, 25, 32 EU-GDPR)
• Conducting risk assessments of personal data processing to evaluate privacy impact assessments
(Art. 35 EU-GDPR)
• Transfers of personal data to third countries
(Articles 44-49 EU-GDPR)
• Video surveillance in public areas or rooms
(§ 4 BDSG)
Position
If a data protection officer is appointed, the responsible management of the organization must publish the contact data and communicate the order to the supervisory authority together with the contact details. An intentional or negligent failure to appoint a company data protection officer constitutes a fines offense.
There is currently no explicit provision in the GDPR. There is a line position, e.g. recommended as company manager. An external order, as data protection representative in a staff position in direct assignment of the management is permissible. (Art. 38 GDPR - Position of the Data Protection Officer).

QHSE Compliance Division Europe