According to the GDPR, a data protection officer is required if
- authorities or public bodies process data, with the exception of courts,
- the core activity of the controller or processor involves extensive regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor involves substantial processing of special categories of data or of personal data relating to criminal convictions and offences (see Articles 9 and 10 of the GDPR).

In addition, the German Federal Data Protection Act requires that a data protection officer be appointed if at least 10 employees work with data.