The design of the data protection organization is one of the most controversial data protection topics. This page gives you an overview and answers important questions:
Intro: What are the most important facts about data protection organization?
Requirements: What does the law say about data protection organization?
Duties: What specific measures need to be implemented when it comes to data protection organization?
A functioning data protection organization is important in order to be able to implement the legal data protection obligations professionally and on time. First of all, a clear definition of roles and responsibilities is important.
If certain criteria are met, the company must appoint a data protection officer, who can be either an external (consultant) or internal (employed by the company) data protection officer.
In larger companies in particular, additional roles are needed to cope with the considerable implementation workload. So-called data protection coordinators, for example, can help to anchor data protection in the specialist departments by providing topic-specific training and documenting data processing issues. The legal department can then review that documentation in an already prepared form.
In a global group, the formation of so-called data protection hubs is a good idea. These ensure that local law and group requirements are complied with.
The obligation to maintain a data protection organization arises implicitly from various obligations of the GDPR. For example, the obligation to be able to demonstrate compliance with data protection law requires that appropriately competent persons in the company deal with the individual obligations and that reporting and implementation structures are in place.
The controller, i.e. usually the company itself, represented by the board of directors or management, is responsible for maintaining a data protection organization. The management is also obliged to appoint a data protection officer if this is required by law. If the company is not based in the EU/EEA and products are marketed specifically to persons in the EU/EEA or their behavior is monitored/tracked, a so-called EU representative may also need to be appointed.
The exact structure of a data protection organization is not regulated by law. It is important that it is appropriate to the size and special features of the company. Responsibilities must be clearly defined and named, e.g. in guidelines. Any necessary appointment of a data protection officer should also be made transparent within the company.