We are a German technology startup company approaching 20 employees spread over the world (Europe, Asia, Australia).
Actually, I have three questions:
1) I hear that if you have 20 employees with regular data processing activities, in Germany you are obliged to have a data protection officer. Is that right?
2) To have an employee considered having regular data processing activities, it is sufficient to have access and work with MS Outlook, is that right?
3) Following the ruling regarding the invalidation of Decision 2016/1250, I am very much confused with the requirements. Reading some of the publication of the edpb, it seems to me hardly feasible anymore to manage GDPR across a small multinational company. Any suggestions?