According to the GDPR, a data protection officer is required if
- authorities or public bodies process data, with the exception of courts,
- the core activity of the controller or processor involves extensive, regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor involves substantial processing of special categories of data or of personal data relating to criminal convictions and offences (see Article 9 and 10 of the GDPR).
This means that a data protection officer is rarely needed in Austria.
Physicians do not need a data protection officer because the core activity is not working with medical data. Medical associations or hospitals definitely need a data protection officer. Also see our article on May patients be called by name?