The statutory requirement for appointing a data protection officer is set out in § 4f FDPA. According to this provision, non-public bodies in which more than nine persons are permanently engaged in the automated processing of personal data have to appoint a data protection officer.
The nine persons do not have to be employees of the organization. Employees of external service providers (e.g. freight forwarders, customs offices, shipping service providers), freelancers and their employees (e.g. company consultants) and third-party employees (e.g. call centers, credit insurances, claims management companies, factoring companies, salary bureaus) may be covered by the nine persons rule.
In this respect, even organizations that do not employees can be subject to the statutory appointment requirement.