Certain companies are obliged to appoint an (external or company) data protection officer. The General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) require the appointment of a company data protection officer if one of the following conditions is met:

a) As a rule, at least ten persons are permanently employed with the automated processing of personal data in the company.

b) The core activity of the company consists of carrying out processing operations which, due to their nature, scope and/or purposes, require extensive regular and systematic monitoring of data subjects (this includes, for example, hospitals and pharmacies).