
Your 20-Employee DPO Trigger May Disappear

Immo Ait Stapelfeld · Rechtsanwalt · 2 min read

If your startup has 20 or more people processing personal data, German law currently requires a data protection officer (Datenschutzbeauftragter). That rule lives in § 38 Abs. 1 BDSG. It may not survive 2026.

The Ministerpraesidentenkonferenz resolved on December 4, 2025 that the federal government shall propose repealing § 38 Abs. 1 BDSG by year-end 2026. The stated goal: reduce bureaucracy for small and mid-sized businesses. A similar proposal failed in the Bundesrat in March 2024, but the renewed mandate from all 16 state premiers gives it more weight.

If the repeal goes through, only Art. 37 GDPR applies. That provision triggers a DPO obligation not by headcount but by risk: your core activities must involve large-scale systematic monitoring of individuals or large-scale processing of special category data. Most early-stage startups with standard B2B operations would fall outside this trigger. SaaS companies processing significant volumes of user data likely still qualify.

The practical catch: you lose a bright-line rule and gain an abstract standard. Instead of counting heads, you evaluate processing scope, and that assessment is on you.

I advise keeping your current DPO arrangements in place. The repeal is a political commitment, not law. Monitor the legislative process. If it passes, review your GDPR obligations and assess whether Art. 37 GDPR covers your operations before making changes.
