Section 41

The Data Controller and the Data Processor shall designate a

data protection officer in the following circumstances:

(1)the Data Controller or the Data Processor is a public authority as

prescribed and announced by the Committee;

(2)the activities of the Data Controller or the Data Processor in the collection,

use, or disclosure of the Personal Data require a regular monitoring of the Personal
Data or the system, by the reason of having a large number of Personal Data as
prescribed and announced by the Committee;

(3)the core activity of the Data Controller or the Data Processor is the collection,

use, or disclosure of the Personal Data according to section 26 .

In the event that the Data Controller or the Data Processor are in the same

affiliated business or are in the same group of undertakings, in order to jointly
operate the business or group of undertakings as prescribed and announced by the
Committee according to section 29 paragraph two, such Data Controller or Data
Processor may jointly designate a data protection officer. In this regard,
each establishment of the Data Controller or the Data Processor in the same
affiliated business or in the same group of undertakings must be able to
easily contact the data protection officer.

The provisions in paragraph two shall apply to the Data Controller or the Data Processor

who is a public authority in (1) that is large in size or has several establishments mutatis mutandis.

In the event that the Data Controller or the Data Processor in paragraph one has

to designate the representative according to section 37 (5), the provisions
in paragraph one shall apply to the representative mutatis mutandis.

The Data Controller and the Data Processor shall have an obligation to provide

the information of the data protection officer, contact address, and contact
channels to the data subject and the Office. The data subject shall be able to
contact the data protection officer with respect to the collection, use, or
disclosure of the Personal Data and the exercise of rights of the
data subject under this Act.

The Committee may prescribe and announce the qualifications of the data protection

officer by taking into account the knowledge or expertise with respect
to the Personal Data protection.

The personal data protection officer may be a staff of the Data Controller or the Data Processor,

or a service provider under the contract with the Data Controller or the Data Processor.