The appointment of a (internal or external) data protection officer is mandatory in Germany if at least one of the following applies:
-
at least 20 persons are constantly engaged in the automated processing of personal data. This already includes the processing of e-mail addresses or working with a computer workplace
-
the company is processing not only "normal" personal data, but also a large amount of "particularly sensitive information", such as health data or political opinions
-
the core business activity is to process data for market and opinion research
-
extensive regular and systematic monitoring of data subjects takes place