Sec. 38 BDSG states that a data protection officer is required if, as a rule, a controller continuously employs at least 20 persons dealing with the automated processing of personal data.
Further, for private bodies with less than ten persons dealing with the automated processing of personal data, a DPO is also required, if the controller or processor undertake processing subject to a DPIA, or if they commercially process personal data for the purpose of transfer, of anonymized transfer or of market or opinion research.
In accordance with Sec. 5-7 BDSG, it is obligatory for public bodies to designate a DPO.