EuroComply

GDPR

Do I need a Data Protection Officer (DPO)?

Under GDPR Article 37, certain organisations must appoint a DPO. Answer five questions to find out if you need one and what the role involves.

Last updated: 1 May 2025

Does my organisation need a DPO under GDPR?

A DPO is mandatory under Article 37(1) if any one of three triggers applies; it is not required only when all of them are answered no:

  • Public authority or body: DPO mandatory (Article 37(1)(a))
  • Core activities involving regular and systematic monitoring of individuals on a large scale: DPO mandatory (Article 37(1)(b))
  • Core activities involving large-scale processing of special category data (Article 9) or criminal conviction data (Article 10): DPO mandatory (Article 37(1)(c))
  • None of the above: not required by Article 37(1), although Member State law may still require one (Article 37(4)) and a voluntary appointment may reduce compliance risk
  • Use the step-by-step decision tree below for your exact situation
Source: EUR-Lex — GDPR (Regulation (EU) 2016/679)
For informational purposes only. Consult qualified legal counsel before making compliance decisions.

Decision tree questions

  1. Is your organisation a public authority or public body?

    This covers government departments, regulators, municipalities, public schools and public hospitals, and courts except when acting in their judicial capacity (Article 37(1)(a)). Whether a body counts as a public authority is determined under national law. Private companies contracted by government are usually not public authorities, but they may still be caught by the questions that follow.

    • Yes: DPO mandatory — public authority requirement
    • No: Continue to: Do your core activities involve regular and systematic monitoring of individuals on a large scale?
  2. Do your core activities involve regular and systematic monitoring of individuals on a large scale?

    Article 37(1)(b) applies where the monitoring is a core activity of the organisation, not an ancillary one such as routine IT logging or payroll. Examples: behavioural advertising networks, credit scoring platforms, fleet tracking, smart city surveillance, employee productivity monitoring across thousands of users.

    • Yes: DPO mandatory — large-scale systematic monitoring
    • No: Continue to: Do your core activities involve large-scale processing of special category data (Article 9)?
  3. Do your core activities involve large-scale processing of special category data (Article 9)?

    Special category data under Article 9 covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data about sex life or sexual orientation. GDPR sets no numeric threshold for "large scale"; Recital 91 and the Article 29 Working Party guidelines on DPOs weigh the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. A single GP processing patient records is not large scale (Recital 91); a health insurance company processing millions of records is.

    • Yes: DPO mandatory — large-scale special category processing
    • No: Continue to: Do you process data relating to criminal convictions or offences at large scale?
  4. Do you process data relating to criminal convictions or offences at large scale?

    This is Article 10 data and falls under the same Article 37(1)(c) trigger as special category data. It includes background check providers, legal research tools, fraud-prevention services, or HR systems holding criminal record data.

    • Yes: DPO mandatory — criminal conviction data at large scale
    • No: Continue to: Even though a DPO is not mandatory, would a voluntary DPO or external advisor reduce compliance risk for your organisation?
  5. Even though a DPO is not mandatory, would a voluntary DPO or external advisor reduce compliance risk for your organisation?

    Many SMEs benefit from a part-time DPO-as-a-service arrangement (€1,000–€5,000/year) even when not legally required. Before answering, check national law: Article 37(4) lets Union or Member State law impose the obligation in further cases. In Germany, for example, Section 38 BDSG requires a DPO where at least 20 people are regularly engaged in the automated processing of personal data. A voluntarily appointed DPO is subject to the same Articles 37 to 39 rules on position and tasks as a mandatory one.

    • Yes: DPO not mandatory under Article 37(1) — voluntary appointment recommended
    • No: DPO is not required for your organisation under Article 37(1); confirm that no national rule applies