The Bundestag recently passed the second Data Protection Adaptation and Implementation Act, according to which companies with fewer than 20 employees will no longer be obliged to establish a data protection officer.
Susanne Dehmel, member of the Bitkom Management Board for Security and Law, comments on this: "The law will not oblige companies with less than 20 employees to appoint a data protection officer:
"For small companies, the adjusted duty of a data protection officer is initially a relief. But even the smallest companies will continue to have to struggle with the still existing legal uncertainties of the basic data protection regulation. The fundamental problem remains: Even without an appointed data protection officer, all requirements must be met and complied with. In the forthcoming evaluation of the GDPR, policymakers must therefore make improvements. What we need is a departure from the one-size-fits-all approach of the GDPR. Startups or clubs must be regulated differently from large corporations. The type and scope of data processing should then be decisive."