§ 38 BDSG

Data protection officers of non-public bodies

(1)In addition to Article 37 Subsection (1)(b) and (c) of Regulation (EU) 2016/679, the controller and the processor shall designate a data protection officer insofar as they constantly employ as a rule at least 20 persons dealing with the automated processing of personal data. Where the controller or the processor carry out processing operations that are subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, or where they process personal data on a commercial basis for the purpose of transfer, anonymised transfer or for the purposes of market or opinion research, they shall designate a data protection officer regardless of the number of persons employed in the processing.

(2)Section 6 Subsections (4), (5), second sentence, and (6) shall apply, Section 6 Subsection (4), however, only where the designation of a data protection officer is mandatory.

Version Note

GII-Quelle (gesetze-im-internet.de) enthält Stand 06.05.2024. Die Änderung vom 01.01.2025 (BBVAnpÄndG 2023/2024, BGBl. 2024 I Nr. 283, Art. 10) betrifft §§ 10, 12, 13, 14, 15 (BfDI-Verwaltungsvorschriften zu Amtsbezügen). Keine inhaltlichen Datenschutzbestimmungen betroffen. Aktualisierung erfolgt bei nächstem GII-XML-Update.

Pending Amendment

BGBl. 2024 I Nr. 283 (BBVAnpÄndG 2023/2024) — in Kraft ab 01.01.2025 — betrifft §§ 10, 12-15

Source:: gesetze-im-internet.de (nur informatorisch — recht.bund.de ist seit 2023 die amtliche Quelle)
Citation:: BGBl I 2017, 2097
As of:: 2024-05-06
Retrieved:: 2026-02-25