Article 37 GDPR - Obligation to Appoint a DPO
Conditions for appointing a Data Protection Officer under GDPR.
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
Definition
Article 37 GDPR requires the appointment of a Data Protection Officer (DPO) in the following cases: (a) public authorities, (b) core activity consisting of large-scale regular monitoring, (c) core activity consisting of large-scale processing of sensitive data. In Germany additionally Section 38 BDSG (>=20 employees). The GDPR Kit includes: DPO appointment template + duties catalogue.