Any non-public organisation which processes personal data on behalf of a federal authority or to which personal data have been transferred by a federal authority must appoint a data protection officer, provided that the processing of such data may involve a high risk (see Article 35).
by