Germany's Thuringia Data Protection Authority has published its seventh annual report on data protection under the General Data Protection Regulation, addressing a question that has quietly divided compliance professionals for years: can a single organisation appoint more than one data protection officer? The answer, according to the authority, is almost always no.
The report, covering the period from 1 January 2024 to 31 December 2024, was finalised in November 2025 and published by Tino Melzer, the Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit (TLfDI), who took office on 1 March 2024 after being elected on 2 February of that year. Dr. Carlo Piltz, a partner at Piltz Legal, drew attention to the report's position on the DPO appointment question in a LinkedIn post published this week, summarising the authority's stance as "Two DPOs is one too many."
The legal framework
The question of multiple DPOs sits at the intersection of Article 37 GDPR and Section 5 of the German Federal Data Protection Act (Bundesdatenschutzgesetz). According to the annual report, data protection law does allow a degree of flexibility in how organisations appoint their DPO. A group DPO for affiliated companies is permitted, as is a shared DPO across multiple public bodies. External DPOs are also allowed, and the internal DPO may work full-time or part-time, or be supported by a team in larger organisational units. But the appointment of two parallel DPOs with equivalent authority is a different matter entirely.
The Thuringia authority reaches its conclusion by examining the legal status of the DPO role. According to the report, "aus der Rechtsstellung des Datenschutzbeauftragten als Ansprechpartner der Behörden- oder Geschäftsleitung, der in Wahrnehmung der ihm übertragenen Überwachungs- und Beratungsaufgaben weisungsfrei ist, ergibt sich vielmehr, dass pro Verantwortungsbereich nur eine Person mit dem Amt des Datenschutzbeauftragten betraut werden kann" - meaning that the DPO's position as an independent point of contact for management, free from instructions in carrying out monitoring and advisory tasks, means only one person per area of responsibility can hold the role.
Neither the GDPR nor the German Federal Data Protection Act, the report notes, recognises the concept of a deputy DPO with equal rights and responsibilities. A deputy may step in only when the primary DPO faces prolonged absence - due to illness, annual leave, or parental leave. In specific circumstances, a deputy can also take over when a conflict of interest arises.
Why one DPO and not two
The reasoning goes beyond semantics. If an organisation were permitted to appoint two DPOs with identical authority, management could in practice choose which one to consult depending on the issue at hand. According to the annual report, this would contradict the broad non-disadvantage principle under Article 38(3)(2) GDPR, which protects the DPO's independence and prevents discriminatory treatment linked to the exercise of the role.
There is a further concern. Two DPOs with unrestricted access to data and processing activities means more individuals than necessary holding that access. This creates privacy risks that the regulation was designed to limit, not multiply.
The authority's position also addresses the specific scenario of appointing a dedicated DPO solely for employee data protection matters - a practice sometimes considered in larger organisations with complex HR structures. This too is ruled out. The reason: employee data protection cannot be cleanly separated from an organisation's general data protection compliance, making a meaningful division of responsibilities impossible in practice. According to the report, "die Aufgabe nur mit einem Gesamtüberblick über die Tätigkeit des Verantwortlichen effektiv wahrgenommen werden kann" - the task can only be performed effectively with a comprehensive overview of the controller's entire activities.
When multiple DPOs are permissible
The report does allow for exceptions, but they are narrow. Multiple DPOs may be appointed where a genuine and clear separation of responsibilities within the organisation is both possible and meaningful. The key phrase from the report: "Das Amt des Datenschutzbeauftragten lässt sich nur aufteilen, wenn innerhalb einer Behörde oder eines Unternehmens eindeutige Abgrenzungen der Zuständigkeiten möglich und sinnvoll sind."
Where such a division does apply, strict procedural consequences follow. Each DPO must have a separate contact address - a shared postal address, shared email address, or unified contact form is not permitted, as this would undermine the confidentiality of communications. Each DPO's contact details, along with a description of their specific area of responsibility, must be included in the privacy notices required under Articles 13 and 14 GDPR. The details must also be published in an accessible format - such as on an intranet or public website - and notified to the TLfDI, ideally through the DPO registration portal at https://tld.dsb-meldung.de, pursuant to Article 37(7) GDPR.
The authority also clarifies that a DPO team does not constitute a multiple-DPO situation. When one individual holds the DPO role but is supported by a team of colleagues, the authority treats the arrangement as a single DPO structure - unobjectionable in principle. This distinction matters for organisations scaling their privacy function without crossing into the problematic territory of parallel, co-equal DPO appointments.
Statistical context from the annual report
The DPO guidance does not appear in isolation. The 2024 annual report presents a detailed picture of data protection enforcement in Thuringia over the year. The TLfDI received 19,042 items of correspondence in 2024, down from 21,334 in the prior year. The authority opened 135 fine proceedings - an increase of approximately 17 percent compared to the previous year - though only five resulted in a formal fine notice during the reporting period. In total, 38 fine notices were issued across 2024.
Data breach notifications under Article 33 GDPR reached 330, representing an increase of roughly 10 percent over the prior year. The authority received 468 complaints under Article 77(1) GDPR, nearly 13 percent more than the year before. Of those, 163 concerned controllers in the public sector and 305 related to non-public sector entities.
In terms of corrective measures under Article 58(2) GDPR, the authority took 43 actions in total - 18 in the public sector and 25 in the non-public sector. Thirty-eight reprimands were issued, split between 18 in the public sector and 20 outside it. Unauthorised video surveillance remained a dominant enforcement theme, with fine notices concentrated against operators of unlawful camera systems. Eight fine notices related to police-sector violations, continuing a trend from prior years.
Tino Melzer noted in his foreword that the scale of the authority's tasks is growing faster than its staffing. "Die personelle Ausstattung des TLfDI ist bereits für das bisherige Beschwerdeaufkommen zu knapp bemessen," he wrote - the TLfDI's staffing is already too thin for the current volume of complaints. He called on the Thuringia legislature to continue the path of administrative digitalisation while maintaining constitutional principles and ensuring the authority remains capable of action.
Broader regulatory landscape
The Thuringia report's DPO guidance sits within a rapidly shifting European regulatory environment. The European Data Protection Supervisor adopted Decision 01/2026 on 16 January 2026, establishing binding rules requiring prior consent from the EDPS before any EU institution can dismiss a DPO before the end of their designated term. Published in the Official Journal on 29 January 2026 and entering into force on 18 February 2026, the decision reinforces DPO independence across EU institutions and bodies. That framework built on EDPS supervisory guidance issued on 18 December 2025, clarifying the DPO's role and tasks within EU institutions.
Germany's data protection landscape has seen significant movement beyond the DPO question. The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) agreed in June 2025 on model guidelines for unified fine procedures across German jurisdictions - a response to persistent enforcement disparities. At the European level, the European Data Protection Board and European Data Protection Supervisor issued a joint opinion on 10 February 2026, strongly opposing proposed changes to the definition of personal data in the European Commission's Digital Omnibus package.
The French data protection authority CNIL had earlier published research in July 2025, based on a survey of 3,625 DPOs conducted in January 2024, finding that organisations taking a positive approach to GDPR compliance often find DPO appointments financially advantageous rather than purely cost-generating. The study's fourth edition was the largest of its kind. A German court ruling approached the DPO role from a different angle: the Higher Regional Court of Karlsruhe decided on 12 January 2021 that DPOs serve an advisory function and are not obligated to provide specific data processing disclosures to individuals.
The Thuringia report also devotes considerable attention to the EU AI Act, which entered into force on 1 August 2024. According to the report, Germany faces a 12-month deadline from that date to establish supervisory structures for AI oversight. The DSK has recommended assigning market surveillance responsibilities to existing data protection authorities at both federal and state level, in order to achieve synergies and consolidate expertise. The DSK established a dedicated AI working group at its 108th conference on 15 November 2024, tasked with monitoring AI technology developments, contributing to policy discussions, and developing guidance for privacy-compliant AI deployment.
What this means for marketing and data-intensive organisations
For marketing professionals and their organisations, the Thuringia authority's position on DPO appointments carries direct operational implications. Many marketing-heavy organisations consider splitting DPO responsibilities between a general compliance officer and a specialist focused on customer data or employee records. The Thuringia guidance makes clear that such arrangements require a genuinely separable remit - and that the separation must be demonstrably meaningful in practice, not merely structural on paper.
The restrictions on shared contact infrastructure are particularly relevant for organisations that have centralised their privacy function under a single communications channel. If an organisation does move to multiple DPOs for genuinely distinct areas, each must have an independent contact address. A single shared inbox serving two or more designated DPOs would not satisfy this requirement.
The guidance also touches on organisations that appoint DPO deputies as a matter of contingency planning. Deputies are valid - but only as stand-ins, not as parallel office-holders. German data protection authorities have faced increasing enforcement scrutiny over their handling of consent and data processing complaints, and the clarity around DPO structure adds one more element to the compliance picture organisations must manage.
For the broader advertising and marketing technology sector, the intersection of DPO governance with AI deployment is particularly pointed. The Thuringia report's discussion of the EU AI Act's application requirements - including Article 4 obligations on AI literacy for staff and operators - places the DPO at the centre of a growing compliance function that now extends well beyond traditional data protection into AI system governance.
Timeline
- May 2018: GDPR enters into force, establishing DPO requirements under Article 37.
- 12 January 2021: Higher Regional Court of Karlsruhe rules that DPOs serve an advisory function and are not obligated to provide specific personal data disclosures to data subjects.
- 29 March 2021: Administrative Court Stuttgart issues ruling (11 K 484/21) referenced by the Thuringia authority, confirming a deputy DPO may take over specific matters in cases of conflict of interest.
- January 2024: CNIL conducts fourth statistical survey of 3,625 DPOs across French organisations.
- 2 February 2024: Tino Melzer elected as the new Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit (TLfDI).
- 1 March 2024: Tino Melzer formally assumes the role of TLfDI.
- 8 May 2024: DSK publishes position paper on national responsibilities for the AI Regulation.
- May 2024: EDPB ChatGPT TaskForce publishes its first interim report.
- 1 August 2024: EU AI Act enters into force; Germany given 12 months to establish AI supervisory structures.
- 15 November 2024: DSK establishes a dedicated AI working group at its 108th conference.
- November 2024: Thuringia DPA closes the 2024 reporting period; annual report finalized.
- 16 June 2025: DSK adopts unified model guidelines for GDPR fine procedures across German data protection authorities.
- 23 July 2025: CNIL publishes research on economic benefits of DPO appointments based on the January 2024 survey.
- November 2025: Thuringia 7th Annual Report on Data Protection (DS-GVO) published, covering the 2024 reporting year.
- 18 December 2025: EDPS issues supervisory guidance on the role of DPOs in EU institutions.
- 16 January 2026: EDPS adopts Decision 01/2026 establishing binding rules on prior consent for DPO dismissal across EU institutions.
- 29 January 2026: Decision 01/2026 published in the Official Journal of the EU.
- 10 February 2026: EDPB and EDPS issue joint opinion rejecting proposed GDPR changes in the Digital Omnibus package.
- 10 February 2026: Court of Justice of the EU rules companies can directly challenge EDPB binding decisions.
- ~17 February 2026: Dr. Carlo Piltz of Piltz Legal publishes LinkedIn summary of the Thuringia DPA's DPO guidance, drawing attention to the "two DPOs is one too many" position.
- 18 February 2026: EDPS Decision 01/2026 enters into force.
Summary
Who: The Thuringia Data Protection Authority (TLfDI), led by Tino Melzer, who took office on 1 March 2024, issued guidance on data protection officer appointments as part of its seventh annual GDPR activity report. Dr. Carlo Piltz, a lawyer and partner at Piltz Legal, highlighted the guidance in a widely shared LinkedIn post this week.
What: The Thuringia DPA has clarified that, under Article 37 GDPR and Section 5 of the German Federal Data Protection Act, organisations may generally appoint only one DPO per area of responsibility. Multiple co-equal DPOs are permissible only where genuinely distinct and clearly separable areas of responsibility exist, with each DPO required to maintain separate contact details. A deputy DPO is permissible for periods of absence but does not constitute a parallel DPO appointment. A DPO team supporting a single designated officer remains unproblematic.
When: The annual report covers the period from 1 January 2024 to 31 December 2024, was finalised in November 2025, and was brought to wider attention through Dr. Piltz's LinkedIn post in February 2026.
Where: The guidance originates from the Thuringia Data Protection and Freedom of Information Commissioner in Erfurt, Germany, and applies directly to organisations subject to Thuringia's supervisory jurisdiction - though the legal reasoning draws on GDPR provisions applicable across all EU member states.
Why: Growing uncertainty in compliance practice about whether DPO responsibilities can be shared between two or more individuals prompted the Thuringia authority to set out its position formally. The authority's concern centres on protecting DPO independence, preventing selective engagement by management, limiting unnecessary access to personal data, and ensuring that data subjects and supervisory authorities have a single, clear point of contact for data protection matters.