§ 38 BDSG

Data protection officers of non-public bodies

(1)In addition to Article 37 Subsection (1)(b) and (c) of Regulation (EU) 2016/679, the controller and the processor shall designate a data protection officer insofar as they constantly employ as a rule at least 20 persons dealing with the automated processing of personal data. Where the controller or the processor carry out processing operations that are subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, or where they process personal data on a commercial basis for the purpose of transfer, anonymised transfer or for the purposes of market or opinion research, they shall designate a data protection officer regardless of the number of persons employed in the processing.

(2)Section 6 Subsections (4), (5), second sentence, and (6) shall apply, Section 6 Subsection (4), however, only where the designation of a data protection officer is mandatory.

Unofficial translation

The authoritative version is the German text published by the competent German authority. This English translation is provided for convenience only and carries no legal force.

Version Note

GII-Quelle (gesetze-im-internet.de) enthält Stand 06.05.2024. Die Änderung vom 01.01.2025 (BBVAnpÄndG 2023/2024, BGBl. 2024 I Nr. 283, Art. 10) betrifft §§ 10, 12, 13, 14, 15 (BfDI-Verwaltungsvorschriften zu Amtsbezügen). Keine inhaltlichen Datenschutzbestimmungen betroffen. Aktualisierung erfolgt bei nächstem GII-XML-Update.

Pending Amendment

BGBl. 2024 I Nr. 283 (BBVAnpÄndG 2023/2024) — in Kraft ab 01.01.2025 — betrifft §§ 10, 12-15

Source:: gesetze-im-internet.de (nur informatorisch — recht.bund.de ist seit 2023 die amtliche Quelle)
Citation:: BGBl I 2017, 2097
As of:: 2024-05-06
Retrieved:: 2026-02-25