Secure Privacy

GDPR DPO Appointment Requirements – When Is a Data Protection Officer Mandatory Under Article 37?

GDPR Article 37 makes DPO appointment mandatory for public authorities, organizations conducting large-scale systematic monitoring, and those processing special category data at scale. This guide explains the three mandatory scenarios, how to assess large-scale processing, national variations across EU member states, and when voluntary appointment is the right choice.

Secure Privacy Team
5 min read

Under GDPR Article 37, certain organizations are legally required to appoint a Data Protection Officer (DPO). The conditions for mandatory appointment are broader than many organizations assume — and several EU member states impose additional national requirements beyond the GDPR baseline. This guide explains when a DPO appointment is mandatory, what "large-scale processing" means in practice, and when a voluntary appointment is strongly recommended even if not legally required.

Who Is This For?

  • Legal and compliance teams assessing whether their organization is required to appoint a DPO under GDPR

  • Data Protection Officers and privacy managers advising leadership on DPO appointment obligations

  • Organizations operating across multiple EU member states subject to national DPO requirements

  • Growing businesses evaluating whether their current or planned processing activities trigger mandatory appointment

GDPR Article 37: When Is DPO Appointment Mandatory?

Not every organization is required to appoint a DPO under GDPR — but the mandatory conditions are more widely applicable than many organizations realize. Under GDPR Article 37(1), DPO appointment is mandatory in three scenarios:

  1. Public authorities or bodies: Any organization that is a public authority or body — except courts acting in their judicial capacity — must appoint a DPO.

  2. Large-scale systematic monitoring: Organizations whose core activities require regular and systematic monitoring of individuals on a large scale — for example, behavioral advertising networks, telecom operators, or organizations using tracking technologies at scale.

  3. Large-scale special category data processing: Organizations whose core activities involve large-scale processing of special categories of personal data under GDPR Article 9 (such as health, biometric, or religious data) or data relating to criminal convictions and offenses under Article 10.

What Does "Large-Scale Processing" Mean Under GDPR?

GDPR does not define a precise numeric threshold for large-scale processing. The European Data Protection Board (EDPB) advises that the following factors should be considered when determining whether processing qualifies as large scale:

  • The number of data subjects concerned — either as a specific figure or as a proportion of the relevant population

  • The volume of data or range of data items being processed

  • The duration or permanence of the data processing activity

  • The geographical extent of the processing — local, regional, national, or international

Where there is genuine doubt about whether your processing qualifies as large scale, your DPO can conduct an assessment and document the reasoning — providing a defensible position if the question is raised by a supervisory authority.

National DPO Appointment Requirements Across EU Member States

Several EU member states have enacted national legislation that imposes DPO appointment obligations beyond the GDPR Article 37 baseline. Organizations operating in multiple jurisdictions must assess both GDPR requirements and applicable national rules:

| Country | Additional DPO Appointment Requirement |
| --- | --- |
| Germany | Organizations with 20 or more employees regularly processing personal data must appoint a DPO under the Federal Data Protection Act (BDSG) |
| France | DPO appointment is strongly recommended for all organizations processing personal data; the CNIL has issued binding guidance on DPO obligations |
| Austria | Organizations that systematically process personal data as their primary activity are required to appoint a DPO |
| Poland | Public entities and organizations processing special categories of personal data are required to appoint a DPO under Polish national law |

When Is Voluntary DPO Appointment Recommended?

Even where GDPR Article 37 does not strictly require a DPO, the European Data Protection Board recommends voluntary appointment for organizations that process personal data regularly or at meaningful scale. Consider appointing a DPO if:

  • You process customer, employee, or user data on an ongoing basis

  • You operate across multiple EU jurisdictions subject to varying national requirements

  • Your organization is growing in a way that may trigger mandatory DPO thresholds in the near future

  • You want to demonstrate GDPR accountability and good data governance to regulators, customers, and partners

Secure Privacy's DPO as a Service makes it straightforward to meet mandatory and voluntary DPO requirements without the cost and overhead of a full-time in-house hire.

Frequently Asked Questions

Does a DPO need to be an employee of the organization?

No. GDPR Article 37(6) explicitly permits the DPO role to be fulfilled by an external service provider under a contract. A DPO as a Service arrangement — such as that offered by Secure Privacy — satisfies this requirement and provides access to specialist expertise without the cost of a full-time hire.

What happens if an organization fails to appoint a mandatory DPO?

Failure to appoint a DPO when required under GDPR Article 37 is a direct violation of GDPR and can result in enforcement action and fines of up to €10 million or 2% of global annual turnover under GDPR Article 83(4). Supervisory authorities have issued fines for this specific failure in several EU member states.

Can one DPO serve multiple organizations?

Yes. GDPR Article 37(3) allows a single DPO to be appointed for a group of undertakings or a group of public authorities, provided the DPO is easily accessible from each entity. Availability and accessibility requirements must be met in practice, not just on paper.

How does an organization assess whether its processing triggers the mandatory DPO threshold?

Organizations should document their core processing activities and assess each against the three Article 37(1) scenarios — public authority status, large-scale systematic monitoring, and large-scale special category data processing — using the EDPB's large-scale assessment factors. Where the answer is uncertain, the assessment and its reasoning should be documented. Secure Privacy's DPO can conduct and document this assessment on your behalf.
