Section 38 Data protection officers of private bodies

(1) In addition to Article 37 (1) (b) and (c) of Regulation (EU) 2016/679, the controller and processor shall designate a data protection officer if they constantly employ as a rule at least 20 persons dealing with the automated processing of personal data. If the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, or if they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, they shall designate a data protection officer regardless of the number of persons employed in processing.

(2) Section 6 (4), (5), second sentence, and (6) shall apply, Section 6 (4) however shall apply only if designating a data protection officer is mandatory.