Sec. 38 BDSG states that a data protection officer is required if a controller constantly employs as a rule at least ten persons dealing with the automated processing of personal data.
Further, for private bodies with less than ten persons dealing with the automated processing of personal data, a DPO is also required, if the controller or processor undertake processing subject to a DPIA, or if they commercially process personal data for the purpose to transfer, of anonymized transfer or for purposes of market or opinion research.
In accordance with Sec. 5-7 BDSG, it is obligatory for public bodies to designate a DPO.